How data governance can support data privacy compliance
GDPR. CCPA. What’s next? Data privacy regulations are just starting to take hold. As of the end of 2018, we’re over 6 months past the GDPR deadline, and barely a year away from the California Consumer Privacy Act. Many companies are still analyzing and formulating their approaches to these new regulations. A recent survey by the International Association of Privacy Professionals notes that more than 50 percent of companies estimate that they are not yet compliant with the GDPR.
However, these regulations are part of a growing desire by consumers to ensure that organizations take more care with their data. Their impact is global and real, and more will be enacted, by additional states (Georgia?) or even at the federal level.
The first major GDPR fine was Google’s $57 million fine from the French data authority, which Google plans to appeal. The regulator laid out two areas in which Google was failing to meet GDPR standards:
- Information relating to what data was being collected, why it was being processed and how long it would be stored was not easily accessible, sometimes requiring five to six steps for users to locate. Once located, information was not always presented in a clear or comprehensive manner, inhibiting user understanding of Google’s processing operations for ad personalization.
- Consent obtained from users for data processing was not sufficiently informed and was not “specific” or “unambiguous.” Users were not aware of the extent of data processing, and consent was not obtained for each distinct processing operation.
Many fines related to GDPR have since been levied. Some are related to data breaches. Others are more concerned with how data is managed and used. For example:
According to The Privacy Adviser on January 3, 2019, the first GDPR fine in Portugal was issued against a hospital for three violations. The first was a violation of the minimization principle, allowing indiscriminate access to an excessive number of users. The second was a violation of integrity and confidentiality as a result of the non-application of technical and organizational measures to prevent unlawful access to personal data. The third was the non-implementation of technical and organizational measures to ensure a level of security adequate to the risk.
These new laws and ensuing fines have exacerbated the need for enterprise-wide regulatory compliance from a data privacy perspective. A data governance operating model enables many aspects of regulatory compliance and should be considered part of the overall solution.
The good news
These data privacy regulations make it possible for your organization to wind up in a better spot, forcing business and IT to work together to ensure “privacy by design” and “data protection by default.” These are basic good practices that many companies have ignored in their growing need for data. As a result of these regulations, companies now need to make the effort to better understand what data they have and how it’s being used.
Ensuring compliance with data privacy is also good for business. Organizations need to demonstrate to customers that they are good stewards of their data. Organizations that cannot demonstrate proactive data privacy, or that actually are fined as a result of these regulations, are likely to lose customers. An overt concern for data privacy can become a solid selling point for data-heavy organizations.
Under GDPR, data subjects can ask for the details of any information you have on them. They can ask that you pass along their data to another organization, or even that you permanently delete their personal information, particularly when you no longer have a defined need for it. Companies will need to show that they are in full control of their data and data practices, and that they understand where data comes from, where it resides, who uses it and why, and where it goes.
What makes these new laws so challenging is the expanded definition of personal information. It now includes data such as photos, GPS location data, social media user names, IP addresses, biometrics, etc. It also covers all data types: structured, semi-structured, unstructured, online, nearline, offline, digital, physical, etc.
The more data organizations deal with, the more challenging it will become to figure out ownership, control and management of any given bit of personal data. The growing abundance of self-service data management and manipulation and the associated silos of data throughout an organization will make this task even more challenging.
Below are some of the primary steps that should be taken to ensure data privacy readiness from a data management perspective. Each of these can be managed much more effectively with a data governance capability in place.
An effective starting point is to build a comprehensive data inventory and data map that identifies all of the necessary criteria. While this effort can seem to be an arduous endeavor, putting a data inventory in place should be one of the first efforts when working toward compliance. The inventory needs to be approached from both a top-down (interviews/surveys) and a bottom-up (systems/applications) perspective. This is because organizations will need to develop an understanding, not just of the data and where it resides, but who uses it, how it’s used and how it relates to business processes.
Some of this information can only be captured through interviews and working sessions and needs to be complementary to any technical inventories. A data governance capability can facilitate these inventories by leveraging data owners and stewards, who should be data SMEs for their particular areas of expertise, and by capturing all of this information as business and technical metadata, tagging and mapping it to business processes, systems, etc.
As part of data privacy compliance, organizations need to be able to demonstrate that they know what data they have and are able to manage it throughout the data life-cycle. The data life-cycle is defined in many ways. To put it simply, data is (1) created, (2) stored, (3) used, (4) archived or destroyed. Data governance facilitates the development of policies, standards and procedures to support this life-cycle.
For example, data domain owners or specific policy owners, in collaboration with appropriate areas of the company (risk, legal, compliance, etc.) can define policies on data storage, data architecture, data standards, data quality, data classification, data access, data use, data sharing and data retention (to name a few!), and relate these policies to data privacy accordingly. The data governance office can then work with the data domain owners or policy owners to identify the appropriate monitoring processes and metrics once these policies have been implemented. Without a data governance operating model, coordinating these requirements and ensuring compliance is a complicated endeavor.
A multi-factor risk scoring approach, based on requirements, data categories and classification, as well as measures associated specifically with the data (access frequency, user activity, proliferation, volumes, etc.), will then enable risk-based prioritization of any data privacy related issues and gaps.
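The following is an added example, not code from the original article or from any product it mentions. It shows how the data inventory described above (owner, system, business process, personal-data categories, classification) and the multi-factor risk score can be combined so that privacy gaps come out in a prioritized order. The category and classification weights, the bucket thresholds, and the three inventory records are constructed assumptions; a real program would set the weights together with legal, risk and compliance.

```python
"""Toy data inventory with a multi-factor privacy risk score.

Added example; not from the original article. Every weight, threshold and
inventory record below is a constructed assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Weight per personal-data category (constructed). Special categories such as
# health and biometrics score highest because the regulatory exposure is highest.
CATEGORY_WEIGHT = {
    "identifier": 2,         # name, e-mail, account id
    "online_identifier": 2,  # IP address, social media user name
    "location": 3,           # GPS data
    "biometric": 5,
    "health": 5,
}

# Weight per internal classification label (constructed).
CLASSIFICATION_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class DataAsset:
    """One row of the data inventory: top-down facts (owner, business process)
    plus bottom-up measures pulled from the system that holds the data."""
    name: str
    system: str
    owner: str                      # data owner / steward; "" if nobody is assigned
    categories: List[str]           # personal-data categories present
    classification: str
    record_count: int
    access_frequency_per_day: int
    distinct_users: int
    copies: int                     # proliferation: how many systems hold a copy
    retention_days: Optional[int]   # None = no retention policy defined
    business_process: Optional[str] = None


def volume_bucket(record_count: int) -> int:
    """Bucket record volume into 0..3 so one huge table cannot swamp the score."""
    if record_count < 1_000:
        return 0
    if record_count < 100_000:
        return 1
    if record_count < 10_000_000:
        return 2
    return 3


def governance_gaps(asset: DataAsset) -> List[str]:
    """Policy and inventory gaps that a data governance office would action."""
    gaps = []
    if asset.retention_days is None:
        gaps.append("no retention policy")
    if not asset.owner:
        gaps.append("no data owner assigned")
    if asset.business_process is None:
        gaps.append("not mapped to a business process")
    return gaps


def risk_score(asset: DataAsset) -> dict:
    """Additive multi-factor score: sensitivity, classification, volume,
    exposure (users and access rate), proliferation and governance gaps."""
    category = max((CATEGORY_WEIGHT.get(c, 1) for c in asset.categories), default=0)
    classification = CLASSIFICATION_WEIGHT.get(asset.classification, 0)
    volume = volume_bucket(asset.record_count)
    exposure = min(asset.distinct_users // 10, 3) + min(asset.access_frequency_per_day // 100, 3)
    proliferation = min(max(asset.copies - 1, 0), 3)
    gaps = governance_gaps(asset)
    total = category + classification + volume + exposure + proliferation + 2 * len(gaps)
    return {"name": asset.name, "category": category, "classification": classification,
            "volume": volume, "exposure": exposure, "proliferation": proliferation,
            "gaps": gaps, "total": total}


def prioritize(assets: List[DataAsset]) -> List[dict]:
    """Highest-risk assets first; this is the order for the action plan."""
    return sorted((risk_score(a) for a in assets), key=lambda r: r["total"], reverse=True)


# Constructed sample inventory (three records, not real systems or data).
SAMPLE_INVENTORY = [
    DataAsset("patient_records", "EHR", "Clinical data steward", ["identifier", "health"],
              "restricted", 250_000, 400, 120, 3, 3650, "patient care"),
    DataAsset("marketing_leads", "CRM export", "", ["identifier", "online_identifier"],
              "internal", 40_000, 20, 8, 5, None, None),
    DataAsset("mobile_app_telemetry", "analytics lake", "Product analytics lead",
              ["location", "online_identifier"], "confidential", 12_000_000, 1500, 35, 2, 400,
              "app performance monitoring"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        print(f"{row['total']:3d}  {row['name']:<22} gaps={row['gaps']}")
```

Run as a script, the three records come out as patient_records (18), mobile_app_telemetry (15) and marketing_leads (13). The score is deliberately additive and bucketed so that each factor can be explained to a data owner; the gap list travels with the score so that the lowest-scoring asset, which here is the one with no owner, no retention policy and no process mapping, still surfaces the policy work the governance office needs to do.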
The inventory, policy assessment and risk clarification will all lead to an action plan that will be needed to ensure compliance. There will be gaps that need to be addressed. Some of these can also be enabled through a solid data governance program. For example, consider master data management for identification of individuals and for management of consents. Consider data quality management to enable visibility into the accuracy of personal information. Both of these capabilities leverage data stewardship and tools to ensure appropriate business rules are defined, implemented and monitored on an ongoing basis.
Data governance specializes in areas such as metadata, data quality management, master data management, policy management and data life-cycle management. Developing a data governance operating model and structure will provide the appropriate roles, responsibilities and accountability, as well as the appropriate governing bodies, to identify, document and better understand the data environment and landscape. Developing the accompanying data framework through data governance can then enable the needed visibility, risk analysis and controls.
In addition, the data governance office can develop training and ensure that documentation resides in the data governance knowledge base. Organizations that already have a data governance capability in place have a solid head start and can leverage it to facilitate many aspects of data privacy compliance. Organizations that don't have one will find that it is becoming more and more of a necessity for any organization that plans to continue to leverage and optimize its data to grow its business.
This article was written by Nancy Couture and originally appeared in cio.com from IDG