Background:
In September 2019, a group of 100 data leaders from respectable NY financial institutions were asked whether they’d heard of the General Data Protection Regulation (GDPR – the far-reaching European law governing how EU citizens’ personal information is handled around the world); 5 hands went up. When asked a follow-up question – how many had heard of the California Consumer Privacy Act (CCPA) – 2 hands went down.
On December 26, 2019, CNN published a story explaining why consumers are all of a sudden receiving so many privacy notices. The article summarizes CCPA and explains, at a high level, the events that led legislators to pass the law.
Over the summer, a small group of CFOs were interviewed; they felt that GDPR is a mess, that readiness was a waste of money, and that compliance is being addressed by “someone else”.
Problem statement:
Companies want to increase the degree to which they store and process personal information, but in an effort to protect the rights of individuals, lawmakers are seeking to reduce the number and severity of incidents by imposing regulations.
Companies are making big investments in initiatives to take advantage of the transformative potential of data. This covers an incredible array of opportunities, from simply using data and analytics to enrich their products and services, all the way to inventing algorithms to mimic human thinking to improve the lives of millions.
The initiatives all have one thing in common: they depend on high quality data. Vast amounts of it. Increasingly pertaining to people. Companies are building systems that pull together and combine data from a myriad of sources – internal and external.
Breaches are happening – bigger and more impactful. In 2019, records containing personal data were being stolen at a rate of over 15,000,000 per day. The consequences to organizations are significant – financial and reputational. Regulators are stepping up their actions, conducting investigations, and imposing fines. Companies are having to pivot to correct issues and address new requirements reactively, because many have failed to implement a data management framework that can efficiently adapt to regulatory changes.
Many companies don’t have a prominent leader assigned responsibility for privacy – a Chief Privacy Officer (CPO) or equivalent. Privacy is managed by legal or compliance groups as an adjunct to operations. As a result, the people doing the day-to-day business of the company are not aware of their privacy responsibilities. So is it any wonder that companies are mishandling personal data?
It’s time to act
More to the point, it has been “time to act” for some time. The regulatory requirements around data privacy are not going to get simpler, and companies should consider implementing an operational framework, with appropriate tools, that enables them to adopt new requirements in a time- and cost-effective manner.
An effective program to enable business to use data while also managing risk and ensuring compliance must reflect 3 interlocking components: Privacy, Data Governance and Risk Management. Together, they can protect an organization while serving as a catalyst to accelerate forward.
Privacy
Most companies have a Privacy compliance program. However, the informal poll referenced above revealed that privacy compliance is not embedded in the data programs. This gap is very significant, since provisions of the laws speak very specifically to the plans data scientists are pursuing. The result is that certain initiatives will have to slow down or get re-tooled.
And it’s not just data science teams who are dangerously disconnected. Data science is probably a key area where data is being handled outside the boundaries set by the regulations (kept and processed for purposes beyond why it was collected, for example), but the breaches are mostly tied to weak controls on the operational side of companies – ranging from how and where it is tracked and stored, to how it is processed or disclosed for business purposes.
“Privacy by design” has eluded organizations since it was first envisioned in 1995, in part because it is frequently promoted by an under-resourced parallel organization trying to apply one-size-fits-all techniques. It doesn’t have to be like this. Privacy programs can be structured to bridge to data users in a foundational sense, where privacy obligations are taken into account throughout project or operations lifecycles. Risk goes down.
Addressing the challenge begins by assessing the current state of the privacy program against a privacy template or framework, such as the latest draft NIST Privacy Framework, and creating a gap analysis. The framework is useful because it breaks down the objectives of a privacy program in a way that aligns with both regulations and the way organizations use data. To be fair, the full Framework can be overwhelming for many companies – especially those not familiar with the NIST Security Framework, on which the Privacy Framework is based. But this can be addressed by first distilling the NIST framework down to a more manageable version that still preserves the key elements.
The gap analysis forms the basis for discussing how to enhance existing privacy efforts to achieve compliance in a deliberate, sustainable, pragmatic way. If done right, it can be scaled – whether down to a small privacy team of, say, 2-3, or up to a full enterprise-level team. This also allows a more focused approach to address specific pain points, including:
- Compliance with GDPR or CCPA, which might range from early stage assistance, to specific process solutions (e.g., data subject access requests, data inventory upkeep, privacy-by-design, training and awareness, etc.)
- Consideration for placement of the program, to integrate into company culture; companies are struggling with where to assign privacy, if not in Legal, and it’s landing with the CISO, who often needs help getting ramped up
- Operationalizing Privacy, making the program resilient and sustainable, incorporating activities such as:
  - Strategic oversight and stewardship, including obtaining executive and Board support
  - Monitoring for legislative changes
  - Updating and implementing policy
  - Risk assessment
  - Process and control documentation and testing
  - Integration with business and IT change management
  - Incident management, escalation and resolution
  - Vendor management
  - Contract review
Data Management
Data programs are a high priority for CEOs – over 95% believe that leveraging data is key to continued success and to defending against external disruption. Yet Gartner concludes that 85% of data projects fail. How is this possible? Oftentimes, data initiatives are launched without implementing basic management and governance techniques. Objectives are not defined at the outset, and C-levels and the Board aren’t clear on what they are asking for, and may not understand the path to get there – or the cost.
Introducing data management and governance discipline to create the data equivalent of “scientific method” can dramatically reduce risk and increase the chance of success. Many companies – especially those in regulated industries – have records management programs that can be adapted to provide a management framework for data to be leveraged for monetization or through analytics or AI initiatives.
The value proposition is to implement sufficient management and governance activities to:
- Provide transparency and accountability into the program, including ethics and legality
- Ensure that data is handled in a way that doesn’t violate compliance obligations, whether contractual or regulatory
- Provide shared-service capabilities, including inventory, procurement, tracking and disposition
- Create logical interfaces and touch-points into privacy, security, internal audit, compliance and legal programs
- Expose the relative value and sensitivity of data to enable proper risk and threat management, in collaboration with others, such as a Chief Information Security Officer
The triggers and objectives are to close the gap between CEO expectations and the practical success rate of data projects.
Information Risk Management
In a metaphorical sense, data programs are taking the jewels out of the safe and passing them around. Handling high value assets by definition increases the risk of theft or breach, when compared to keeping them locked up. But they must be handled in order to derive value. Many companies have built information risk or IT risk management capabilities over the last several years; the question is how well they are tied into data initiatives or aligned with the way data is used. Given that 15,000,000 records are breached every day, one might suggest “not very”.
In the context of the increased use of data for market-facing benefit, information-related risk needs to be assessed in a more focused way. As a discipline, IT RM has created a good foundation; however, it frequently aligns with core IT processes such as strategy, architecture, change management, and security, and not with data.
Information risk management can provide a critical interface between a data leverage program and a privacy/compliance program. The techniques used to assess information risk result in key insights into the nature, relative value, uses and threats to information. This helps direct risk-mitigation resources to align with the risk. Specifically, it helps to recognize whether risk can be mitigated through, say, security controls, or whether the employee community needs tools that better align with their jobs (obviating the need for them to find their own solutions to business problems), or whether increasing awareness can help people make better judgements.
Companies should consider identifying, categorizing and managing risk by looking at initiatives through an information lens – as opposed to a technology lens. This changes the dialog with business stakeholders, which increases their understanding and appreciation of what could go wrong, what is acceptable residual risk, and the steps needed to bridge the gap.
As indicated, IT RM in the marketplace has achieved a level of maturity, and there are opportunities to adjust its scope and approach to more effectively identify and manage information-related IT risks, which, arguably, can help manage overall financial, regulatory and brand exposure for companies.
Summary
Companies are increasing their use of data at a tremendous rate – and they should. The opportunities to gain competitive benefit are exploding. But the risk and consequences of missteps are growing as well. By implementing data governance and integrating risk management and compliance in a pragmatic way, organizations can continue to explore the ways data leverage can provide benefits, while taking proportional measures against events that can impede progress.