A client recently asked me how Decision Management and Decision Modeling support GDPR, "in a nutshell".
I paused, considering my usual answer, which would be something like:
Decision Management is a means of bringing a company’s business policies and decision-making ‘into the light’, making decisions an explicitly-managed, corporate asset, expressed in a standard, transparent format.
This explicit, transparent medium can be used to capture, analyze and communicate exactly how a company’s operations depend on key data attributes and business knowledge.
This is done so precisely that the result, the decision model, is actually executable.
As a result, it is far more accurate at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional paper techniques like process/data mapping: the data dependencies of all your business decisions are directly traceable.
Instead I drew the diagram above, illustrating directly how the pillars of GDPR are supported by Decision Management. Sometimes a picture really does say a thousand words. But, if you are more interested in the thousand words, see below.
What is Decision Management
Decision management is a technique and technology stack that provides:
- Transparency: renders business policy and operational decision logic transparent to business experts and analysts, for rapid improvement, by representing complex logic in standardized, easy-to-understand formats such as decision tables;
- Business Orientation: makes operational business policies measurable and accountable to all stakeholders in terms of business performance indicators;
- Agility: decision models are executable without being hand-written code, supporting rapidly-evolving, model-driven definition of compliance needs;
- Dependency Management: checks decision integrity and makes every data dependency explicit, confirming that decisions are applied consistently and reliably and identifying all the data each decision requires;
- Complexity Management: allows even the most complex decisions to be represented compactly without code.
As a result, it directly empowers any GDPR initiative by:
Understanding and Justifying Current Data Use
The GDPR Data Audit and Privacy Impact Assessment are directly supported by decision management, including ensuring you only process the data you really need and checking that this processing is lawful.
Decision management is a powerful technique for capturing, analyzing and communicating, in detail, how a company's operations depend on key data attributes and business knowledge. It is much more effective at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional techniques like process/data mapping because it helps you to identify which data is needed, which is superfluous, and the justification for both, even when data dependencies are hidden inside white-box predictive analytics. Decision management and modeling keep all stakeholders informed of the outcomes of this analysis.
Decision management also provides a formal background for assessing and labelling the sensitivity, criticality, accuracy, retention period, distribution constraints and timeliness needs of every data input as part of a GDPR PIA. It can document data sources and consent traceability.
Unlike paper process/data maps, decision models are executable. So, provided the model you audit is the one your systems actually run, the data dependencies it reveals reflect what is happening in your business systems rather than what a document claims is happening.
Decision management is a powerful means of identifying, making and checking the data-use changes mandated by GDPR.
Decision management also provides powerful impact analysis, so when non-compliant data use is discovered, or a subject requests restriction of processing, the company can very quickly and accurately assess the scope and impact of the necessary changes to business operations. Because decision models are executable, these changes can also be rapidly deployed.
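To make the dependency-tracing and impact-analysis claims above concrete, here is an added example in Python. It is not code from this article or from any decision-management product, and its decision-table representation is a simplified stand-in rather than the DMN standard. The decision names, input attributes, collected-attribute list and sample subject record are all constructed for illustration. The point it shows is that once decision logic is executable, three GDPR questions become mechanical: which attributes each decision reads, which collected attributes no decision needs, and what actually changes if a subject restricts processing of a given attribute.

```python
"""Toy decision-table engine showing how executable decision logic exposes its
data dependencies for a GDPR data audit and impact analysis.

Added example for this article; not the article's own code and not an
implementation of DMN or of any product. Decision names, attributes and
sample data below are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set, Tuple

Predicate = Callable[[Any], bool]


@dataclass(frozen=True)
class Rule:
    """One row of a decision table: every condition must hold for the rule to fire."""
    conditions: Dict[str, Predicate]  # input attribute -> test applied to its value
    outcome: str


@dataclass
class DecisionTable:
    name: str
    rules: List[Rule]
    default: str  # outcome when no rule fires

    def inputs(self) -> Set[str]:
        """Every attribute the decision can read: its data dependencies."""
        deps: Set[str] = set()
        for rule in self.rules:
            deps.update(rule.conditions)
        return deps

    def evaluate(self, facts: Dict[str, Any]) -> str:
        """First-hit evaluation. An attribute missing from `facts` means the rule cannot fire."""
        for rule in self.rules:
            if all(attr in facts and test(facts[attr]) for attr, test in rule.conditions.items()):
                return rule.outcome
        return self.default


def dependency_map(model: List[DecisionTable]) -> Dict[str, Set[str]]:
    """Invert the model: attribute -> names of the decisions that read it."""
    out: Dict[str, Set[str]] = {}
    for table in model:
        for attr in table.inputs():
            out.setdefault(attr, set()).add(table.name)
    return out


def audit_collected_data(model: List[DecisionTable], collected: Set[str]) -> Dict[str, Set[str]]:
    """Data-audit view: which collected attributes are needed, which are superfluous,
    and which attributes decisions read but the organisation does not record collecting."""
    used = set(dependency_map(model))
    return {"needed": collected & used, "superfluous": collected - used, "missing": used - collected}


def impact_of_restriction(model: List[DecisionTable], restricted: Set[str]) -> Set[str]:
    """Static impact analysis: decisions that read any of the restricted attributes."""
    deps = dependency_map(model)
    affected: Set[str] = set()
    for attr in restricted:
        affected |= deps.get(attr, set())
    return affected


def outcome_changes(model: List[DecisionTable], facts: Dict[str, Any],
                    restricted: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Dynamic impact analysis: re-run every decision for one subject with the
    restricted attributes withheld and report the decisions whose outcome changes."""
    reduced = {k: v for k, v in facts.items() if k not in restricted}
    changes: Dict[str, Tuple[str, str]] = {}
    for table in model:
        before, after = table.evaluate(facts), table.evaluate(reduced)
        if before != after:
            changes[table.name] = (before, after)
    return changes


# Constructed sample model: a credit pre-check and a marketing segmentation.
MODEL = [
    DecisionTable("credit_precheck", [
        Rule({"age": lambda a: a < 18}, "refer_to_manual_review"),
        Rule({"country": lambda c: c in {"DE", "FR"}, "income": lambda i: i >= 30000}, "approve"),
    ], default="decline"),
    DecisionTable("marketing_segment", [
        Rule({"marketing_consent": lambda c: c is True, "purchases_last_year": lambda n: n >= 5}, "loyal"),
        Rule({"marketing_consent": lambda c: c is True}, "standard"),
    ], default="no_marketing"),
]

# Constructed: what the intake form actually collects. "religion" is special-category
# data that no decision reads, exactly the kind of finding a data audit should surface.
COLLECTED = {"age", "country", "income", "marketing_consent", "purchases_last_year", "email", "religion"}

# Constructed sample subject record.
SUBJECT = {"age": 40, "country": "DE", "income": 45000, "marketing_consent": True, "purchases_last_year": 7}

if __name__ == "__main__":
    print("dependencies:", dependency_map(MODEL))
    print("audit:", audit_collected_data(MODEL, COLLECTED))
    print("restrict income, static:", impact_of_restriction(MODEL, {"income"}))
    print("restrict income, this subject:", outcome_changes(MODEL, SUBJECT, {"income"}))
```

The static view (`impact_of_restriction`) answers "which decisions must we look at" for any subject; the dynamic view (`outcome_changes`) answers "what would this subject's outcomes become" by executing the same model with the restricted attributes withheld, which is only possible because the model is executable rather than a diagram.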
Servicing Customer (Subject) and Regulator Requests
Decision management and modeling can support responses to requests for policy information, erasure or portability.
Decision management facilitates the transparent and open capture, representation and execution of complex logic: decision-making (both general policies and specific case histories), customer profiling logic (including analytics), consent acquisition, retention policies, deletion policies, distribution constraints, production of portable data and the expression of EU member-state-specific rules and variations (e.g., how to treat minors). All of this allows stakeholders, regulators and subjects to have a clear view of the company's policies and of its behaviour with regard to a specific case. The latter is most relevant to Article 22 (automated individual decision-making, including profiling).
Testing and Maintaining Compliance
The open articulation of these business policies, and the fact that decision management allows their effectiveness to be monitored, also supports testing compliance and maintaining privacy. It allows breach frequencies to be incorporated directly into an ongoing measurement of the effectiveness of your approach.