DATA GOVERNANCE FRAMEWORK
The GDPR entails many new obligations for our customers in their role as a controller, but two of the most important aspects are (i) the capacity to protect and take stock of privacy-sensitive data and (ii) the need to identify and manage the reasons for processing. As a controller, you need to demonstrate that you take an active approach to the principles. Analyzing your data and defining how it should be handled in collaboration with Aditro is an excellent way to do just that.
Aditro is all about making data meaningful – whether your data concerns payroll calculations, financial insights and control or the management of human capital, we enable you to focus on your business. We want you to be in control of your data while enjoying the confidence that privacy is safeguarded. This document therefore aims to provide a framework for stronger data governance utilizing classification on the basis of the data protection principles and goals.
DATA PROTECTION PRINCIPLES AND GOALS
As recipients of personal data, our customers are required to ensure proper life-cycle management of data. This all starts with a well-defined practical approach to the data protection principles and goals. Principles guide all good privacy decisions. For example, the principle of data minimization incorporates the concept of data avoidance. One example is that we currently hold data on employee’s relatives. Although children and marital status may influence payroll calculations, spouses and children’s names or contact details do not. Avoiding the processing of such data in large-scale systems can therefore be good practice, bearing in mind that this data could be used to infer information on sexual orientation. Read more about our approach to the data protection principles in Aditro’s Data Protection Policy.
STRONGER DATA GOVERNANCE WITH CLASSIFICATION
Many organizations approach privacy from a classical security perspective. Although this increases the level of personal data protection by enhancing the protection of all data, this approach will have its own limits. For example, encryption and logging place high demands on capacity, making them less practically or economically viable. Although we employ database encryption and access logging, encrypting towards the application and logging what data has been accessed for all data is more difficult to achieve. This is where data governance can play a valuable role. Data governance can generate insights that reduce investment costs and operating expenses while increasing security and privacy.
As part our commitment to help you gain more control over your data, we aim to set industry standards with our extensive classification program. Our approach to classification makes GDPR compliance easier for you. Read on to learn more about how our classification program protects personal data, delivers better business intelligence, retains data for just the right amount of time, reduces personal data in reports and enables you to extract data for compliance with data subject rights.
More Possibilities for Effective Data Use
Making data intelligible not only increases possibilities for data protection but also for data use. The GDPR and the previous Data Protection Directive initially intended to create a level playing field within Europe that facilitates an increase in the flow of data. Privacy protection enables data to be used more freely, which unlocks more possibilities for effective data use.
For example, our payroll processing system may use a name and personal identity number – data that is not relevant for calculating salaries but is relevant for paying them. In this example the name and personal identity number are also highly relevant to the data subject, while salary or absence information might also be relevant for other purposes, such as analyzing trends within the organization. Taken together, data is initially used for calculating a salary, but it can be used for different purposes entirely when taken apart.
Knowing where and when privacy-sensitive data is processed enables us to protect it throughout the lifecycle of the data. Most of our products have added classification values in the database structure and can thus export these values, which in turn may trigger a Data Loss Prevention tool, resulting in encryption of data upon leaving our network, such as over email.
Identifying and Separating Personal Data
Personal data as defined in the GDPR includes all data relating to an identified or identifiable natural person. Most businesses would find it challenging to define what data would not be personal data. This holds true for Aditro, too. We make people-centered products, and the data we process is therefore almost always personal. So instead we reversed the question, asking ourselves: What data would not make other data personal? As a second layer, data should be considered from two viewpoints: (i) the normal environment in which the data is processed, such as between a controller and processor, and (ii) the external environment, meaning unauthorized data recipients. Data is often easier to understand between the sender and recipient, but is that also the case for someone outside of this context?
These questions and others were translated into criteria that define the scope of privacy classification. All data processed by our products is categorized to separate the personal data. Personal data is data that is (i) personal through association, (ii) personal itself through a direct and/or unique connection with an individual or (iii) personal when grouped with other data. For example, data remaining after removing all identifiers (name, email etc.) could be reconstructed in such a way that it leads back to an individual. Another category is sensitive data that relates directly to the GDPR special categories of data that should receive extra protection. A better understanding and more insight into the data we process enables us to protect privacy throughout the data lifecycle and when data is handled within and outside our systems.
Better Business Intelligence
The GDPR does not seek to avoid the processing of data. If personal data is effectively filtered and anonymized, the remaining data can be used for statistical purposes and support business intelligence. Salary changes over a period of time in a specific department can be compared with the revenue generated and benchmarked against other departments, and sick leave statistics can be used to monitor health at work. Data should be used as a resource to support decision-making based on quality data.
We are continuously developing additional tools to help you achieve better business intelligence. Please have a look at our Analytics Module or browse our website for further information.
One of the main elements driving a regulatory approach to data protection is that privacy is a deeply rooted concept within our society and is a human right. Any use of data relating to a person is therefore considered negative in this context, yet it is still commonplace in today’s information society. The collection and processing of data is only allowed for a clearly defined purpose and should be based on a legal basis that allows the processing.
To provide basic compliance with the principles of purpose limitation and data minimization, we have analyzed all the data that our products process in reverse, looking first at a strictly defined purpose to reveal the minimum data necessary to fulfill that purpose. One way of ensuring basic compliance with the principles of storage limitation and data minimization is by differentiating purposes to a high degree, given that more differentiation enables us to reduce data over time as the need for processing diminishes. Our proposed retention policy for our products therefore allows data removal at the following time intervals: 0 days, 90 days, 18 months, 2 years, 3 years, 6 years or 10 years. But classification means also that such values or the data that retention settings operate on may be freely changed. Quite simply said it is a model for you as a Controller to get a head start and reduce operational costs. The operations on the data also differ depending on other policy settings, meaning that modalities relating to access and storage are also reduced to increase privacy protection over time.
Purpose classification is built on three pillars and each of the pillars may have several subcategories.
All our products have classified the minimum set of data necessary to deliver the product’s intended outcome. This may at first seam like a broad definition but it only includes data that is needed for the product to function so this is explained very strictly. For Business Process Outsourcing customers this category may also be called “Process purposes” where it also concerns unstructured or semi-structured data. More information on our products, the purposes they fulfill, and the recommended retention times can be found in our standardized Records of Processing related to purpose categories.
We have identified all legal requirements entailing an obligation to store data. As a result, we only store the minimum amount of data that needs to be retained for compliance with relevant national legislation, also to be found in our standardized Records of Processing related to purpose categories.
All data that is not required for our products or for compliance with legal obligations has been marked as customer-specific fields. As a customer, you may need to process certain data and have valid reasons for doing so, but we have expressly stated that such data is not legally required or materially required for the product to operate. Where this data is processed in our systems and is also considered sensitive or directly identifying personal data, you should determine whether our systems are the best way to process this data or if such data could be processed or stored elsewhere.
Customer purpose also allows you to define your own subcategories if you believe that some data should be stored longer and has a different purpose or if data has been obtained based on consent or legitimate interest, which are both a lawful basis for processing. If this is the case, we recommend that you add these types of data in a separate category to either set a retention time or be prepared to comply with a request for removal from the data subject, such as a withdrawal of consent or an objection to certain types of processing.
For more information, please have a look at the General Records of Processing or our Customer Privacy Site.
Please also feel welcome to contact us at firstname.lastname@example.org for any questions you may have relating to this content.