Purpose and Scope
This policy defines responsibilities, controls, and procedures for managing corporate data across Ablaze.Digital to ensure legal compliance, data quality, security, and utility. It applies to all employees, contractors, vendors, and systems handling Ablaze.Digital data.
Governance Principles
- Data is a corporate asset; decisions must weigh legal, operational, and ethical obligations.
- Accountability: every data domain has an assigned Data Owner and Steward.
- Privacy by Design and Default: systems and processes must minimize personal data collection and exposure.
- Security and Resilience: protect confidentiality, integrity, and availability.
- Auditability and Transparency: maintain records enabling audits and compliance with IFRS, PIPEDA, GDPR, CCPA, and HIPAA where contractual obligations require.
Roles and Responsibilities
- Board/Senior Leadership: oversight, resource allocation.
- Chief Data Officer (CDO): policy ownership, data strategy, KPIs.
- Data Owners: accountable for data domain decisions, classification, and access approvals.
- Data Stewards: manage day-to-day data quality, metadata, and lineage.
- DPO/Privacy Lead: privacy compliance, DPIA approval, Data Subject Request coordination.
- IT & Security: controls, incident response, backups.
- Legal & Compliance: interpret laws (PIPEDA, GDPR, CCPA, CASL, HIPAA), contract review, audit liaison.
Data Classification
Four classes: Public, Internal, Confidential, Restricted. Each class has handling rules for encryption, access approvals, transmission restrictions, and retention.
Data Lifecycle
- Collection: minimize and document purposes.
- Storage: centralize into approved repositories with classification controls.
- Usage: RBAC, logging, and periodic review.
- Sharing: use data-sharing agreements and DPAs for recipients.
- Archival and Deletion: retention schedules aligned to IFRS, tax, and legal obligations; secure deletion processes validated.
Data Quality and Metadata
Track metrics (accuracy, completeness, timeliness). Data Stewards remediate issues within SLAs. Maintain metadata catalog with lineage, transformation steps, owner, and retention.
Privacy and Risk Assessments
DPIAs required for high-risk processing (special categories, large-scale profiling, new third-party platforms). DPO must approve mitigation plans prior to production roll-out.
Security Controls
RBAC and least privilege, MFA for privileged accounts, encryption in transit and at rest, secure key management, logging, vulnerability scanning, regular patching, secure SDLC, periodic penetration testing.
Backup and DR
Backups are maintained for critical systems, with restores tested. RTO and RPO are defined and tested annually. DR aligns with business continuity.
Vendor and Subprocessor Management
Due diligence, security questionnaires, contractual DPAs, periodic reviews; stricter controls for Restricted data vendors.
Monitoring and Audit
Monitor access and anomalies. Quarterly governance reporting and annual independent audits for compliance.
Financial and Accounting Controls
IFRS reporting data: segregation of duties, immutable audit trails, version control, retention schedules.
Incident Response and Breach Notification
Follow incident response playbook. High-severity incidents trigger immediate notification to leadership, privacy, and legal; regulatory notifications executed as required.
Training and Awareness
Mandatory onboarding and annual training for privacy, security, CASL, and data governance; role-based modules for Owners and Stewards.
Policy Exceptions and Review
Exceptions require written approval from CDO and Legal. Reviewed at least annually and on material regulatory change.