GDPR monitoring is a key requirement in a European-wide data governance tool

Data governance and the GDPR (General Data Protection Regulation) are closely related. The GDPR is a data privacy law applicable to all companies processing the personal data of EU citizens, irrespective of the company’s location. The law requires organisations to implement adequate security measures to protect personal data, meaning that companies must have robust data governance in place to comply with GDPR regulations.

Data governance helps companies control the quality and integrity of their data, an essential requirement to comply with the GDPR. This law states that companies must ensure that personal data is accurate and up-to-date, which requires organisations to implement rigorous data management processes. The GDPR further requires them to keep a detailed record of how they process personal data, which is achieved through proper data governance.

In summary, data governance is fundamental to complying with the GDPR, as it helps companies protect their personal data and comply with data privacy regulations. However, regulatory compliance does not guarantee that risks are controlled: risks have a probability of having an impact or becoming a reality, and that must be managed. This is where PIA comes into play.

PIA: The Privacy Impact Assessment tool

PIA (Privacy Impact Assessment) is a tool that helps organisations identify and manage privacy risks associated with the collection, use, storage, and disclosure of personal data. PIA is a key measure for complying with the GDPR (EU General Data Protection Regulation), as the regulation requires companies to carry out a privacy impact assessment before processing high-risk personal data.

PIA helps companies identify risks and implement risk mitigation measures, which is essential to comply with the data protection principles set forth by the GDPR, such as data minimisation, accuracy and purpose limitation. In addition, conducting a PIA demonstrates a company's commitment to protecting personal data and is evidence that steps are being taken to ensure data privacy and security.

In general, data governance software can be helpful in conducting a privacy impact assessment (PIA), but it is important to keep in mind that PIA is a process that goes beyond the use of a specific technology tool. Data governance software can help the company identify and manage certain risks associated with privacy, such as data cataloguing and access control, but PIA is a broader process that also involves identifying specific risks and implementing appropriate mitigation measures.

What a PIA should include

1. Systematic description of the intended processing activity: data life cycle.
2. An assessment of the necessity and proportionality of the processing in relation to its purpose.
3. A risk assessment:
    A. Threats and risks.
    B. Risk assessment.
    C. Handling the risk to minimise the probability of impact.
4. Measures contemplated, action plan and findings.

The Data Management Plan (DMP) and PIA are complementary concepts

PIA (Privacy Impact Assessment) and the DMP (Data Management Plan) are two different concepts related to data management in research projects.

PIA is a process used to identify, assess and mitigate risks related to the privacy of personal data processed by an organisation. In the context of research, PIA is used to identify and mitigate privacy risks associated with the collection, use, and disclosure of personal data in research projects.

On the other hand, the DMP is a tool used in research projects to ensure that data are collected, stored, processed and shared responsibly and efficiently. The objective of the DMP is to establish the policies and procedures necessary to ensure that data are managed in a way that complies with ethical, legal and security requirements.

In this sense, both tools are important in research projects to ensure proper data management. On the one hand, the PIA should include an assessment of the risks associated with data management in a research project and suggest measures to mitigate these risks. On the other, the DMP should implement these measures and establish policies and procedures to manage data responsibly and securely, in line with the above.

Why should I create a DMP model for my organisation?

The decision as to whether a Data Management Plan (DMP) is required for each data project or whether one plan is sufficient for a company-wide data platform will depend on a number of factors, such as the nature and complexity of the data projects, the amount and types of data being handled, and legal and compliance requirements.

  1. Very heterogeneous data projects
    Generally, if the data projects are very different in terms of the data being used and their data management needs, it may be necessary to develop a project-specific DMP. An appropriate DMP should specify project objectives and goals, data requirements, data structure, security, privacy and compliance procedures, and the responsibilities and roles of the data management team.
     
  2. Homogeneous data projects
    In the case of data projects with similar data management requirements, it may be more efficient and practical to use a single DMP for a company-wide data platform. Here, the DMP should be flexible enough to encompass the different projects and the specific requirements of each one.

The DMP and PIA are key aspects to consider when selecting a data governance tool, as they are part of the data management workflows, but there are more. If you would like to know which selection criteria are relevant, be sure to read the following article.

Carles Roca

Carles is a Senior Account Manager at SEIDOR Opentrends. He leads the financial sector and is an expert in operations management and BPM, CRM, LXP and LMS technologies. Previously, he held management positions in talent management and digital learning at consultancy firms, insurance companies and banks. His aim is to develop technology-based value propositions that help improve customer experience, increase sales or reduce costs in a way that is sustainable over time.