Data governance -- balancing security against risk [Q&A]
Data is the lifeblood of businesses, but managing it effectively and keeping it secure presents some significant challenges.
How do you ensure that you have the latest information for example? And how can you be certain your compliance procedures are up to date?
We spoke to Michael Queenan, CEO and co-founder of data governance specialist Nephos Technologies, to find out more about the problems and what needs to change.
BN: Why has data governance become such a headache?
MQ: Effective data governance empowers organizations to make major improvements across a wide range of key operational and performance issues, from data integrity and accuracy to compliance, decision-making and bottom-line growth. Done well, the impact can be truly transformative, enabling leaders to act with new levels of insight and confidence.
All too common, however, are the experiences of organizations and their data governance teams who see their efforts frustrated by software tools that promise much but deliver relatively little. The result can be delayed or even failed projects and a reluctance to reinvest in the process for fear of repeating the same mistakes. This can have a knock-on effect on the ability of organizations to effectively address data governance and derive tangible business benefits from their efforts.
BN: How can you ensure you know what data you hold and extract value from it?
MQ: When it comes to data governance, the most common mistake organizations make is to immediately focus on governance outcomes without first addressing the need for effective data discovery and classification. For example, teams with the responsibility for delivering data governance will often assume that there are tools out there that can be given access to data sources to analyze and identify governance violations instantaneously. In reality, this process is impossible without understanding what you are looking for in the first place.
It's vital that data governance best practices should first define what data classification looks like for each unique situation. Customer data, for instance, will be held in different locations and databases in every organization. Whether it's public, private, confidential or restricted, good governance is only possible if this data is correctly identified and classified. From that point onwards, it becomes practical to apply gap analysis to understand whether there are violations, such as restricted data sitting on public sources. Without it, any attempts at data governance cannot hope to succeed.
BN: How can you be confident that you're not falling foul of compliance regulations?
MQ: Managing data to ensure regulatory compliance is one of the most important outcomes data governance delivers. A business may have to meet legal responsibilities about how they collect, store, and process personal data, and non-compliance could lead to huge fines under regulations such as GDPR or CCPA. If the business becomes the victim of a hack or ransomware, the consequences in terms of lost revenue and lost customer trust could be even worse. Data governance enables organizations to meet compliance regulations by defining who within an organization has authority and control over data assets and how those data assets may be used. It establishes the methods, responsibilities and processes to standardize, integrate, protect, and store corporate data.
BN: Are current data protection laws fit for purpose? What needs to change?
MQ: Absolutely not! There needs to be specific data governance / data privacy law legislation that covers the responsibilities of companies as to what they're permitted to use your data for. GDPR is great, but it’s just a framework. It doesn't tell organizations what they can and can't do and it certainly doesn’t have the end users' best interests at heart. It just says organizations get to decide what they do, as long as they record that they're processing.
BN: Do we need to move to a new model where individuals take more responsibility for their data?
MQ: One of the biggest issues facing society today is personal data privacy, and who owns and controls it. Currently, the onus of responsibility on how to use, protect, sell and leverage our personal data lies with big companies and government institutions. That needs to change. Data privacy should be similar to where permissions management/access is moving to, which is a 'least privilege' model. It should be down to the individual what they share, and also how much. If one application just needs a name and address, it should not be necessary to share date of birth or medical history, for example. I hope we will see a shift to consumers owning their own data and only giving access to the people that need it, when they need it. That might be a long way off but needs to be the direction that is taken in the UK and elsewhere.