GDPR Metadata
As described in the topic How the Compliance Database Works, an important part of building up a GDPR compliance system with the Altova GDPR Compliance Database is to enter the relevant GDPR metadata. (Note that while data refers to the personal data collected by the organization, metadata refers to GDPR-related information that describes the personal data.) This metadata comprises not only information about the personal data that is being collected, but also information related to the structure of the organization collecting the personal data: the departments, persons, external entities, and storage locations involved with the processing of personal data held by the organization.
This metadata is entered via different pages of the compliance database, and the different pieces of information are built up by the compliance database into an internally held network of metadata relationships. This section describes how to enter these different items of related metadata. It is structured as follows:
•Information about the company (the data controller)
•Company information, which consists of departments that process personal data, and people in these departments who are responsible for the data and metadata
•Information about the collected data: this information is structured by identifying and defining data classifications, each of which is a criterion for describing personal data. Additionally, information about any external data processor that uses the collected data in any way is also recorded
•Data categories are needed so that the data used by each processing activity can be properly described. A data category is defined by assigning specific values for the data classifications that comprise the category.
•Data storage entities define the physical aspect of data storage, such as location and medium
•The Processing Activities section describes how processing activities (applications that process personal data) are defined