World wide, Data Privacy laws are increasing. Customers are increasingly aware, and concerned, about how data is processed. The Chief Privacy Officer is (or should be) a key stakeholder for many Data Governance initiatives, and new terms like “Privacy by Design” and “Privacy Engineering” are entering our conversations with peers. Non-EU organizations selling into the EU will soon have to comply with EU Data Privacy laws. However, data professionals who take a structured, principles based approach, to building their Data Privacy capabilities stand a better chance of sustainable success than those who don’t. Rather than reinventing the wheel, organizations should look at how the DMBOK framework, in conjunction with other approaches and methods, can provide a robust platform for Data Privacy initiatives in their organizations.

1. Castlebridge Associates
Castlebridge Associates | Invent Centre | DCU | Glasnevin | Dublin 9| Ireland
Changing How People in Organisations Think about Information
DATA PRIVACY & THE DMBOK
NO NEED TO REINVENT THE WHEEL!

2. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHATWE ARE GOING TO COVER
Why Data Privacy is Important
Data Privacy in the DMBOK
Some Other Concepts
Ethical Information Management

3. Castlebridge Associates
© 2014 | Castlebridge Associates | Confidential
WHY DATA PRIVACY IS IMPORTANT
SOME KEYTRENDSTO BE AWARE OF…

4. Castlebridge Associates
© 2014 | Castlebridge Associates | Confidential
People have entrusted us with their most
personal information.
We owe them nothing less than the
best protections that we can possibly
provide by harnessing the technology
at our disposal.
We must get this right.
History has shown us that sacrificing
our right to privacy can have dire
consequences.
Tim Cook, CEO Apple

5. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE GLOBAL LEGISLATIVE TREND
7
17
36
68
111
0
20
40
60
80
100
120
1970s 1980s 1990s 2000s 2010-2015
Total Global Data Privacy Laws
Total Global Data Privacy Law
Within this, there is also continued evolution of existing Data Privacy laws
(e.g. EU Data Protection Regulation)

6. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
ONE KEY TREND…
Global momentum toward the EU’s model of data privacy regulation has led
to new laws and better protection for the consumer. Many non-EU countries
have passed laws over the past 12 months that bring the world’s collective standards
around data privacy closer to the high-water mark laid out by the EU’s
overarching Privacy Directive.
For instance, countries such as Malaysia and South Africa have recently passed new data
privacy frameworks that closely follow the EU’s lead. South Africa has even gone one step
farther and implemented provisions that will likely be implemented by the future EU
Privacy Directive updates.
- Forrester,August 2014

7. © 2015 | Castlebridge Associates | Confidential
A FRAMEWORK FORTHINKING ABOUT INFORMATION
Strategic
Business Information Technology
TacticalOperationsCustomer
Business
Strategy &
Governance
Information
Strategy &
Governance
IT Strategy &
Governance
Business
Architecture &
Planning
Information
Architecture &
Planning
Technology
Architecture &
Planning
Management &
Execution of
Business
Processes
Management &
Application of
Information
Management &
Exploitation of
IT Services
Process Outcome Information Outcome
Expectation
Based on Amsterdam 9-box model by Prof. Rik Maes et al
Privacy is Here

8. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
A SUMMARY MAPPING OF CORE PRINCIPLES
EU Principle OECD Principle(s) AICPA FIPP
Obtain Data Fairly Openness Notice ; Choice and Consent
Process for a Specified and Lawful
Purpose Purpose Specification Collection
Do not Process for an incompatible
purpose Use Limitation Use, Retention, Disposal
Ensure Data is Accurate,
Complete,and Up-to-date Data Quality Quality
Personal Data should be kept Safe
and Secure Security Safeguards Security for Privacy; Disclosure
Data must be adequate,relevant,
not excessive Data Quailty Quality
Personal data must not be kept for
longer than necessary for the
specified purposes Use, Retention, Disposal
Individuals have rights of access,
rectification,erasure, blocking Individual participation Access
Management; Monitoring & Enforcement
Penalties & Civil liability &
Enforcement Accountability Monitoring & Enforcement

9. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
One Stop Shop
KEY PROVISIONS OF THE DATA PROTECTION
REGULATION
Core 8 Principles
+
Accountability Principle
+
Transparency Principle
+
Article 7, 8 ECHR
Increased
Penalties
Moves towards a “Risk
Based” model
Explicit
Focus on
Governance
Principles
Driven
Principles
Driven
Enhanced Rights:
Data Portability;
RTBF;
Risk & Penalty
Mitigation
Documentation
Risk & Penalty
Mitigation
Fines as
% of
Global
Turnover
General Data Protection Regulation – 1 Slide Summary

10. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHY DOES IT MATTER?

11. Castlebridge Associates
© 2014 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK

12. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
© DAMA International, used with permission

13. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
Remember to Respect Copyright

14. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
© DAMA International, used with permission

15. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTIONTHROUGH THE DG/IQ LENS
Current EU Data Protection
Directive 95/46/EC

16. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTION: PRINCIPLES
Principle Governance Quality
Personal data which is being processed must be fairly
obtained and processed
X
Personal Data shall be obtained for a Specified and Lawful
Purpose
X
Personal Data shall not be processed in a manner
incompatible with the specified purpose
X
Personal Data shall be kept accurate and complete and,
where necessary, kept up to date
X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not
excessive
X X
Personal data should not be kept for longer than
necessary for the specified purpose or purposes
X X
Data Subjects have a right of Access. X

17. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTION: QUALITY PRINCIPLES
Principle Governance Quality
Personal data which is being processed must be fairly
obtained and processed
X
Personal Data shall be obtained for a Specified and Lawful
Purpose
X
Personal Data shall not be processed in a manner
incompatible with the specified purpose
X
Personal Data shall be kept accurate and complete and,
where necessary, kept up to date
X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not
excessive
X X
Personal data should not be kept for longer than
necessary for the specified purpose or purposes
X X
Data Subjects have a right of Access. X

18. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHAT IS DATA QUALITY IN DMBOK?
Definition:
Planning, implementation, and control activities that
apply quality management techniques to measure,
assess, improve, and ensure the fitness of data for use.
.
Goals:
• To measurably improve the quality of data in relation to
defined business expectations.
• To define requirements and specifications for integrating data
quality control into the system development lifecycle.
• To provide defined processes for measuring, monitoring, and
reporting conformance to acceptable levels of data quality.
Activities:
1. Develop and Promote Data Quality Awareness
2. Define Data Quality Requirements
3. Profile, Analyze, and Assess Data Quality
4. Define Data Quality Metrics
5. Define Data Quality Business Rules
6. Test and Validate Data Quality Requirements
7. Set and Evaluate Data Quality Service Levels
8. Continuously Measure and Monitor Data Quality
9. Manage Data Quality Issues
10. Clean and Correct Data Quality Defects
11. Design and Implement Operational DQM Procedures
12. Monitor Operational DQM Procedures and Performance
Inputs Outputs
Inputs:
• Business Requirements
• Data Requirements
• Data Quality Expectations
• Data Policies and Standards
• Business Metadata
• Technical Metadata
• Data Sources and Data Stores
Primary Deliverables:
• Improved Quality Data
• Data Management
• Operational Analysis
• Data Profiles
• Data Quality Certification
Reports
• Data Quality Service Level
• Agreements
Metrics:
• Data Value Statistics
• Errors / Requirement Violations
• Conformance to Expectations
• Conformance to Service Levels
Tools:
• Data Profiling Tools
• Statistical Analysis Tools
• Data Cleansing Tools
• Data Integration Tools
• Issue and Event Management Tools

19. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
EXAMPLE: MARKETING CONSENTS EXPIRE AFTER 12 MONTHS
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
12 months or
over
10 -12 Months 6-9 months 3-6 months 0-3 months
Marketing Months since last contact
ePrivacy Directive ConsentTracker
30% x Avg uplift of €10 per campaign, 10% success rate, 1.2 million customers

20. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
© DAMA International, used with permission

21. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTION: DATA DEVELOPMENT
Principle Governance Quality
Personal data which is being processed must be fairly
obtained and processed
X
Personal Data shall be obtained for a Specified and Lawful
Purpose
X
Personal Data shall not be processed in a manner
incompatible with the specified purpose
X
Personal Data shall be kept accurate and complete and,
where necessary, kept up to date
X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not
excessive
X X
Personal data should not be kept for longer than
necessary for the specified purpose or purposes
X X
Data Subjects have a right of Access. X

22. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHAT IS DATA DEVELOPMENT IN DMBOK?
Definition:
Designing, implementing, and maintaining solutions to
meet the data needs of the enterprise.
.
Goals:
• Identify and define data requirements.
• Design data structures and other solutions to these requirements.
• Implement and maintain solution components that meet these
requirements.
• Ensure solution conformance to data architecture and standards as
appropriate.
• Ensure the integrity, security, usability, and maintainability of structured data
assets.
Activities:
1. Data Modelling, Analysis and Solution Design
• Analyze Information Requirements
• Develop and Maintain Conceptual Data Models
• Develop and Maintain Logical Data Models
• Develop and Maintain Physical Data Models
2. Detailed Data Design
• Design Physical Databases
• Design Information Products
• Design Data Access Services
• Design Data Integration Services
3. Data Model and Design Quality Management
• Develop Data Modeling and Design Standards
• Review Data Model and Database Design Quality
• Manage Data Model Versioning and Integration
4. Data Implementation
• Build and test Data Access Services
• Validate Information Requirements
Inputs Outputs
Inputs:
• Business Goals and Strategies
• Data Needs and Strategies
• Data Standards
• Data Architecture
• Process Architecture
• Application Architecture
• Technical Architecture
Primary Deliverables:
• Data Requirements and
Business Rules
• Conceptual Data Models
• Logical Data Models and
Specifications
• Physical Data Models and
Specifications
• Meta-data (Business and
Technical)
• Data Access Services

23. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
HOW DATA DEVELOPMENT AFFECTS PRIVACY
Obtain
Storage
Store/Share Apply

24. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
HOW DATA DEVELOPMENT AFFECTS PRIVACY -
EXAMPLE
• EU e-marketing rules require explicit Opt-in consent for calls
to mobiles and for SMS marketing
• Fixed line is Opt-out
• Data Modelling decision required here…

25. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
HOW DATA DEVELOPMENT AFFECTS PRIVACY -
EXAMPLE
Marketing Other
Call
SMS
Call
Opt-in
Is this a nominated contact
for that purpose?
Purposes
Service Delivery
Record opt-in for service
delivery calls
Opt-in
Is this a nominated contact
for that purpose?
Record opt-in for service
delivery calls
Opt Out Record opt-in for service
delivery calls
Is this a nominated contact
for that purpose?
Email Opt-in Record opt-in for service
delivery calls
Is this a nominated contact
for that purpose?
Postal Opt-Out Record opt-in for service
delivery calls
Is this a nominated contact
for that purpose?

26. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
HOW DATA DEVELOPMENT AFFECTS PRIVACY –
A KISS OF DEATHTO USEABLE DATA…
Please tick this box if you would like us to not contact you
Blanket Opt-Outs applied at the PARTY Entity level, not at the contact point or in
the context of a specific purpose….

27. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHAT CAN WE LEARN FROM DATA MODEL
ABOUT PRIVACY IMPACTS?

28. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
© DAMA International, used with permission

29. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHAT IS DATA ARCHITECTURE IN DMBOK?
Definition:
Defining the data needs of the enterprise
and designing the master blueprints to
meet those needs..
Goals:
• To plan with vision and foresight to provide high quality data.
• To identify and define common data requirements.
• To design conceptual structures and plans to meet the current
and long-term data requirements of the enterprise.
Activities:
1. Understand Enterprise Information Needs
2. Develop and Maintain the Enterprise Data Model
3. Analyze and AlignWith Other Business Models
4. Define and Maintain the DataTechnology Architecture
5. Define and Maintain the Data Integration Architecture
6. Define and Maintain the DW/BI Architecture
7. Define and Maintain EnterpriseTaxonomies and
Namespaces
8. Define and Maintain the Meta-data Architecture
Inputs Outputs
Inputs:
• Business Goals
• Business Strategies
• Business Architecture
• Process Architecture
• IT Objectives
• IT Strategies
• Data Strategies
• Data Issues
• Data Needs
• Technical Architecture
Primary Deliverables:
• Enterprise Data Model
• Information Value Chain
Analysis
• Data Technology Architecture
• Data Integration / MDM
Architecture
• DW / BI Architecture
• Meta-data Architecture
• Enterprise Taxonomies and
Namespaces
• Document Management
Architecture
• Metadata

30. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTION: DATA ARCHITECTURE
Principle Governance Quality
Personal data which is being processed must be fairly
obtained and processed
X
Personal Data shall be obtained for a Specified and Lawful
Purpose
X
Personal Data shall not be processed in a manner
incompatible with the specified purpose
X
Personal Data shall be kept accurate and complete and,
where necessary, kept up to date
X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not
excessive
X X
Personal data should not be kept for longer than
necessary for the specified purpose or purposes
X X
Data Subjects have a right of Access. X

31. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential

32. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE ZACHMAN FRAMEWORK
Executive
Business
Manager
Architect
Engineer
Technician
How
(Action)
Why
(Motivation)
Where
(Location)
When
(Event)
Who
(Actor)
What
(Data)
Enterprise
Scope
Context
Business
Concepts
System
Logic
Technology
Physics
Tool
components
Enterprise
Inventory
Identification
Inventory
Definition
Inventory
Representation
Inventory
Specification
Inventory
Configuration
Inventory
Instantiation
Process
Identification
Process
Definition
Process
Representation
Process
Specification
Process
Configuration
Process
Instantiations
Distribution
Identification
Distribution
Definition
Distribution
Representation
Distribution
Specification
Distribution
Configuration
Distribution
Instantiations
Responsibility
Identification
Responsibility
Definition
Responsibility
Representation
Responsibility
Specification
Responsibility
Configuration
Distribution
Instantiations
Timing
Identification
Timing
Definition
Timing
Representation
Timing
Specification
Timing
Configuration
Timing
Instantiations
Motivation
Identification
Motivation
Definition
Motivation
Representation
Motivation
Specification
Motivation
Configuration
Motivation
Instantiations
Inventory Sets Process flows
Distribution
Networks
Responsibility
Assignments
Timing Cycles
Motivation
Intentions
Based on the Zachman Framework and content from
Dennedy & Finneran’s Privacy Engineers Manifesto

33. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE ZACHMAN FRAMEWORK
Executive
Business
Manager
Architect
Engineer
Technician
How
(Action)
Why
(Motivation)
Where
(Location)
When
(Event)
Who
(Actor)
What
(Data)
Enterprise
Scope
Context
Business
Concepts
System
Logic
Technology
Physics
Tool
components
Enterprise
Inventory
Identification
Inventory
Definition
Inventory
Representation
Inventory
Specification
Inventory
Configuration
Inventory
Instantiation
Process
Identification
Process
Definition
Process
Representation
Process
Specification
Process
Configuration
Process
Instantiations
Distribution
Identification
Distribution
Definition
Distribution
Representation
Distribution
Specification
Distribution
Configuration
Distribution
Instantiations
Responsibility
Identification
Responsibility
Definition
Responsibility
Representation
Responsibility
Specification
Responsibility
Configuration
Distribution
Instantiations
Timing
Identification
Timing
Definition
Timing
Representation
Timing
Specification
Timing
Configuration
Timing
Instantiations
Motivation
Identification
Motivation
Definition
Motivation
Representation
Motivation
Specification
Motivation
Configuration
Motivation
Instantiations
Inventory Sets Process flows
Distribution
Networks
Responsibility
Assignments
Timing Cycles
Motivation
Intentions
What triggers
need for data?
Timing
Identification
Motivation
Identification
• Why?
• Balancing
priorities/goals
• Purpose spec
Specified data,
specified
purpose
Specified data,
specified
purpose
Based on the Zachman Framework and content from
Dennedy & Finneran’s Privacy Engineers Manifesto

34. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE ZACHMAN FRAMEWORK
Executive
Business
Manager
Architect
Engineer
Technician
How
(Action)
Why
(Motivation)
Where
(Location)
When
(Event)
Who
(Actor)
What
(Data)
Enterprise
Scope
Context
Business
Concepts
System
Logic
Technology
Physics
Tool
components
Enterprise
Inventory
Identification
Inventory
Definition
Inventory
Representation
Inventory
Specification
Inventory
Configuration
Inventory
Instantiation
Process
Identification
Process
Definition
Process
Representation
Process
Specification
Process
Configuration
Process
Instantiations
Distribution
Identification
Distribution
Definition
Distribution
Representation
Distribution
Specification
Distribution
Configuration
Distribution
Instantiations
Responsibility
Identification
Responsibility
Definition
Responsibility
Representation
Responsibility
Specification
Responsibility
Configuration
Distribution
Instantiations
Timing
Identification
Timing
Definition
Timing
Representation
Timing
Specification
Timing
Configuration
Timing
Instantiations
Motivation
Identification
Motivation
Definition
Motivation
Representation
Motivation
Specification
Motivation
Configuration
Motivation
Instantiations
Inventory Sets Process flows
Distribution
Networks
Responsibility
Assignments
Timing Cycles
Motivation
Intentions
Data
Classification
IN CONTEXT
How does the
purpose get
executed?
Based on the Zachman Framework and content from
Dennedy & Finneran’s Privacy Engineers Manifesto

35. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE ZACHMAN FRAMEWORK
Executive
Business
Manager
Architect
Engineer
Technician
How
(Action)
Why
(Motivation)
Where
(Location)
When
(Event)
Who
(Actor)
What
(Data)
Enterprise
Scope
Context
Business
Concepts
System
Logic
Technology
Physics
Tool
components
Enterprise
Inventory
Identification
Inventory
Definition
Inventory
Representation
Inventory
Specification
Inventory
Configuration
Inventory
Instantiation
Process
Identification
Process
Definition
Process
Representation
Process
Specification
Process
Configuration
Process
Instantiations
Distribution
Identification
Distribution
Definition
Distribution
Representation
Distribution
Specification
Distribution
Configuration
Distribution
Instantiations
Responsibility
Identification
Responsibility
Definition
Responsibility
Representation
Responsibility
Specification
Responsibility
Configuration
Distribution
Instantiations
Timing
Identification
Timing
Definition
Timing
Representation
Timing
Specification
Timing
Configuration
Timing
Instantiations
Motivation
Identification
Motivation
Definition
Motivation
Representation
Motivation
Specification
Motivation
Configuration
Motivation
Instantiations
Inventory Sets Process flows
Distribution
Networks
Responsibility
Assignments
Timing Cycles
Motivation
Intentions
Logical Schema Process Maps /
Data Flow
RACI Matrix
Based on the Zachman Framework and content from
Dennedy & Finneran’s Privacy Engineers Manifesto

36. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE ZACHMAN FRAMEWORK
Executive
Business
Manager
Architect
Engineer
Technician
How
(Action)
Why
(Motivation)
Where
(Location)
When
(Event)
Who
(Actor)
What
(Data)
Enterprise
Scope
Context
Business
Concepts
System
Logic
Technology
Physics
Tool
components
Enterprise
Inventory
Identification
Inventory
Definition
Inventory
Representation
Inventory
Specification
Inventory
Configuration
Invntory
Instantiation
Process
Identification
Process
Definition
Process
Representation
Process
Specification
Process
Configuration
Process
Instantiations
Distribution
Identification
Distribution
Definition
Distribution
Representation
Distribution
Specification
Distribution
Configuration
Distribution
Instantiations
Responsibility
Identification
Responsibility
Definition
Responsibility
Representation
Responsibility
Specification
Responsibility
Configuration
Distribution
Instantiations
Timing
Identification
Timing
Definition
Timing
Representation
Timing
Specification
Timing
Configuration
Timing
Instantiations
Motivation
Identification
Motivation
Definition
Motivation
Representation
Motivation
Specification
Motivation
Configuration
Motivation
Instantiations
Inventory Sets Process flows
Distribution
Networks
Responsibility
Assignments
Timing Cycles
Motivation
Intentions
Where is your
data stored?
What rules apply
to that storage?
Based on the Zachman Framework and content from
Dennedy & Finneran’s Privacy Engineers Manifesto

37. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PRIVACY IN THE DMBOK WHEEL
© DAMA International, used with permission

38. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
DATA PROTECTION: DATA GOVERNANCE
Principle Governance Quality
Personal data which is being processed must be fairly
obtained and processed
X
Personal Data shall be obtained for a Specified and Lawful
Purpose
X
Personal Data shall not be processed in a manner
incompatible with the specified purpose
X
Personal Data shall be kept accurate and complete and,
where necessary, kept up to date
X
Personal Data should be kept Safe & Secure X
Data processed must be adequate, relevant and not
excessive
X X
Personal data should not be kept for longer than
necessary for the specified purpose or purposes
X X
Data Subjects have a right of Access. X

39. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
WHAT IS DATA GOVERNANCE IN DMBOK?
Definition:
The exercise of authority and
control (planning, monitoring, and
enforcement) over the management
of data assets..
Goals:
• To define, approve, and communicate data strategies, policies, standards, architecture, procedures,
and metrics.
• To track and enforce regulatory compliance and conformance to data policies, standards, architecture,
and procedures.
• To sponsor, track, and oversee the delivery of data management projects and services.
• To manage and resolve data related issues.
• To understand and promote the value of data assets..
Activities:
1. Data Management Planning
• Understand Strategic Enterprise Data Needs
• Develop and Maintain the Data Strategy
• Establish Data Professional Roles and Organizations
• Identify and Appoint Data Stewards
• Establish Data Governance and Stewardship Organizations
• Develop and Approve Data Policies, Standards, and Procedures
• Review and Approve Data Architecture
• Plan and Sponsor Data Management Projects and Services
• Estimate Data Asset Value and Associated Costs
2. Data Management Control
• Supervise Data Professional Organizations and Staff
• Coordinate Data Governance Activities
• Manage and Resolve Data Related Issues
• Monitor and Ensure Regulatory Compliance
• Monitor and Enforce Conformance With Data Policies, Standards,
• and Architecture
• Oversee Data Management Projects and Services
• Communicate and Promote the Value of Data Assets
Inputs Outputs
Inputs:
• Business Goals
• Business Strategies
• IT Objectives
• IT Strategies
• Data Needs
• Data Issues
• Regulatory Requirements
Primary Deliverables:
• Data Policies
• Data Standards
• Resolved Issues
• Data Management Projects and
Services
• Quality Data and Information
• Recognized Data Value

40. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
SOME KEY GOVERNANCE FUNCTIONS FROM
PRIVACY PERSPECTIVE
 Co-ordination of Data Privacy policies and standards
 ISO29100 is a good core starting point
 Ensuring staff are trained
 Acting as “honest broker”
 Ensuring appropriate risk posture in relation to privacy compliance
 Ensuring processes for personal data are documented
 Ensuring key controls are defined, operate, and are validated

41. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
STEWARDSHIP FOR DATA PRIVACY
Strategic
Operational
Tactical
Doers Definers Deciders Co-ordinators
  
   
  
3DC Stewardship
Defined not by WHERE they are in organisation, but by ROLE in relation to Information

42. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
A DATA STEWARDSHIP MIND MAP
Governance &
Stewardship
Data Use Steward
(Doer/Definer)
UX Requirements
Privacy Reporting
Screens & Reports Quality
Screen & Reports Content
Design & Aesthetics
Data Governance Reqts
(Co-ordinator)
Data Standards Compliance
Use of Metadata Documentation
Metric Driven Quality Assurance
Data Management Structure
Data Collection
Steward
(Doer/Definer)
Data Classification (PII, Sensitive)
Encryption
Business Content Rules
Privacy Rules
Privacy Reqts
Steward
(Decider/Definer)
Purpose
Notice
Consent
Transfer (3rd Party)
Access/Correction/Deletion
Proportionality
Retention
Responsible Action
Based on work by M. Dennedy & Tom Finneran

43. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
THE DATA PROTECTION OFFICER ROLE
• On the Executive Board?
• Reporting to Executive Board?
• Must be Independent
• Technical and Business skills
• Accountable for the System of Governance
• “StatutoryTenure”

44. Castlebridge Associates
© 2014 | Castlebridge Associates | Confidential
SOME FINAL CONCEPTS

45. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
PRIVACY BY DESIGN
What is it?
Privacy by Design is a philosophy for systems engineering
which takes privacy into account throughout the whole
engineering process.
Why is it Important?
Privacy by Design establishes 7 guiding principles for
development of systems that respect and enhance privacy as a
quality system
What is it?
It is just QUALITY MANAGEMENT applied to Information,
with PRIVACY as a “critical to quality” characteristic

46. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
PRIVACY BY DESIGN
'You cannot inspect
quality into a product.'
The quality is there or it
isn't by the time it's
inspected.

47. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
PRIVACY BY DESIGN
Focus on defining
processes & rules, not
correcting errors
Privacy as a quality
characteristic
A function of process
design, not an after
thought
Things need to work
without undue
invasion of privacy
Information Asset Life
Cycle thinking
Communicate,
Document,
communicate more!
Focus on the Customer –
Customer determines
Quality /Privacy

48. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
PRIVACY ENGINEERING
What is it?
Privacy Engineering is the discipline that ensures the
gathering and application of privacy requirements has
the same primacy as other ‘functional’ requirements in
processes and systems and incorporates them into the
project, product, system, or information life cycle.
Why is it Important? It is the glue that makes PBD operative in an organisation
What is it?
It is just QUALITY ENGINEERING applied to Information,
with PRIVACY as a “critical to quality” characteristic

49. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
ELEMENTS OF PRIVACY ENGINEERING MAPPED TO
JURAN
Enterprise Goals
User Goals
Privacy Policy
Requirements
Policies and
Procedures
Privacy
Mechanisms
Privacy Awareness
Training
Quality Assurance
QA Feedback
Improvement

50. Castlebridge Associates
© 2014 | Castlebridge Associates | Confidential
ETHICAL INFORMATION
MANAGEMENT
THE NEW EIM

51. Castlebridge Associates
© 2015 | Castlebridge Associates | Confidential
Business Information Technology
Society’s Ethical Framework
Organisation’s Ethical Framework
Regulation
& Laws
Lobbying
StrategicTacticalOperationsCustomer
Standards &
Codes
Standard
Practices
Business
Strategy &
Governance
Information
Strategy &
Governance
IT Strategy &
Governance
Business
Architecture &
Planning
Information
Architecture &
Planning
Technology
Architecture &
Planning
Management &
Execution of
Business
Processes
Management &
Application of
Information
Management &
Exploitation of
IT Services
Process Outcome Information Outcome
Customer
Feedback
Customer
Education
Expectation
Business Information Technology