A key element of GDPR compliance relates to something called ‘metadata’.

With GDPR’s introduction on 25th May 2018 fast approaching, this vital aspect is something every business will need to brush up on.

Which begs the question…

What is metadata?

Metadata is often referred to as ‘data about data’, which in plain English means it describes data, the concepts it represents and the connections it has.

From metadata, we can workout what the data elements are and the business processes or applications they relate to.

Metadata helps a business understand more about the data it holds and the way it flows through the organisation. It also makes it far easier to gain access to individual records held within large databases.

Databases can’t be managed or interrogated without metadata, which is why it will be integral to GDPR compliance come next May.

How metadata relates to GDPR activities

The GDPR is all about understanding where your privacy-sensitive data comes from, who’s using it, how it’s being used and being able to respond effectively in the event of a data breach.

Metadata management falls under the above remit, and there are seven activities during which it will prove most useful:

1. Consent management

The way you’ll process data under the GDPR will be governed by the consent of the owner, and metadata enables you to easily register and administer the consent for privacy-sensitive data.

2. Data breach notifications

In the event of the personal data you store being compromised, you’ll need to notify your data protection supervisory authority (SA) - quickly.

Metadata will help considerably here, by providing information on the creation date of the file, the name of the database hacked and when the data breach took place.

3. The data protection officer

You may be required to appoint a data protection officer when the GDPR comes into effect, and the metadata repository will be that person’s most valuable source of information when checking on the measures that need to be taken to protect personal data.

4. Privacy by default

Privacy by default simply means your business has taken the necessary technical and procedural measures to ensure personal data is only processed for specific purposes that are in-line with the overall purpose of the business.

With metadata, you can enforce the technical measures required to ensure processing is only performed in that way.

5. Privacy impact assessments

Under the GDPR, you might be required to perform a privacy impact assessment (PIA).

This will map out the privacy risks inherent within the organisation when it comes to processing personal data and is usually asked for when a high privacy risk is believed to be at play.

Efficient execution of a PIA will rely on good metadata management, which will help you efficiently identify the data that is privacy sensitive.

6. Data processing

GDPR requires businesses to document the personal data they process and the purpose for doing so.

This isn’t something you can avoid, and it can be a tricky task without decent metadata. The documentation will need to be easily accessible and ready for use when required; metadata will support the fast insights required.

7. The rights of data owners

A major role of the GDPR is to improve the level of control given to owners of personal data (often referred to as ‘data subjects’).

These improved privacy rights require data processors to react quickly to any request for access to personal data, and metadata enables fast access to even the largest repositories.

The GDPR is undeniably complex, and requires a knowledgeable pair of hands to ensure compliance, but the more you can raise awareness internally about elements such as metadata, the better prepared you’ll be for May 2018.