Data Governance: How to Tackle 3 Key IssuesThe Importance of Accountability, Data Inventory and Automation
The European Union's General Data Protection Regulation, the California Consumer Protection Regulation and other laws are forcing more organizations to improve data governance as they strive to comply.
See Also: Move Beyond Passwords
Three key emerging governance challenges are: defining who is accountable for privacy within an organization; identifying where all personally identifiable data resides so it can be protected; and applying automation to help respond to consumers' requests, such as for an accounting of their data that an organization stores.
Here's a closer look.
Challenge: Defining "ownership" of data privacy responsibility is essential to ensure accountability for privacy protection, says Subhajit Deb, CISO at Dr. Reddy's Laboratories, a global pharmaceutical company based in India.
"There is no clear ownership or data owners defined in many organizations," Debs tells Information Security Media Group. "The most common phenomenon is to have IT assigned as the owner - as opposed to the business. Due to the lack of defined roles such as data owner, data custodian, data steward etc., the accountability of data governance and handling is somewhat misplaced."
Solution: Some security practitioners argue that larger organizations should designate different accountable parties for protecting the privacy of customer, product and financial data - or even designate those in charge in each region. But organizations need someone at the top of the chain, such as a chief data officer, so that federated ownership can be kept in check, Deb says.
Deb has also implemented a RACI - responsible, accountable, consulted and informed - matrix that helps him assign data owners.
"So respective business units or their heads own the data and the accountability," he says. "For instance, IT is the data custodian, assurance functions are the data governors and so on. That way, an entire RACI matrix is built for every application, platform and data we process internally."
Roadblocks: One of the major roadblocks in the data governance process is the problem of shadow IT, Deb says. Shadow IT is where development happens either in-house or through an outsourced partner without the supervision and governance of the IT InfoSec and privacy teams.
"When this happens, there is no control or ownership on the data by the assurance functions. Hence, all the data governance controls fail. The problem is the security team loses visibility of the digital asset created. You wouldn't know what data is being processed, how and where they are stored, if its lawful processing, if purpose is limited and if it's being used for a secondary purpose as well," Deb says.
Hence, shadow IT remains a primary hurdle in data governance. Development and processing can occur with no oversight from data privacy thus leading to a wide gap," Deb says. Also there are limited data processing controls at a vendor's location where the oversight is minimal, he adds.
"A data owner can outline the processing levels and impose restrictions only when they know what's being created. Shadow IT is a complete blind spot," Deb says.
Advice: It can be cumbersome to handle all this at once, Deb says. "You have to prioritize which issues to handle first in data governance. So a lens of prioritization is a must."
Conducting a Data Inventory
Challenge: With information constantly being added, few organizations have an accurate picture of all the PII they store, says India-based Patrick Pitchappa, former head of information security at BNP Paribas, a French International Banking Group. And data cannot be protected until it's inventoried.
Solution: Organizations must identify all of their repositories of data, Pitchappa says. "It is important to know that sources of repositories are usually the various applications of an organization," he says. "Most, if not all, applications would usually write into a database. "The primary focus of a company should be to have an accurate inventory of their databases at various departments, such as finance, customer service/relations, HR, operations, etc. If an inventory doesn't exist, a CMDB [configuration database management] must be built ASAP."
Roadblocks: Too many organizations neglect to launch "data minimization" efforts to limit the information they store. "Sometimes applications and processes are too cumbersome to be modified to reduce data intake," Pitchappa says. "Data minimization remains a challenge most organizations need to find a solution for."
Advice: The solution is to use a "privacy by design" model applied in all steps of PII data processing, Patrick says. All data processors, including third parties, needs periodic audits and supervision to ensure consistency of data governance controls and practices," he says.
Challenge: Applying automation enables organizations to better respond to consumers' requests, such as for an accounting of their data that an organization stores, as required under certain regulations.
But organizations face a significant challenge "accelerating automation to cover the vast inventory of data across different geographical locations, systems and clouds, says Boston-based Stephen Gatchell, head of data governance at Bose Corp., an audio equipment company. As part of conducting an inventory, organizations must track data lineage, identify where personal information resides and categorize confidential information and business metadata, he says.
Solution: "There has to be enough resources dedicated to ensuring compliance that crosses key disciplines of information security, privacy, legal, and data stewardship," Gatchcell advises. "We also have to develop processes that embed privacy review, security review and data management."
All organizations need to form a data governance team that includes business as well as technical experts, he recommends.
Roadblocks: "The problem is most companies want to have all data governance capabilities at once. They take on too many use cases by trying to build processes and capabilities," Gatchell says. "The use case value delivery cycle is too long, and stakeholders tend to lose their focus.
Too many organizations miss the mark by starting with analytics, artificial intelligence, machine learning, and data science rather than first understanding their business needs and their data maturity level, he adds.
Advice: Gatchell advises organizations to devise ways to quickly deliver value. "Develop capabilities that can deliver value for use cases vs. waiting a year to develop all capabilities before executing use cases," he says. "For example, if a data glossary delivers value, then develop that capability and deliver it vs. having all data governance capabilities at once."
Shift in Concept of Privacy
Privacy requirements have changed dramatically as a result of GDPR and CCPA, says Rafael Moscatel, managing director at Compliance and Privacy Partners, a California-based consultancy.
"The ease of digitally storing and monetizing personal information has now run up against the rights of consumers to access and in some sense, reclaim ownership of that data," he says. "That's a paradigm shift that introduces a number of logistical burdens that some organizations, even relatively new ones, are not prepared to deal with."
Moscatel says organizations need to identify and adopt appropriate privacy best practices.
"A solution needs to be proportional to an organization's true risk, and while it must meet certain standards, your compliance professionals, data fulfilment service teams and IT support must be able to work with each other and speak the same language. It's not as simple as throwing together a data map," he says. "It's not just collecting the metadata; it's understanding the relation of the attributes not simply from a database perspective but from an ethical one."