Picture: How Decision Management Supports GDPR

A client recently asked how Decision Management and Decision Modeling support GDPR, “in a nutshell”.

I paused, considering my usual answer, perhaps something like:

Decision Management is a means of bringing a company’s business policies and decision-making ‘into the light’, making decisions an explicitly-managed corporate asset, expressed in a standard, transparent format.

This explicit, transparent medium can be used to capture, analyze and communicate exactly how a company’s operations depend on key data attributes and business knowledge.

This is done so precisely that the result, the decision model, is actually executable.

As a result, it’s much more accurate at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional paper techniques like process/data mapping: the data dependencies of all your business decisions are directly traceable.

Instead I drew the diagram above, illustrating directly how the pillars of GDPR are supported by Decision Management. Sometimes a picture really does say a thousand words. But, if you are more interested in the thousand words, see below.

What is Decision Management?

Decision management is a technique and technology stack that provides:

  • Transparency: renders business policy and operational decision logic transparent to business experts and analysts, for rapid improvement, by representing complex logic in standardized, easy to understand formats such as decision tables;
  • Business Orientation: makes operational business policies measurable and accountable to all stakeholders in terms of business performance indicators;
  • Agility: decision models are executable (but not code), supporting rapidly-evolving, model-driven definition of compliance needs;
  • Dependency Management: checks decision integrity and drives out all of their data dependencies, confirming that decisions are used consistently and reliably and identifying all required data support;
  • Complexity Management: allows even the most complex decisions to be represented compactly without code.

As a result, it directly empowers any GDPR initiative by:

Understanding and Justifying Current Data Use

The GDPR Data Audit and Privacy Impact Assessment are directly supported by decision management, including ensuring you only process the data you really need and checking that this processing is lawful.

Decision management is a powerful technique for capturing, analysing and communicating, in detail, how a company’s operations depend on key data attributes and business knowledge. It’s much more effective at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional techniques like process/data mapping because it helps you to identify which data is needed, which is superfluous and the justification for both – even when data dependencies are hidden within white-box predictive analytics. Decision management and modeling keeps all stakeholders informed of the outcomes of this analysis.

Decision management also provides a formal background for assessing and labelling the sensitivity, criticality, accuracy, retention period, distribution constraints and timeliness needs for all data inputs as part of a GDPR PIA. It can document data sources and consent traceability.

Unlike paper process/data maps, decision models are executable. So the data dependencies they reveal always reflect what’s actually happening in your business systems.

Remediating Non-Compliance

Decision management is a powerful means of identifying, making and checking the data use changes mandated by GDPR.

Decision management also provides powerful impact analysis, so when non-compliant data use is discovered, or a subject requests restriction, the company can very quickly and accurately assess the scope and impact of the necessary changes to business operations. Because decision models are executable, these changes can also be rapidly deployed.

Servicing Customer (Subject) and Regulator Requests

Decision management and modeling can support subject requests for policy information, erasure or portability.

Decision management facilitates the transparent and open capture, representation and execution of complex logic: decision-making (both general policies and specific case histories), customer profiling logic (including analytics), consent acquisition, retention policies, deletion policies, distribution constraints, production of portable data and expression of EU state-specific rules and variations (e.g., how to treat minors). All of this allows stakeholders, regulators and subjects to have a clear view of the company’s policies and its behaviours with regard to a specific case. The latter is most relevant to Article 22.

Testing and Maintaining Compliance

The open articulation of these business policies, and the fact that decision management allows their effectiveness to be monitored, also supports testing compliance and maintaining privacy. It allows breach frequencies to be incorporated directly into an ongoing measurement of the effectiveness of your approach.

Find out more about GDPR and Decision Modelling. Find out how we can help you with GDPR.

How GDPR Makes the Case for Decision Management

GDPR undoubtedly represents one of the most onerous regulatory mandates of the past decade—the first to explicitly demand an after-the-fact ability to explain your decision-making. So how can decision management help?

The General Data Protection Regulation (GDPR) will revolutionize the way in which most companies with partners or clients resident in the European Union source, verify, secure, use, retain and distribute their data. Further, it gives new rights to EU citizens that are the subjects of this data. The biggest revolution in data handling compliance since the original 1995 Data Protection Act (DPA), GDPR will force medium and large companies to appoint new, independent personnel charged with monitoring data processing, servicing the rights of data subjects and reporting breaches. It also sets record fines if these regulations are not followed. With a target implementation date in May 2018, many companies are concerned about their ability to meet this regulatory standard.

Crucially, GDPR will impose new obligations on companies that will require new levels of transparency in their decision-making, necessitating the increased use of techniques such as decision management and modeling. For example, under some circumstances, GDPR will make companies responsible for explaining their automated decision making when challenged by data subjects who are affected by the outcome. We examine these new obligations and describe how GDPR helps make the case for decision management.

What is GDPR?

GDPR is a new compliance mandate that will impact the majority of companies that store, move or process data from, or involving, a European company or involving subjects domiciled in the EU. A stronger replacement for the Data Protection Act of 1995, GDPR will be enforced from May 2018 and will have a wider territorial scope, more obligations, be better harmonized across Europe and will have the backing of every EU state. Most significantly, it will entail much more punishing fines for non-compliance: 20M Euro or 4% of annual turnover, whichever is the larger—such fines are enough to compromise some companies.

Many make the mistake of assuming GDPR only controls European companies, but this is far from the truth. GDPR has jurisdiction over corporations processing data in the EU. However, it also encompasses any company handling the data of EU subjects (persons or companies) or supplying services or goods to the EU, regardless of where it is based, whether or not money changes hands and whether or not the data processing takes place in the EU.

GDPR has the power to ensure that:

  • companies acquire data with appropriate consent;
  • companies do not hold excessive, stale or inaccurate data;
  • they hold data only for lawful reasons;
  • they do not collect or distribute it without active consent of the subject;
  • they have more stringent security, processing and breach control/reporting protocols controlled by documented personnel within the company (the Data Protection Officer and the Information Security Manager); and
  • they uphold key rights of data subjects, including the right to have inaccurate data corrected, to prevent data being used for direct marketing without their active consent and the right to have their data erased (to be forgotten).

Although GDPR will only affect medium- and large-sized companies (normally those with 250 or more employees), it cannot be evaded by sub-contracting out these responsibilities to subsidiaries or business partners as the DPA could. Its central obligations must be provided in-house after an extensive information audit to assess the company’s information assets, regular privacy impact assessments to ensure data streams are being handled appropriately and a demonstration that the company has the right to hold and process the data it does. Companies will be responsible for checking and documenting the adequacy of data suppliers to meet these needs and for ensuring the physical location, security and integrity of the data.

How Does Decision Management Support GDPR?

Decision Management is a means of bringing a company’s business policies and decision-making ‘into the light’, to make decisions an explicitly-managed, corporate asset. Specifically decision management:

  • identifies and prioritizes operational decisions and their impact on the business;
  • makes operational business policies transparent and accountable to all stakeholders by representing complex logic in easy to understand formats such as decision tables;
  • renders business policy and decision logic transparent to business experts and analysts for rapid innovation and improvement;
  • checks decision integrity and drives out all their data dependencies;
  • helps to explain, after the fact, why a decision generated a specific outcome and
  • confirms that they are used consistently and reliably.

Decision Modeling is a vital part of decision management: it gives us a standard means of representing business decisions—The Decision Model and Notation (DMN)—that is much easier to understand than code or ad-hoc spreadsheets, that is a safer representation for business policies than leaving them in the minds of subject matter experts and, most importantly, that is directly executable. This means that decision models can be tested and deployed without the need to develop decision-making code. DMN enables a viable, model-driven approach to decision-making and evolution, allowing you to convert decision models into automated, highly-efficient decision services without needing to go through the error-prone and time-consuming process of translating decisions into programs.

So how does this help with regulatory compliance mandates like GDPR?

Decision Transparency and Article 22

Article 22 of the GDPR demands that subjects (individuals about whom a company holds information) be safeguarded against potentially damaging decisions being made on their behalf, or concerning them, without the possibility of human intervention. Business operations that are fully automated and that have outcomes that could disadvantage a subject or ‘have a significant or legal effect on them’ (e.g., determining if someone is eligible for a mortgage or a credit card) must support the following entitlements:

  • The subject has a right to obtain an explanation of the decision and its consequences
  • The subject has the right to express a view on the decision
  • The subject has the right to challenge the decision and obtain rectification if there are sufficient grounds

These rights are only waived if: the decision was required for entering or remaining in a contract with the data subject (and therefore the decision-making and its consequences are spelled out in the contract); it is authorized by law; or it is based on explicit, active consent by the subject.

Furthermore Article 22 of the GDPR stipulates that in circumstances where it is acceptable to profile a subject (e.g., for the purposes of targeting goods and services, determining the best next action or cross-selling), such profiling must be transparent. Specifically: the profiling logic must be meaningfully described; the subject must be aware of the consequences; companies must be able to demonstrate that appropriate logical, mathematical or statistical approaches have been used and they must prove procedures are in place to spot inaccuracies or mistakes.

Decision modeling offers a powerful means of supporting all these rights because it offers the most effective means currently available of documenting decision-making in a transparent, open-standard format. This standard, DMN, allows even the most convoluted decision-making to be represented transparently using straightforward layouts free from jargon and code. Furthermore, many decision management systems provide an after-the-fact explanation of decision behaviour, giving a blow-by-blow account of how and why an outcome was determined and all the data used. This powerful combination allows data processors to explain their automated decision-making in easy to understand terms, using decision tables and other accessible representations to answer subject queries. It helps them meet their obligations while at the same time giving them a framework to improve their automated decision making. Even when opaque data analytics are used in decision-making, decision modeling can help in making outcomes transparent.

Being Explicit About Data Sources

GDPR insists that companies perform a one-off information audit and regular privacy impact assessments. Both require a thorough understanding of the exact source of all inbound data and why and how it is used to support business decision-making. Companies need to understand how their decisions depend on data—down to the level of individual fields. This helps them to ensure the real need for every field. They also need to know what implications this use has on the GDPR compliance of their operations and the data’s completeness, accuracy, latency and retention time requirements. This knowledge is essential for two reasons. Firstly, the degree of sensitivity of some data fields, currently classified into one of four levels, determines if and how the data may be used for a given application; the use of sensitive attributes is severely restricted. Secondly, the constraints on which data may be used may change with future versions of GDPR or with alterations in the purposes for which the data is used.

Decision modeling explicitly captures and justifies the dependencies that decision-making has on data and business knowledge. Furthermore, it can capture the source of every attribute of data used. Many companies use decision modeling precisely because it enables a quick and thorough audit of what data is required, its origin, how sensitive it is and why (and for how long) it is needed. Furthermore, many decision modeling tools can support queries on how specified fields are used across the enterprise and the big-picture impact of restricting or eliminating the use of specified data fields for compliance purposes.
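As an added illustration of the two capabilities described above, after-the-fact explanation (Article 22) and field-level data-dependency tracing for the information audit, here is a small executable decision table in Python. This is example code written for this page, not code from the article or from any DMN product; the decision, its field names, thresholds and sensitivity classes are all constructed.

```python
# Added example (not from the article or any DMN tool): a first-hit decision table
# that derives its own data dependencies, refuses to guess when data is missing,
# and returns the rule and data behind every outcome.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    conditions: Dict[str, Callable[[object], bool]]  # input field -> test on its value
    outcome: str
    reason: str  # plain-language justification that can be shown to the data subject


@dataclass
class DecisionTable:
    name: str
    rules: List[Rule]
    default: str  # outcome when no rule matches (here: refer to a human)

    def inputs(self) -> List[str]:
        """Every field the decision depends on, derived from the rules themselves
        rather than from a hand-maintained process/data map."""
        return sorted({f for r in self.rules for f in r.conditions})

    def evaluate(self, case: Dict[str, object]) -> Tuple[str, dict]:
        """Return (outcome, explanation). Missing fields are reported, not silently
        defaulted, so data-completeness problems surface in the audit trail."""
        missing = [f for f in self.inputs() if f not in case]
        if missing:
            return self.default, {"rule": None, "reason": "incomplete data", "missing": missing}
        for n, r in enumerate(self.rules, 1):  # first-hit policy
            if all(test(case[f]) for f, test in r.conditions.items()):
                return r.outcome, {"rule": n, "reason": r.reason,
                                   "data_used": {f: case[f] for f in r.conditions}}
        return self.default, {"rule": None, "reason": "no rule matched", "data_used": {}}


def sensitivity_report(table: DecisionTable, register: Dict[str, str]) -> Dict[str, str]:
    """Map each field the table uses to its class in the data register; fields the
    register does not know are flagged UNCLASSIFIED for the information audit."""
    return {f: register.get(f, "UNCLASSIFIED") for f in table.inputs()}


# Constructed sample model with hypothetical thresholds: card eligibility.
CARD_ELIGIBILITY = DecisionTable(
    name="Card eligibility",
    rules=[
        Rule({"age": lambda a: a < 18}, "ineligible", "applicant is under 18"),
        Rule({"arrears_flag": lambda x: x is True}, "human_review", "arrears on file; referred to a reviewer"),
        Rule({"annual_income": lambda i: i >= 20000}, "eligible", "income meets the threshold"),
    ],
    default="human_review",
)

# Constructed data register; a real one would come from the information audit.
DATA_REGISTER = {"age": "personal", "annual_income": "personal", "arrears_flag": "personal"}

if __name__ == "__main__":
    print(CARD_ELIGIBILITY.evaluate({"age": 34, "annual_income": 25000, "arrears_flag": False}))
    print(sensitivity_report(CARD_ELIGIBILITY, DATA_REGISTER))
```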

The strict accountability enforced by a decision management environment is also vital for thorough and transparent information audits and the sensitivity classification of data attributes.

Ability to Support Decision Complexity and Rapid Change

Like any new compliance mandate, GDPR has many geographical and jurisdictional variations and uncertainties. A good example of this is the rights young people have regarding how their sensitive data is used under the regulation: specifically, how age is used to classify minors and determine the degree to which they can personally give consent, as opposed to their guardians. The age boundaries used depend on the nation of jurisdiction. Also, the mechanics of parental consent in the current version of GDPR are recognized as draft and are likely to change post go-live. These factors mean that any automated support for GDPR must be capable of expressing these variations and accommodating change quickly and safely.

Decision modeling is an ideal means of documenting complex decisions because it scales effectively and it is expressly designed to support jurisdictional and other variations. Decision management technology stacks support the rapid evolution of regulatory logic through the transparency of decision models, provision of a collaborative environment with change impact assessment and the fact that models are directly executable. Further, the regression testing facility that many stacks provide ensures that regulatory updates can be performed quickly and without error. We refer to this combination as safe agility.

Many compliance directives benefit from decision management, but GDPR undoubtedly represents one of the most onerous regulatory mandates of the past decade—the first to explicitly demand an after-the-fact ability to explain your decision-making, but certainly not the last. If your company falls under the scope of GDPR, using decision modeling, deploying a decision technology stack and executing your automated decisions on a highly performant decision execution engine are vital requirements for success.

Overcoming the Challenges of Financial Decisions with DMN

Join Lux Magi and business partner, Trisotech, to discover how Decision Management addresses the key risks of regulatory compliance. This webinar outlined the practical difficulties of supporting mandatory regulatory compliance in finance IT systems and described how a key technique of Business Decision Management—Decision Modelling—can overcome these challenges. The benefits of using the Decision Model and Notation (DMN) were also presented.

Decision Modeling: The Bottom Line

Why should organizations model their important business decisions as part of digital transformation? We’ve been asked so many times to explain how our clients have benefited from decision modeling that we decided to capture it here. This article covers seven reasons to adopt decision modeling and summarizes the bottom-line benefits decision modeling has brought to companies that use it effectively.

How TDM Principles Inform Good Practice in DMN

Decision Modeling notations have been adopted by companies to improve the integrity, transparency and agility of their important business decisions. They facilitate the management of business decisions as a vital business asset.

Over the past eight years, Decision Modeling has been dominated by two standards: The Decision Model (TDM), defined by Sapiens Inc, established in 2009 and documented superbly in The Decision Model book by Larry Goldberg and Barbara von Halle; and The Decision Model and Notation (DMN), an open standard first defined by the Object Management Group (OMG) in 2013 and documented in books by James Taylor and Jan Purchase, and by Bruce Silver. Both standards are in use and continue to evolve.

While James Taylor and I were collaborating on our Decision Modelling book, and discussing our experiences of using DMN after using TDM, we wondered: how does TDM experience inform good practice in DMN? What can newcomers to Decision Modelling and DMN learn from the earlier standard?

In short, a great deal.

We believe that new, and even experienced, Decision Modeling practitioners can benefit significantly from background knowledge of TDM. This article explains why and what these benefits are.