To execute an effective GDPR solution there are six infrastructure building blocks that you should have in your solution implementation.  Establishing the right level of automation for these components will deliver the required oversight of your data sources and data exchanges as well as providing the the framework for your leadership and team to be efficient and effective in using and controlling the data.  

Infrastructure Overview

Page 1.png

Infrastructure Building Blocks

Data Catalogue Data Catalogue A data catalogue records the details of the data held across your business. In a 'Basic' Form this could be an manually maintained Spreadsheet in best practice the cataloguing tool continually scans your estate and creates an actively maintained searchable catalogue. A catalogue is key to tracking that you are managing personal data, underpins Subject Access Requests and enables consent management.
Data Quality Data Quality Article 5 of the regulation requires that personal data you hold is up to date and accurate. In a 'Basic' solution this would be regularly manually checking Data Quality using the Data Catalogue as a guide to were the data is held. In 'Best Practice' a Data Quality tool would continual scan for Data Quality issues flagging and correcting as required.
Data Governance Data Governance To effectively manage your GDPR compliance you need to document and manage who supervises each item of data, that permissions and consents are captured and managed for each data point, how the logical data model of the business maps to the physical data model, what data is held by third parties on your behalf and if so are the data processing contracts GDPR compliant, is data being held or sent internationally and have you documented process flows as required by article 30. In a 'Basic' solution this could be an extension of the Spreadsheet that you are using as a Data Catalogue, in 'best practice' this is a Data Governance tool.
Single Customer View Single Customer View In order to effectively manage Permissions & Consents you need to be sure that permissions captured for a person on one source are matched to permissions captured for that person on other sources. Given the variations in identifying details a robust method for matching people records is required. Similarly when servicing a Subject Access Request being able to identify all variations of a persons identity across your systems is critical if you are to ensure you are reporting back on all data you hold on the requestor.
Subject Access Request Subject Access Request Subject Access Requests, Erasure Requests, Data Rectification Requests and the other Individual Rights Requests require not only a Data Catalogue and Single Customer View to find the required data quickly but a process to case manage the requests, ensure that you correctly identify the requestor, compile the data, approve the action and evidence that the action was taken. A 'Basic' solution is to use a spreadsheet to manage the workflow and document the case. 'Best Practice' is to use a workflow tool integrated with the Data Catalogue and Single Customer View.
Permission & Consents Management Permission & Consent Management Articles 6,7,8,18 and a number of others describe your requirements to clearly and transparently capture and manage consents and permissions. In a 'Basic' solution you may use a spreadsheet to master the Permission & Consents statements and then federate these out to systems in which your clients and prospects interface with your business. In a 'Best Practice' implementation a Permission & Consent Management Hub is deployed to automate the capture and management of citizens permissions.

Integrations overview

Page 1.png
page 2.png

Selecting the Infrastructure for your business

Depending on your business data volumes and complexity you will select a varying level of tool maturity and scalability to deploy. The table below provides a summary of the options.

Maturity & Scalability Data Catalogue Data Quality Data Governance Single Customer View Subject Access Request Permission & Consent Management
Best Practice Data Catalogue Tool Data Quality Tool Data Governance Tool Master Data Management Hub Data Catalogue Tool Permission & Consent Management Hub
Digital Applications Web Application Web Application with PL/SQL code fragments Web Application Machine Learning Matching Web Application Web Application with Federated Deployment
Basic Spreadsheet Manual Spreadsheet No Options Manual Spreadsheet with Federated Deployment

Best Practice and Enterprise Infrastructure features

Component Key Desirable Enterprise Features Example COTS
Data Catalogue
  • Structured and unstructured scanning for Identity data.
  • AI & Pattern driven data classification eg recognise email address, phone numbers, passport number etc.
  • Google like catalogue searching
Data Quality
  • Data and content type data quality scanning capability.
  • Scanning scheduling.
  • Quality remediation workflows.
  • Data Quality reporting preferably can integrate into strategic reporting platform.
  • Historic data quality snapshots to provide reporting on data quality movements over time
  • Realtime address, email and mobile phone validation.
Data Governance
  • Capability to assign Data Owners and other data roles at logical layer.
  • Capability tag physical data items with logical tags.
  • Governance workflows.
  • Can manage the GDPR article 30 requirements.
  • Can manage data governance documentation requirements of other Insurance industry regulation.
  • Capability to integrate with Enterprise Application mapping software.
Single Customer View
  • Master of Customer and Prospect Identity Data.
  • Capability to Integrate with Permission and Consent Master.
  • Identity search API
Subject Access Request (Data Rights)
  • Generate DSAR reports
  • Identity validation
  • Data rectification
  • Data portability
Permission & Consent Management
  • Capable of holding a 5W’s permission(preferences) model
  • Realtime API’s for capturing and displaying permissions, permissions statements and privacy statements
  • Full logging of permission changes (eg Kantara)

Example Simplified Governance Metadata model

Governance Simplified.png