Meet the three amigos of data: Governance, privacy and security
The three slices of the data pie -- data governance, data privacy and data security -- are often lumped together -- but although they naturally overlap, there are crucial differences that are important to understand.
Let’s slice up the pie. First, there’s data governance. You can think of it as the cornerstone; the thing that holds everything together. If you have the right data governance in place for all your data assets then it's much easier to apply the right privacy and security controls.
Data governance: the nuts and bolts of your data strategy
Data governance is a blanket term for everything that goes on to make sure an organization or business looks after its data properly. This includes the strategic and tactical overview and operational roles, responsibilities and processes. Data governance ensures the quality and security of the data you use. It’s the who, what and how; it defines who can do what, based on what data, under what situations and using what methods.
Most companies have already evolved some form of governance for individual applications, units, or functions but it’s often on an informal basis. Establishing formal processes and responsibilities is the key to managing data flow, ensuring compliance and scaling up.
The benefits of a well-crafted data governance strategy include minimized risks, coherent policies, metrics and processes, and better implementation of compliance and enhanced data value.
Data Privacy -- why is it so important?
Data privacy is the second slice of the pie. In our digital age, data privacy generally applies to the handling of critical personal information, also known as personally identifiable information (PII) and personal health information (PHI). If data is king then data privacy is the principal gatekeeper.
Data privacy is one of the most fundamental challenges facing society today and it’s important for many reasons -- which fall broadly into two categories. The first is asset management -- the ownership and leverage of data (often the most important asset a business owns). And the second is regulatory compliance: managing data to ensure it meets regulatory compliance is important for legal, ethical and business reasons.
In today’s 'data economy', collecting, sharing and using data about customers or users has huge value both now and potentially in the future. And since consumers expect their private information to remain private, there is an increasing focus on the importance of transparency. To build trust with customers, businesses must follow their privacy policies and request consent to keep and manage personal data. Better transparency around data privacy builds customer trust.
At the same time, every business has to meet the challenge of regulatory compliance, and failure to do so can lead to devastating fines under regulations such as GDPR or CCPA. The regulations exist for a reason; if a business is victim to a hack or ransomware, the consequences in terms of lost revenue and lost customer trust could be far worse.
Data Protection/Security is NOT Data Privacy
Data protection/security is the final piece of the pie, and it’s often mistaken for data privacy -- but they’re not the same thing. Data security is everything involved in securing/protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle. Think of it as the barbed wire fence and armed guard of the data triumvirate.
Put simply, data protection/security does what it says on the tin -- it protects data from external attackers, insider threats and human errors -- whereas data privacy governs how data is collected, shared and used. Data protection/security is essentially the technical framework of keeping data secure and available -- everything from physical security (hardware and storage devices) to administrative and access controls, as well as the security of software applications.
The US Commerce Department’s National Institute of Standards and Technology (NIST) created an internationally recognized Cyber Security Framework which is the foundation of most standards. Here are the five key areas it outlines:
- Identify -- work out your weak spots
Get a clear overview of your systems and services -- assets, data, people, data flows -- and identify potential attack points for hackers or breaches.
- Protect -- guard your crown jewels
All systems and services need protection, but some need more protection than others.
- Detect -- create an alarm system
Protecting a system or service is not a foolproof guarantee of safety and security. When implementing protection, it’s equally important to set up monitoring and alerts.
- Respond -- make a crisis response plan
If an attack/breach occurs, you need to have your response worked out in advance - who does what and in what order, and who you’re legally obliged to inform.
- Recover -- have a game plan for getting back on track
If the worst does happen, you’ll need to know how to bring systems or services back into operation, and in which order.
If only it were as easy as pie…
In this scenario the whole piece is definitely more powerful than the individual slices. To be most effective, data governance, privacy and security must all work seamlessly together. Ultimately, when it comes to data security, the buck stops with you. No matter how complex the situation, the onus is on each individual business to keep its data secure. You can’t keep your data secure without the right data governance and data privacy.
Michael Queenan is co-founder and CEO of Nephos