In recent years two drivers for Data Governance have emerged. The first a business's desire to maximise data accessiblity, useablity and security. The second the regulatory documentation requirements of data regulations such as GDPR. LED and BCBS239.
The regulatory focus has driven vendor investment in tools and platforms that significantly improve the efficiency of managing Data Governance. The upside of this regulatory driven tool maturity is that business's are seeing the benefits in the leveraging of their data on the back of regulatory spend business case in Data Governance solutions.
GDPR Article 30 - DatA Processing Documentation
Article 30 of the GDPR calls for documentation of the records of processing for (Article 30(5)) :
- Organisations of greater than 250 people
- Where your data processing might be consider risky, or
- Where you are processing special categories of data.
Implementations to address the articles requirements tend to fall into three categories:
1) Process list - A list of processes is identified and the required metadata is recorded against the processes. The UK ICO Article 30 template is an example of this approach.
2) System list - A list of systems, most likely from the data and systems audit is created and the Article 30 metadata is attached to the system including the processes the systems performs.
3) Data element List - A list of all data elements across the business is generated, either as a logical model within a Data Governance tool or from the physical elements captured by a Data Catalogue tool. Then, often within a Data Governance tool, the Article 30 required metadata is attached at the data element level.
The Data Element List approach is arguably the most complete and reporting flexible method for documenting under Article 30 but to achieve and maintain requires Data Governance tool that will significantly automate the capture and maintenance of the metadata.
The diagram below is a summary of the Article 30 metadata requirements attached at the data element level. This summary is used by Davies March when helping clients build requirements for their Data Governance tool procurement.
The green circles represent the clauses of Article 30 that call for this metadata.