What Lives Between Data Privacy and Data Governance? Better Compliance
How building a proactive data governance program can address imminent privacy regulations
Data is powerful. It’s used by organizations to make better business decisions, streamline operations, and reduce overall operating costs. Many of today’s Fortune 1000 companies transformed their business by embarking on a digital journey that aligned data as their most valuable asset.
Of course, things that are valuable need to be protected. Data has the power to be transformative because it often contains sensitive information that could bring harm to the individuals it concerns.
Chief Privacy Officers (CPOs) face new regulatory requirements for protecting and reporting on that sensitive data, which has created an urgent need for companies to better manage their data assets in the first place. Previously unregulated organizations are enhancing their data governance programs to address this need. As part of that effort, it’s necessary for CPOs and CDOs to collaborate more efficiently to manage, protect, and report on their organizations’ data.
The GDPR and CCPA wake-up call
With the recent adoption of the General Data Protection Act (GDPR) and the California Consumer Privacy Act (CCPA), U.S. privacy regulations reached beyond the previously regulated sectors of finance, health, and children’s data to specify that any organization processing “personal data” or “personal information” (PI) must meet new compliance standards in their data practices—or submit to costly fines.
With data privacy under the spotlight and regulations evolving across the globe (as of this writing, 61 countries have privacy regulations in consideration), data-driven organizations are getting more strategic and forward-thinking about their data governance. Companies can no longer afford to treat each new privacy regulation as a standalone project or spend hours manually collecting and aggregating data for custom reporting on individuals. They need the right solutions to operationalize and automate their data assets at scale.
Unveiling the blind spot of data governance
Enter data governance and the role of the Chief Data Officer (CDO). Data governance is the management of the quality and integrity of data across an organization. It ensures that there is consensus and truth in the data, and that it can be relied on to be accurate and complete for all functions in an organization.
The CDO is responsible for executing on the activities necessary for managing data and for shaping the data policies and data sharing agreements. For any organization that collects and processes customer, employee, or business-sensitive data—and wants to ensure that data remains as accurate, complete, and “true” as possible—the CDO can be the CPO’s best friend. And in just about every organization, there’s a growing need for them to work together to achieve ongoing compliance.
As things stand, companies (especially those outside of previously regulated sectors like health and finance) may have gaps in their existing data management programs. These organizations either lack historical knowledge and documentation on the full breadth of their data assets, or that data is spread out across a diverse technological landscape. Plus, the sheer amount of metadata that is generated on a daily basis can create issues in efficiently fulfilling requests (including data subject access requests)—and that can only be fixed by addressing data governance.
Governance gets its day
Properly managed and governed data can support all of the organization’s business functions, including data privacy management.
So, while privacy regulations may be the catalyst, it turns out that one solution for achieving compliance comes down to the responsible handling of data. For many companies that have previously failed to build a sustainable data program, data governance is enjoying a moment in the spotlight. This is thanks to funding devoted to GDPR compliance and the game-changing formalization of data processing the regulation essentially demands.
The legal language surrounding these regulations fails to capture the complete and holistic picture of what governing an entire organization’s data assets looks like. For example, data discovery of personal information under CCPA is only a small portion of data governance activities. Data found near personal information (a.k.a. proximity data) expands the type of data that needs to be catalogued and categorized for further documentation on its availability, usage, and context.
Proximity data can include an IP address for a person, related health records, and even cookie settings, for instance. Since these expanded data sets also need to be included in the governance program specific to CCPA, a proactive approach is to build a flexible and expansive data program that can proactively prepare for various privacy-related reporting requirements.
Overall, organizations must make the best use of limited resources in order to support a variety of requirements. This translates into building a mature framework with repeatable and efficient processes that quickly respond to new—and sometimes conflicting—regulatory requirements.
When privacy and governance work together
There are several methods that privacy and data officers can use to create defensible programs for responding to imminent regulatory and privacy threats.
Define and Classify.
The most important focus should be on building a data foundation represented by discrete building blocks of data elements. These attributes include, but are not limited to:
- definitions
- purpose of use
- business rules
- business and data controls
- business processes
- data quality rules and scores
- risk impacts
- an ownership matrix
In addition, a data catalog is an inventory of available data and associated attributes, including classification, which describes data settings as confidential, sensitive, internal, and so on.
- For the data governance officer: This identifies how to treat data that is classified as confidential for access level or even the prioritization of governance projects.
- For the privacy officer: This helps spell out the risk associated with processing activities involving that data.
Tagging
The second data governance method for privacy regulation is the inclusion of a category in the data catalog.
- For the data governance officer: This attribute describes the purpose of usage for the data.
- For the privacy officer: Both GDPR and CCPA mandate that an entity must describe the purpose for how that data is used.
Identify data lineage.
The third method that aligns governance and privacy together is documenting how data flows from upstream to downstream.
- For the data governance officer: Data lineage documents and illustrates the full end-to-end journey of a data element, starting from the “authoritative” source that created the data to downstream sources and applications that store it, display it, or both.
- For the privacy officer: This reveals the original data source or provenance of where the data is collected, and its lifecycle throughout the business.
Full compliance, real insights
Any entity that processes data must do so in a responsible manner that puts the data of its customers and employees first. Data privacy and governance form an important intersection where that can happen—and where countless opportunities to address regulatory compliance live. While privacy may be the financial and regulatory impetus for a company’s decision to better evaluate its data assets, a solid data governance program can serve as the bedrock to manage and protect those data assets.
As such, it’s crucial that CDOs and CPOs collaborate effectively and frequently to develop new internal processes and procedures that efficiently manage, protect, and report on data. Organizations can implement technology software to map both structured and unstructured data, operationalize and automate all data holdings, eliminate duplication of data, manage breach investigations, and assist with required reporting activities.
By taking a bottoms-up approach to data, the CPO and CDO together can create a defensible privacy framework that not only puts its business into full compliance, but also provides value by creating real insights derived from data.