Blog on SQL Server, Business Intelligence and the Cloud

Achieve a GDPR Compliant Data Governance Strategy

Written by Brian Knight | Jan 09, 2017

The ever-growing need for data protection and security is creating legislation in various forms throughout the world. These laws and regulations often contain strict policies for organisations that handle citizens' personal data and for how that data should be handled. One of the largest efforts we’ve seen is the European Union General Data Protection Regulation (GDPR).

According to the Official EU GDPR website, GDPR was “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.” The regulation goes into effect 25 May 2018 and affects all companies with a specific European presence.

With hefty fines of up to 4% of annual global turnover or €20 Million (whichever is greater), having a resolute data governance strategy is essential. It’s important to know what data your company possesses, who it belongs to, where it’s located, how it’s used and what may impact it for GDPR compliance. So, what does that mean to your organisation doing business in Europe? The new law comes down to the following big IT areas:

  1. Customers have the right to be forgotten – Once the law is enacted, consumers have the right to have their personal data removed from your systems. From an IT perspective, you must know where their data has landed for easy removal.
  2. Data portability – This tenet gives customers the right to transfer their personal data from one provider to another.
  3. Companies must understand “data flows” – For the purpose of this conversation, let’s refer to a data flow as the exchanging of data with a partner or other organisation. Your IT organisation must understand thoroughly those touch points. This must be documented at the field level and available for audit or threat detection.
  4. Consent – Companies must be able to provide proof that the customer agreed to have their data stored by your organisation.
  5. Privacy Enhancing Technology (PET) and Privacy by Design (PbD) – In this new world of privacy as a right, you must incorporate that right into your applications and how you anonymise data, even when the data is enhanced through other sources. In other words, you may receive some basic personal data from a customer but then purchase other data that further enhances their base profile from a survey company. This is all considered data that must be protected.

Our tools can help you achieve a GDPR compliant data governance strategy in the following ways:

Data Dictionary

DOC xPress’s Data Dictionary allows you to record responsibility for data as well as include that information in documentation through annotations and custom fields. This provides accountability for the ownership of the data in your company’s possession.

The Data Dictionary is also useful for recording responsibility for processing stages (particularly those within SSIS) as an added level of accountability.


Documentation for the core data is covered by the robust and customisable documentation tools within DOC xPress. DOC xPress creates documentation from SQL Server, SSAS, SSIS, SSRS, Excel, Oracle, Hive, Tableau and more and can generate documentation in a variety of formats. In addition, the documentation can be customised for different audiences, so that users only see the most relevant information for their role. This documentation is at the field level and helps clarify where personal data might be hiding in your organisation.

Lineage Analysis

Being able to quickly and easily see where a piece of data is being used allows you to make appropriate decisions on what needs to be included in an audit and why. DOC xPress’s Lineage Analysis tool helps you see where data originates and how it’s being used. With this tool, you can also identify data flows through which sensitive data could be lost and/or leaked. Understanding the flow of data is key to ensuring that the flow is secure.

Automated Data Testing

Designing a data governance strategy should provide data protection by design and through auditing. LegiTest is an automated data-driven testing tool that can automatically test data at specified intervals to ensure validity. LegiTest also maintains appropriate records to prove test results to increase efficiency during the audit process.

DOC xPress and LegiTest are just two of the products within our popular Pragmatic Workbench. The Workbench bundles four of our most popular SQL Server tools, helping you utilise the BI stack while saving time and increasing efficiency. See how our tools can integrate into your environment and help you achieve a GDPR compliant data governance strategy.


Please consult your legal team on how this regulation may impact your company.