In the case of GDPR, the result has been €1,050,559,202 from 755 fines since the regulation was introduced in May 2018.
For businesses looking to get more out of the data they collect through interactions with customers, this presents a challenge – how do they ensure they make use of the potential opportunities, without exposing data to risk (and themselves to major fines, along with the associated loss of trust and impact to reputation)? As a Deloitte report put it, fundamentally, they are looking for ways “to protect personal privacy while using data analytics to reveal new insights and innovation to advance progress.”
It is an issue made more complicated by what McKinsey refers to as “the patchwork nature of regulation. Requirements are very different from one jurisdiction or market to another.” This has led many organizations to apply more stringent regulations to their activities in multiple jurisdictions – for instance, companies that have activities that fall under the oversight of CCPA have taken steps to apply the same regulations to their data collection, storage and usage in other parts of the United States.
This approach is only likely to become more prevalent. Gartner estimates that by 2023, 65% of the world’s population will have its personal data covered under modern privacy regulations, up from 10% in 2020.
That is all well and good, yet even applying GDPR regulations to all aspects of an organization, whether it interacts with EU citizens or not, is easier said than done. Businesses have to be able to take external regulations and translate them into rules that their own operations can understand and align to.
In other words, organizations need to implement governance into their data.
Data governance and its role in regulatory compliance
While the exact definition will differ from one company to another, data governance is an approach to data management that allows an organization to organize its data so that it better understands how to handle that data and extract value from it.
Value in this context means opportunities that lead to better organizational outcomes without exposing personal information to risk. Data governance also has a role externally – many see it as being a necessary step to helping improve data sharing, which is often restricted by concerns regarding privacy and commercial sensitivities. The OECD said that addressing these concerns has created “a need for data governance frameworks to be coherent across economic sectors, society, and countries.”
How does data governance help businesses meet regulatory requirements? By establishing standards for both the creation and the use of data across the organization, data governance makes it easier for any entity’s data to be managed in a way that complies with regulation. In addition, having a standard approach to data built upon regulator guidelines makes it easier to comply with requests from those bodies, whether regular audits or one-off inspections.
Six steps for regulatory-approved data governance
What steps should businesses be taking to implement data governance that supports regulatory compliance? The same steps they would take to implement any form of governance.
1. Establish objectives: you need a clear understanding of what the objectives are. What regulations need to be adhered to, how are they policed, what audit information will be required and with what regularity?
2. Map assets: the proliferation of data means many organizations may not even realize what they are storing. By mapping it all, not only can you identify previously hidden pockets, but you will also begin to understand how much of the information you store is actually useful. Storing the rest can be a waste of resources, particularly when one considers that, as Gregory Vial, Assistant Professor of IT at HEC Montréal, noted in an article for MIT Sloan Management Review, “generating value with data is not about having lots of data on hand; it is about using the right data”.
3. Know the weaknesses: evaluate the risks that could lead to penalties and fines. By being able to align objectives with assets, you see where the holes in your operations are. Are you regularly collecting data that sits in a public cloud for days or weeks? Did an acquisition leave a whole customer segment outside a corporate firewall? Identifying weaknesses will allow gaps to be plugged before external parties find and exploit them.
4. Put controls in place: identify data controllers who will oversee the data governance framework and ensure all data is aligned with it. Many regulations require these data officers to be identified formally, acting as the first port of call for any matters relating to data regulation both in and out of the organization.
5. Make data the center of security: historically, enterprise security was about ringfencing assets and keeping bad actors out with firewalls. Nowadays, with data moving across environments and endpoints connecting all over the network, that castle wall approach is increasingly redundant. With data being an organization’s most valuable asset, security needs to pivot away from fixed walls to protecting data whether in transit or at rest.
6. Implement: with everything in place, now is the time to roll out the framework. With so much at stake, the implementation of data governance should be as rigorous as the external regulations it supports – rather than springing it on the organization, give teams time to prepare and to contribute to the best approaches to standardizing data, and build in a comprehensive communications and change management program to support the implementation.
Data governance – a shortcut to regulation relief and better business performance?
Regulation is a fact of life. Businesses that want to make the most of their data assets have to be law-abiding – the cost of non-compliance (both financially and in terms of customer trust) is only going to get worse. Data governance offers organizations a dual benefit – by designing it with regulations in mind, businesses can ensure their data meets requirements while improving the understanding and use of data across all departments. This, in turn, can lead to better business performance, exactly what everyone is looking for from their data.
Jon Evans is a highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men's interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.