Here's How the GDPR Will Affect Your Data Governance


The GDPR lays out specific instructions for how organizations should collect, process, use, and store personal data. To make sure your data governance plan covers all facets of the new law, Microsoft suggests you develop a governance plan that gets you ready to:

  • Discover (find and classify personal data)
  • Manage (including responding to requests from data subjects)
  • Protect (all aspects of securing personal data)
  • Report (documenting activities and conditions about personal data)

Discover and manage your data

Data governance starts with being able to quickly find data and manage it effectively and efficiently. Reason being, you need to be able to promptly address the rights of data subjects, which are laid out in Chapter 3 (Articles 12-23) of the GDPR. For example, data subjects have the right to:

  • See any personal data you’ve stored about them, plus the details about how you use and process it
  • Ask for you to export a copy of their personal data in a commonly used, machine-readable format
  • Ask you to send their data to another controller (under certain circumstances)
  • Ask you not to collect or process their personal data at all

So one of the most important goals of your data governance plan should be to help protect these rights. As part of this plan, you should:

  • Inform data subjects about their rights, anywhere you collect personal data
  • Provide a way for users to make requests about their data
  • Put processes and technology in place to quickly find personal data where it lives across your systems
  • Manage and respond to any requests

Protect your data

Security is a critical part of data governance. Article 32 of the GDPR talks about how you need to keep personal data secure at every step. It applies to both controllers and processors, and mandates that they should “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

To get there, you can’t merely put security and incident response measures in place. You also need to set up a process to regularly test and evaluate the effectiveness of those technical and organizational measures.

The GDPR also specifically suggests that companies pseudonymize and encrypt personal data when it makes sense. And on a much broader scale, it further requires “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.”

Of course, no matter how much security you put in place, breaches might still happen. So the GDPR goes on to say that your security measures should include “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”

Report and document

Documentation plays a large part in the GDPR. Under the new law, your company should keep records to show that:

  • You collected personal data lawfully
  • Your users freely gave their consent for you to collect (if applicable)
  • You’ve appropriately handled requests by data subjects
  • You’ve taken the appropriate security measures to protect personal data and respond to incidents
  • You’ve made the required notifications
  • When required, you’ve carried out data protection impact assessments
  • If required, you’ve appointed a data protection officer

Need help with the GDPR?

We at Binary Tree are doing our part to help our clients protect the privacy of their own customers. We can help speed up your GDPR journey by moving you to Office 365, which comes with built-in data governance features. Specifically, Office 365 makes it easier to:

  • Find and catalog personal data in your systems
  • Build a more secure environment
  • Simplify how you manage and monitor personal data
  • Get tools and resources to meet reporting and assessment requirements


Source: Microsoft. Data Governance for GDPR Compliance. November 2017.