Picture: How Decision Management Supports GDPR

A client recently asked how Decision Management and Decision Modeling support GDPR, “in a nutshell”.

I paused, considering my usual answer, perhaps something like:

Decision Management is a means of bringing a company’s business policies and decision-making ‘into the light’, making decisions an explicitly-managed, corporate asset, expressed in a standard, transparent format.


This explicit, transparent medium can be used to capture, analyze and communicate exactly how a company’s operations depend on key data attributes and business knowledge.


This is done so precisely that the result, the decision model, is actually executable.


As a result, it’s much more accurate at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional paper techniques like process/data mapping: the data dependencies of all your business decisions are directly traceable.

Instead I drew the diagram above, illustrating directly how the pillars of GDPR are supported by Decision Management. Sometimes a picture really does say a thousand words. But, if you are more interested in the thousand words, see below.

What is Decision Management

Decision management is a technique and technology stack that provides:

  • Transparency: renders business policy and operational decision logic transparent to business experts and analysts, for rapid improvement, by representing complex logic in standardized, easy to understand formats such as decision tables;
  • Business Orientation: makes operational business policies measurable and accountable to all stakeholders in terms of business performance indicators;
  • Agility: decision models are executable (but not code), supporting rapidly-evolving, model-driven definition of compliance needs;
  • Dependency Management: checks decision integrity and drives out all their data dependencies, confirming that decisions are used consistently and reliably and identifying all required data support;
  • Complexity Management: allows even the most complex decisions to be represented compactly without code.

As a result, it directly empowers any GDPR initiative by:

Understanding and Justifying Current Data Use

The GDPR Data Audit and Privacy Impact Assessment are directly supported by decision management, including ensuring you only process the data you really need and checking that this processing is lawful.

Decision management is a powerful technique for capturing, analysing and communicating, in detail, how a company’s operations depend on key data attributes and business knowledge. It’s much more effective at supporting a GDPR Information Audit or Privacy Impact Assessment than traditional techniques like process/data mapping because it helps you to identify which data is needed and which is superfluous, and to justify both, even when data dependencies are hidden within white-box predictive analytics. Decision management and modeling keep all stakeholders informed of the outcomes of this analysis.

Decision management also provides a formal background for assessing and labelling the sensitivity, criticality, accuracy, retention period, distribution constraints and timeliness needs for all data inputs as part of a GDPR PIA. It can document data sources and consent traceability.

Unlike paper process/data maps, decision models are executable. So the data dependencies they reveal always reflect what’s actually happening in your business systems.

Remediating Non-Compliance

Decision management is a powerful means of identifying, making and checking the data use changes mandated by GDPR.

Decision management also provides powerful impact analysis, so when non-compliant data use is discovered, or a subject requests restriction, the company can very quickly and accurately assess the scope and impact of the necessary changes to business operations. Because decision models are executable, these changes can also be rapidly deployed.

Servicing Customer (Subject) and Regulator Requests

Decision management and modeling can empower requests for policy information, erasure or portability.

Decision management facilitates the transparent and open capture, representation and execution of complex logic: decision-making (both general policies and specific case histories), customer profiling logic (including analytics), consent acquisition, retention policies, deletion policies, distribution constraints, production of portable data and expression of EU state-specific rules and variations (e.g., how to treat minors). All of this allows stakeholders, regulators and subjects to have a clear view of the company’s policies and its behaviours with regard to a specific case. The latter is most relevant to Article 22.

Testing and Maintaining Compliance

The open articulation of these business policies and the fact that decision management allows their effectiveness to be monitored also supports testing compliance and maintaining privacy. It allows for breach frequencies to be incorporated directly into an on-going measurement of the effectiveness of your approach.

Decision Modeling: The Bottom Line

Why should organizations model their important business decisions as part of digital transformation? We’ve been asked so many times to explain how our clients have benefited from decision modeling that we decided to capture it here. This article covers seven reasons to adopt decision modeling and summarizes the bottom-line benefits decision modeling has brought to companies that use it effectively.


How TDM Principles Inform Good Practice in DMN

Decision Modeling notations have been adopted by companies to improve the integrity, transparency and agility of their important business decisions. They facilitate the management of business decisions as a vital business asset.

Over the past eight years, Decision Modeling has been dominated by two standards: The Decision Model (TDM), defined by Sapiens Inc, established in 2009 and documented superbly in The Decision Model book by Larry Goldberg and Barbara von Halle; and The Decision Model and Notation (DMN), an open standard first defined by the Object Management Group (OMG) in 2013 and documented in books by James Taylor and Jan Purchase and by Bruce Silver. Both standards are in use and continue to evolve.

While James Taylor and I were collaborating on our Decision Modelling book, and discussing our experiences of using DMN after using TDM, we wondered: how does TDM experience inform good practice in DMN? What can newcomers to Decision Modelling and DMN learn from the earlier standard?

In short, a great deal.

We believe that new, and even experienced, Decision Modeling practitioners can benefit significantly from background knowledge of TDM. This article explains why and what these benefits are.


Integrating Business Decisions and Processes: Effective Collaboration of DMN and BPMN

Join us for this live presentation in picturesque Dublin to learn about the best practices and traps of integrating business processes with business decisions.

Why should organizations model their business decisions? What are the benefits of using DMN and BPMN to capture and define the logic of your business decisions and analytics within the context of a business process? How should you best split business concerns between the process and decisions and what are the pitfalls of interfacing the two? We will discuss all of these points.

This live presentation will examine how process and decisions work together and walk through real BPMN and DMN models from financial compliance, explaining how process and decisions have been integrated in projects. Learn proven best practices for overcoming key business challenges, including overly complex rules, improving ROI of expensive processes and agile migration to automated decision services.


Ruleflows Considered Harmful

For some time users of Business Rule Management Systems (BRMS) have used rule execution sequence as a means of binding together and orchestrating the rules in a set—providing a ‘top level’ view of their content. Nearly all BRMS products have enshrined this idea in the ‘ruleflow’ concept. In many of these products the creation of a ruleflow is seen as a standard step in packaging a rule set and many rule authors find it a natural activity.

We argue, using an example, that not only are flows rarely required, but that they are frequently harmful to the agility of a rule set, can introduce harmful and hard-to-find errors and can make rule sets difficult for business users to understand. Furthermore, users frequently misunderstand the goal of ruleflows and misuse them.

We show that there is an alternative to ruleflows that orchestrates rules (especially large rule sets) more effectively and is easier to understand—the business decision model.

How Decision Modeling Allows Business Rules to Scale

Experience has shown that sets of business rules, even those administered using Business Rule Management Systems (BRMS), become very hard to manage and understand once they reach a certain level of size and complexity. Although small, very tightly focused rule sets can be effective for simple business domains, large rule sets are challenging to create and even harder to maintain. Small rule sets that become large over time (scale up) present the most difficulty. They are at risk of collapsing under the weight of their own growing complexity or becoming the sole preserve of a small number of ‘gurus’ and ‘high priests’ who alone understand them—defeating a key objective of business rules.

In a previous article, I described how to overcome the challenges of maintaining business rules over a long period. But how can you manage the complications of rapidly growing rule sets: keeping them easy to understand, changing them safely without unintended consequences and avoiding ‘stale’ and duplicate rules? Here we show, by example, how Decision Modeling, used from the outset, can address all these problems, and we discuss in more detail the difference between business decisions and business rules.