I was recently interviewed for an article on Data Governance & Privacy for a number of periodicals, including Info Risk Today, on “Data Governance: How to Tackle 3 Key Issues: The Importance of Accountability, Data Inventory, and Automation.” Below is the full text of my interview for additional context.
With privacy law getting stronger by the day, it has become all the more important for companies to know where the data lies. The problem is not new but I am not sure if companies have been able to find a solution to this. What are the two main challenges of data governance?
While global privacy regulations like the GDPR and CCPA have greatly impacted contemporary data governance discussions, enterprise projects, and software solutions, we often forget that privacy itself is far from a novel concept and, in fact, one with deep roots in centuries-old ethics and social mores. What’s different now, or even from twenty years back, and what does that mean for data governance today?
The truth is that many companies have had to comply with at least some privacy requirements for decades, but the ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and, in some sense, reclaim ownership of that data. That’s a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with, especially since IT infrastructures and dependencies change quite rapidly. So the question becomes: how do we build data governance rules that can keep up with these nuanced laws and demands while still supporting the greater needs of the business? The severity of fines and reputation damage from non-compliance has forced us to sit around the table and try to find the right balance between risk and reward. I think ultimately privacy-by-design as a fundamental aspect of enterprise architecture will bring needed order to some organizations despite handicapping them in the near term.
The second challenge is also privacy related, but in terms of exposure, much more consequential. Data breaches and ransomware have inundated infosec teams, and exploiting poor data governance models is routine for hackers. Most breaches obviously originate with end-users, but the protection, encryption, anonymization, etc. of private data sets requires thoughtful and strict data governance to sustain disruption. How do we meet that high bar and also provide a seamless customer experience? That’s a work in progress.
How have you approached these challenges? Can you walk us through the process?
We try to spend as much of our time understanding the regulatory environment our client is subject to as we do understanding their risk tolerance. You can always look for a baseline in terms of a particular set of laws, but often a best-practice approach makes more sense in the long run. I think a solution needs to be proportional to an organization’s true risk, and while it must meet certain standards, your compliance professionals, data fulfillment service teams and IT support must be able to work with each other and speak the same language. It’s not as simple as throwing together a data map. This is, to your previous question, a challenge because the stakes are now much higher and teams must now not only support each other’s requirements but go farther in understanding and appreciating the very nature of those rules. It’s not just collecting the metadata; it’s understanding the relation of the attributes not simply from a database perspective but from an ethical one. This is a convergence of law and technology that requires true cross-functional teamwork, where each stakeholder must respect and value the contribution of his or her colleague. It’s just not enough to know your little corner of the universe anymore. At Compliance & Privacy Partners we aim to facilitate discussions that enable that synergy and eventually support change management goals.
What did you discover during this journey? Where are most organizations missing the mark?
As far as privacy goes, and despite its long history as a basic component of ethics and law, most groups still haven’t understood you can’t just throw bodies and technology at something like this. The specialty is too new and the laws are in many cases too vague to leave it up to a project manager, a lawyer, a vendor, and an enterprise architect. I’m seeing a lot of companies try to check off details of regulations without understanding exactly how they fit together. What ends up happening is a whole lot of talk, a whole lot of capital spend and very little result. Companies have to take a step back. The smartest know they need to bring somebody in who can provide an overview and roadmap for their particular challenges and then take next steps. That planning is what’s really going to set up their in-house teams and leaders for long-term success.
What would be your advice to your contemporaries?
From my perspective, it would be to actually value privacy, not just as a consumer yourself, but as a smart business decision. Customers want companies they can trust and who provide solutions that help them solve their problem, but also don’t exploit their data. Do unto others, as they say. I think building a culture that can internalize that as a golden rule will be transformative and lead to better data governance across the board.
Rafael Moscatel, CIPM, CRM, IGP, is the Managing Director of Compliance and Privacy Partners. He has developed large-scale information management, privacy and digital transformation programs for Fortune 500 companies such as Paramount Pictures and Farmers Insurance. His latest book, Tomorrow’s Jobs Today, is available soon from John Hunt Publishing. Contact him at www.capp-llc.com or follow him on Twitter @rafael_moscatel.