To execute an effective GDPR solution there are six infrastructure building blocks that you should have in your solution implementation. Establishing the right level of automation for these components will deliver the required oversight of your data sources and data exchanges, as well as providing the framework for your leadership and team to be efficient and effective in using and controlling the data.
Infrastructure Building Blocks
| Building Block | Description |
|---|---|
| Data Catalogue | A data catalogue records the details of the data held across your business. In a 'Basic' form this could be a manually maintained spreadsheet; in 'Best Practice' the cataloguing tool continually scans your estate and creates an actively maintained, searchable catalogue. A catalogue is key to tracking that you are managing personal data, underpins Subject Access Requests and enables consent management. |
| Data Quality | Article 5 of the regulation requires that personal data you hold is up to date and accurate. In a 'Basic' solution this would mean regularly checking Data Quality by hand, using the Data Catalogue as a guide to where the data is held. In 'Best Practice' a Data Quality tool would continually scan for Data Quality issues, flagging and correcting as required. |
| Data Governance | To manage your GDPR compliance effectively you need to document and manage: who supervises each item of data; that permissions and consents are captured and managed for each data point; how the logical data model of the business maps to the physical data model; what data is held by third parties on your behalf and, if so, whether the data processing contracts are GDPR compliant; whether data is being held or sent internationally; and whether you have documented process flows as required by Article 30. In a 'Basic' solution this could be an extension of the spreadsheet that you are using as a Data Catalogue; in 'Best Practice' this is a Data Governance tool. |
| Single Customer View | To manage Permissions & Consents effectively you need to be sure that permissions captured for a person on one source are matched to permissions captured for that person on other sources. Given the variations in identifying details, a robust method for matching people records is required. Similarly, when servicing a Subject Access Request, being able to identify all variations of a person's identity across your systems is critical if you are to ensure you are reporting back on all data you hold on the requestor. |
| Subject Access Request | Subject Access Requests, Erasure Requests, Data Rectification Requests and the other Individual Rights Requests require not only a Data Catalogue and Single Customer View to find the required data quickly, but also a process to case manage the requests, ensure that you correctly identify the requestor, compile the data, approve the action and evidence that the action was taken. A 'Basic' solution is to use a spreadsheet to manage the workflow and document the case. 'Best Practice' is to use a workflow tool integrated with the Data Catalogue and Single Customer View. |
| Permission & Consent Management | Articles 6, 7, 8, 18 and a number of others describe your requirements to clearly and transparently capture and manage consents and permissions. In a 'Basic' solution you may use a spreadsheet to master the Permission & Consent statements and then federate these out to the systems through which your clients and prospects interface with your business. In a 'Best Practice' implementation a Permission & Consent Management Hub is deployed to automate the capture and management of citizens' permissions. |
Selecting the Infrastructure for your business
Depending on your business's data volumes and complexity, you will select a different level of tool maturity and scalability to deploy. The table below provides a summary of the options.
| Maturity & Scalability | Data Catalogue | Data Quality | Data Governance | Single Customer View | Subject Access Request | Permission & Consent Management |
|---|---|---|---|---|---|---|
| Best Practice | Data Catalogue Tool | Data Quality Tool | Data Governance Tool | Master Data Management Hub | Data Catalogue Tool | Permission & Consent Management Hub |
| Digital Applications | Web Application | Web Application with PL/SQL code fragments | Web Application | Machine Learning Matching | Web Application | Web Application with Federated Deployment |
| Basic | Spreadsheet | Manual | Spreadsheet | No Options | Manual | Spreadsheet with Federated Deployment |