Knowledge Accelerators policies and rules

The Knowledge Accelerators provide a sample set of governance policies and governance rules in the area of Data Privacy.

Policies

The sample selection of governance policies in the area of Data Privacy is further broken down into policy subcategories. These subcategories contain individual policies that illustrate how you can define your own policies in this area. You can use this category structure to create policies in other areas such as sustainability or diversity. Policies are descriptive rather than enforceable in IBM Knowledge Catalog.

Policies are organized under the Data Privacy Policies category structure:
  • Data Accountability Policies
  • Data Accuracy Policies
  • Data Custodianship Policies
  • Data Disclosure Policies
  • Data Fairness Policies
  • Data Minimization Policies
  • Data Retention Policies
  • Data Security Policies
  • Individual Rights Policies
  • Purpose Limitation Policies

An example of a Data Disclosure Policy is Masking Personal Data.

Definition: The Organization will always mask, anonymize, redact or otherwise render personal information unidentifiable when shared for any purpose that does not require the data subjects to be identified.

This policy has 2 related Data Governance Rules:
  • Mask or de-identify Personal Information
  • Redact Sensitive Personal Information

Learn More: Policies in IBM Knowledge Catalog.

Governance Rules

Knowledge Accelerators provide a sample selection of governance rules in the area of Data Privacy. These rules express how you intend to implement your policies. Governance rules can be related to one or more governance policies. They can also be related to business terms where such terms are clearly applicable to the rule. Like policies, governance rules are not enforceable. The sample that is provided with the Knowledge Accelerators illustrates how you can define your own expanded set of rules.

An example of a Data Governance rule is Notify Personal Data Breach To Relevant Personal Data Authority:

Definition: Based on the Data Controller or Data Privacy Office's assessment of the extent of the Data Privacy Breach detected (type of breach, type and volume of personal data, and number of Data Subjects impacted), notify the relevant Personal Data Authority(s) for the jurisdiction(s) impacted of the nature and extent of the breach within xx hours/days.

This governance rule has a parent policy of Personal Data Breach Management in the Data Security Policies category. It is also related to the following Business Terms:
  • Identified Person
  • Organization
  • Organization Type

Data Protection Rules

Data protection rules are actionable rules that define how to control access to data. Actions include denying access to a data asset, filtering out rows based on specified value matching, and masking data in specific columns.

Data protection rule criteria and actions are typically built on governance artifacts that describe the data, such as business terms, data classes, and classifications, but can also specify user access based on individual users, user roles, or groups. Rules can also be created based on the technical metadata of the data assets, such as column name, asset name, or schema. When the rules are based on governance artifacts, these artifacts must be pre-assigned to the data assets, usually as part of the metadata enrichment process.

For example, as part of the Knowledge Accelerators governance policy Masking Personal Data, you can create and link a data protection rule to control access to email address data (which is classified as Personal Information), in all columns with Email Address data class assigned. This rule might be further refined to restrict access to users with User Roles such as Data Engineer, or to use advanced masking options to replace specific values with generated values such as user name or common email service.
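The email address rule described above can be modeled in a few lines. This is an added illustration, not IBM Knowledge Catalog code or its API: `ProtectionRule`, `mask_email`, `apply_rule` and the sample data are hypothetical names and constructed values, and it assumes the rule applies only to users who hold one of the listed roles. It also shows why data classes must be pre-assigned: a column that holds email addresses but has no data class is returned unmasked.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ProtectionRule:
    data_class: str    # criterion: data class assigned to a column
    roles: frozenset   # criterion: user roles the rule applies to (empty = every user)
    action: str        # "mask" or "deny"

def mask_email(value: str) -> str:
    """Replace user name and domain with generated values, stable per input."""
    digest = hashlib.sha256(value.lower().encode()).hexdigest()
    return f"user_{digest[:8]}@example.com"

def apply_rule(rule, user_roles, column_classes, rows):
    """Return the rows as this user would see them.

    column_classes maps column name -> assigned data class (None if unassigned).
    Raises PermissionError when a matching rule's action is "deny".
    """
    if rule.roles and not (rule.roles & set(user_roles)):
        return [dict(r) for r in rows]      # rule does not apply to this user
    targets = {c for c, dc in column_classes.items() if dc == rule.data_class}
    if not targets:
        return [dict(r) for r in rows]      # no column carries the data class
    if rule.action == "deny":
        raise PermissionError(f"access denied: asset contains {rule.data_class}")
    if rule.action != "mask":
        raise ValueError(f"unsupported action: {rule.action}")
    return [{c: mask_email(v) if c in targets else v for c, v in r.items()}
            for r in rows]

# Constructed sample asset: "contact" also holds an email address, but metadata
# enrichment never assigned it a data class, so the rule cannot see it.
COLUMN_CLASSES = {"customer_id": None, "email": "Email Address", "contact": None}
ROWS = [{"customer_id": 1, "email": "ana@corp.test", "contact": "ana@corp.test"}]
RULE = ProtectionRule("Email Address", frozenset({"Data Engineer"}), "mask")

if __name__ == "__main__":
    print(apply_rule(RULE, ["Data Engineer"], COLUMN_CLASSES, ROWS))
    print(apply_rule(RULE, ["Data Steward"], COLUMN_CLASSES, ROWS))
```

The unmasked `contact` value in the first result is the gap to look for when reviewing enrichment coverage on assets that hold PI or SPI.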

Knowledge Accelerators data classes and business terms that are considered relevant to personal data have a classification of Personal Information (PI) or Sensitive Personal Information (SPI), depending on the sensitivity of the data they describe. These suggested classifications can be reviewed and adjusted in line with regional or organizational data privacy requirements. PI and SPI classifications help in the identification of personal data in data assets, which would typically be areas where data protection rules are required.
