Attitudes, actions around data privacy protections don't go far enough
In September 2019, a group of 100 data leaders from respectable NY financial institutions were asked whether they’d heard of the General Data Protection Regulation (GDPR – the far-reaching European law governing how EU citizens’ personal information is handled around the world). Five hands went up. When asked a follow-up question – how many had heard of the California Consumer Privacy Act (CCPA) – two hands went down.
Over the summer, a small group of CFOs who were interviewed felt that GDPR is a mess, that readiness was a waste of money, and that compliance is being addressed by “someone else.”
Organizations are making big investments in initiatives to take advantage of the transformative potential of data. This covers an incredible array of opportunities, from simply using data and analytics to enrich their products and services, all the way to inventing algorithms to mimic human thinking to improve the lives of millions.
The initiatives all have one thing in common: they depend on high quality data. Vast amounts of it, increasingly pertaining to people.
Breaches are also happening – bigger and more impactful. In 2019, records containing personal data were being stolen at a rate of over 15,000,000 per day. Regulators are stepping up their actions, and organizations are having to pivot to address new requirements reactively.
It’s time to act
More to the point, it has been “time to act,” but the regulatory requirements around data privacy are not going to get simpler. An effective program to enable business to use data while also managing risk and ensuring compliance must reflect three interlocking components: privacy, data governance and risk management. Together, they can protect an organization while serving as a catalyst to accelerate forward.
Increasingly, even though many organizations have a privacy compliance program, many don’t have a prominent leader responsible for privacy – a chief privacy officer (CPO) or equivalent – and privacy is managed by legal or compliance groups as an adjunct, or even an afterthought, to operations.
The informal poll referenced above revealed that privacy compliance is not embedded in the data programs, which is a dangerous disconnect. To be sure, data science is a key area where data is being handled outside the boundaries of the regulations (kept and processed for purposes beyond those for which it was collected, for example), but the breaches are mostly tied to weak controls on the operational side of companies – ranging from how and where data is tracked and stored, to how it is processed or disclosed for business purposes.
Addressing the challenge begins by assessing the current state of the privacy program against a privacy template or framework, such as the draft NIST Privacy Framework, and creating a gap analysis. The framework is useful because it breaks down the objectives of a privacy program in a way that aligns with both the regulations and the way organizations use data.
To be fair, the full Framework can be overwhelming for many companies – especially those not familiar with the NIST Security Framework, on which the Privacy Framework is based. But this can be addressed by first distilling the NIST framework down to a more manageable version that still preserves the key elements.
The gap analysis forms the basis for discussing how to enhance existing privacy efforts to achieve compliance in a deliberate, sustainable, pragmatic way. If done right, it can be scaled – whether down to a small privacy team of, say, 2-3 people, or up to a full enterprise-level team. This also allows a more focused approach to address specific pain points, such as:
- Compliance with GDPR or CCPA.
- Consideration for organizational placement of the program.
- Operationalizing privacy, incorporating activities such as:
  - Strategic oversight and stewardship
  - Managing and implementing policy
  - Risk assessment
  - Integration with business and IT change management
  - Incident management, escalation and resolution
  - Training and awareness
  - Vendor management
  - Contract review
Data programs are a high priority for CEOs – over 95% believe that leveraging data is key to continued success and to defending against external disruption. Yet Gartner concludes that 85% of data projects fail. Objectives are not defined at the outset, and C-levels and boards aren’t clear about what they are asking for, and may not understand the path to get there – or the cost.
Introducing data management and governance discipline to create the data equivalent of “scientific method” can dramatically reduce risk and increase the chance of success.
The value proposition is to implement sufficient management and governance activities to:
- Provide transparency and accountability into the program, including ethics and legality.
- Ensure that data is handled in compliance with contractual or regulatory requirements, including privacy.
- Provide shared-service capabilities, including inventory, procurement, tracking and disposition.
- Create logical interface and touch-points into privacy, security, internal audit, compliance and legal programs.
- Close the gap between CEO expectations and the practical success rate of data projects.
Information Risk Management
Handling high value data assets by definition increases the risk of theft or breach, when compared to keeping them locked up. But they often must be handled in order to derive value. As a discipline, Information RM frequently aligns with core IT processes like strategy, architecture, change management and security, rather than with data itself. So the question arises: how effective are these functions at helping to manage the risk of data loss? Given that 15,000,000 records are breached every day, one might suggest “not very.”
By realigning Information RM to explicitly focus on data, the function can provide a critical interface between a data leverage program and a privacy/compliance program. This helps direct risk-mitigation resources to align with the actual risk to data and optimize mitigation techniques.
Organizations are increasing their use of data at a tremendous rate – and they should. The opportunities to gain competitive benefit are exploding. But the risk and consequences of missteps are growing as well.
By implementing data governance and integrating risk management and compliance, organizations can continue to explore the ways data leverage can provide benefits, while guarding against events that can impede progress.