Know your data, generate Data Bill of Materials (DBoM)

Compliance with privacy laws

Many laws across the world make a Record of Processing Activities (ROPA) mandatory. As one example, Article 30 of the EU General Data Protection Regulation requires data controllers to maintain a record of the processing activities for data under their responsibility, a requirement that a rigorous DBoM could satisfy. A detailed record of how data was collected and processed also makes it easier to locate data that must be deleted in order to comply with "right to be forgotten" provisions such as GDPR Article 17. Gaps or deficiencies in a DBoM could also be used to determine whether data was unlawfully acquired or processed. As more countries adopt comprehensive data laws and regulations, simplifying compliance will only become more important, and the DBoM will reduce the time and labor costs of compliance.

Even where a record of data collection and processing is not required by law, maintaining such a record is a good way for data vendors and collectors to inform data subjects about how their personal information is being used. Meticulous cataloging, together with a simple way for a data subject to request their data from a collector, would increase data subjects' confidence in the system and their trust in the companies responsible for their data. It is easier to identify who has stewardship over a given piece of data when there is a detailed, trustworthy log of the personal data being collected and used by each system. Liability in the event of a data breach will also be simpler to determine with a DBoM, since the record of data collection and transfers will show who had stewardship of the data at the time of the breach.

The Trust Challenge

How will DBoM help businesses?

A DBoM will help data collectors and stakeholders find personal and sensitive data, as well as vital information about that data such as when, why and how it was collected. Having such a record built into the data collection process will increase the transparency of data cataloging and data collection. This helps stakeholders take inventory of the data they possess more effectively, which can otherwise be difficult given the vast quantities of data companies may acquire.

Win-Win Situation

Data Subject Rights

Implementing a DBoM would simplify and improve the Data Subject Access Request (DSAR) process for both processor and subject. DSAR fulfillment can take a significant amount of time and labor. AI-driven data management technology has lowered these barriers to compliance, but such tools still need pointers to the data sources where personal information exists. With a DBoM acting as a standardized record of the location and relevant characteristics of each unit of data, even manual fulfillment of DSARs becomes easier. Less time spent searching means faster and more cost-effective DSAR fulfillment.


Final Take

Implementing the DBoM would bring similar improvements to the collection, usage, storage, sharing and destruction of personal data. As organizations come to understand their data as an asset, and as data breaches become a more pressing concern, we predict that the DBoM will become a standard industry practice.


Business Benefits

Instituting the DBoM as a standard practice will dramatically improve the responsible use of personal data within software ecosystems, and transparency for consumers and stakeholders about how personal data is used. The record of transfers, storage locations and uses in a DBoM will allow customers to see more easily how and why their data was processed, and will allow data processors to share this information with consumers and fellow processors much more quickly and efficiently.


Challenges

The following are the issues that the majority of organizations face in meeting these guidelines:

  • Data mapping and inventory are managed manually to satisfy legal standards, and the organization has no way to handle customer data centrally so that it can be controlled.
  • Although the guidelines do not mandate specific requirements for data destruction, one of the security precautions that must be followed is to erase sensitive data once its purpose has been accomplished.
  • Organizations have no mechanism in place to generate a record of assurance that provides proof of permanent deletion.
  • Organizations lack the ability to detect and filter out data that was part of a breach and has been shared with unauthorized persons.
