Understanding The Data Management Ecosystem
Understanding and managing your data is becoming a fundamental piece of any privacy compliance program. So it shouldn’t be a surprise that it’s a topic that we’ve covered in different posts over the last year or so.
We’ve pulled together some of those posts as part of this review of data management and some of the important components that go into effective data management – like data mapping, data inventories, data tagging and data minimisation.
Data Management
What is Data Management?
Data management ensures the effective, ethical, and compliant use of your organisation data is now critical to business operations and risk management.
Data management involves collecting, storing, organising, protecting, verifying, and processing essential data.
But the benefits of properly managed data are significant, too. Well-managed data can improve decision making, aid strategic planning, build trust, support compliance, and reduce redundancies. Poorly-managed data on the other hand can lead to your reputation deteriorating (and maybe you’ll even end up on TechCrunch’s list of poorly handled data breaches).
Data management includes the following topics:
- data governance
- data security and privacy
- data reference and master data management
- data architecture
- database management
- data quality management
- data warehousing and business intelligence management
- document and record storage
- records management
- data destruction.
What is a Data Management Strategy?
A data management strategy is a roadmap to help your organisation implement a data management program. A data management strategy ensures you use the data the organisation collects effectively, efficiently, legally, and in a manner that helps it achieve its purposes.
Your data management strategy then contemplates how to make the data available throughout your organisation in a way that is safe, streamlined, and shrewd.
We covered Data Management Strategy: No Longer a Nice-to-Have | P 108 (privacy108.com.au)
Understanding your data
Before you can embark on a data management program, it is important to understand your data. Understanding your data goes beyond identifying where it is, whether it’s structured or unstructured, and the systems and teams it’s held by. Understanding your data means you understand the implications of each piece of data.
As well as understanding a given document’s location in a project folder, for example, you can see that the document also passport number, so you can apply the proper controls for access and disposal/destruction.
Data Mapping
Data mapping is one way of helping you understand your data and is certainly one of the most critical steps in any privacy program.
Data mapping shows the journey of an organisation’s data from collection to destruction or de-identification, with all the steps in between. Another important use of data mapping is as part of a privacy impact assessment. Being able to describe the data journey from collection to destruction/de-identification is key to identifying potential privacy issues during that journey.
Even though it sounds simple, data mapping can be very complex. The process usually stretches across the whole organisation and will require interaction with different functions across the business. Some of the challenges in understanding your data include:
- Much of the data your organisation holds will be ‘unstructured’ – in emails and files stored in Sharepoint or file shares. It can be quite tricky to find and understand all the unstructured data across your organization.
- A lot of the effort will be manual – and it’s often hard to find the resources and skills to help with manual identification and mapping. There are tools to assist with that but they can be expensive and, as we know, tools are not always a magic wand (they still need to be implemented, properly configured and managed)
This blog post provides some tips on how to map your organisation’s data.
Data Inventory
Once you have mapped your data, a data inventory should be created to record what you’ve found. According to the IAPP’s Glossary, a Data Inventory is:
“Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organised, and its location. That data is then categorised by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.”
In other words, a data inventory identifies and documents what personal data your organisation collects, where you keep it, who has access to it, and how it is stored and protected.
We’ve provided some practical implementation tips on how to create a data inventory.
But a data inventory is a living artefact, not a one-off artefact, that must be maintained. We previously covered how to keep your data inventory up-to-date.
Data Tagging
Data tagging is an important tool in the management of your data – and a great step to help the automation of key processes. Data tagging involves attaching labels (or tags) to data to help identify, categorise, use, and protect it more effectively. If your company has a document management system (even a rudimentary one), it’s likely that your company already has some form of data tagging system. More about data tagging.
Data Minimisation
At some stage, you will need to consider steps to minimise the data your organisation holds. Data minimisation is required by most data protection regulatory requirements and is an important risk mitigation technique. Data minimisation involves limiting the collection, processing, and storing of all information but especially personal information, limiting to that which is adequate, relevant and necessary to accomplishing the specified purpose.
This means you should understand what you want to do with the data you are collecting and then collect only the data that you need to achieve that purpose – no more, no less. And you shouldn’t keep it once that purpose has been achieved.
Learn more about data minimisation in our guide for privacy professionals and our insights about data minimisation in practice.
Data Retention Strategy
Your company’s data retention policy is one key governance piece supporting better data management, including data minimisation. In this post, we share some considerations worth considering when creating or reviewing your organisation’s data retention strategy, such as determining appropriate data retention timelines and record types, plus other timing considerations.
For help with your organisation’s data management, reach out. Our team of privacy professionals would love to work with you.