DATA GOVERNANCE in the ERA of HEIGHTENED REGULATION.
The increasing use of AI in areas such as granting mortgages, adjudicating insurance claims, and diagnosing medical conditions reflects how data will see greater oversight, Lewis continued. "Companies do address data quality issues for near-term needs, but they may ultimately be forced to deal with the root of the problem, which is data proliferation."
Katie Fabiszak, CMO of Riversand, calls it a "love/hate relationship with data," born out of an "organization's ability to truly understand how they need to use data to reach their full potential." For starters, she stated, "data needs to be viewed as an organization-wide responsibility." This calls for looking beyond the technology aspect of data management, she continued. "What has gone wrong in the past is viewing data as something to just be managed by technology or systems. Instead, we truly need to make data ubiquitous throughout an organization. For the past decade we have been talking about data being a strategic asset, but we haven't really arrived there yet."
The industry has been responding to the challenge of requiring more enterprise-wide data with solutions such as customer data platforms (CDPs). CDPs are considered a step beyond the current generation of CRM systems, which tend to be limited by their narrow focus on internal customer data. CDPs open up insights into a wide range of data sources, from IoT data to social media. A recent survey by Forbes Insights found 78% of enterprises either have, or are developing, a CDP that is a dedicated environment managed by their marketing organization and is separate from other databases or platforms. Forty-five percent already have such systems in place. Effective targeted marketing--"including cross-selling, up-selling, social media targeting, and so on--requires getting a better handle on customer data," said Lewis. "Right now, most companies have at least some splintering of customer data in disparate systems, and getting a complete 360-degree view is difficult."
Accessibility of data to the people and applications that need it is critical but could lead businesses astray if not of the highest possible quality. "Beware if data isn't accurate but is still used to drive business processes," said Fabiszak. "Take the HR on-boarding process--can you imagine if the new employee's information was incorrect? That information would be shared throughout the organization leading to other issues. For example, if the Social Security number was incorrect, that could impact payroll systems and could have future implications on taxes and retirement plans."
Data security also continues to be front and center. The desire to build business value from data "means that more people than ever before need to be able to handle data--finding it, trusting it, sharing, and using it for insights that drive the business," said Rob Perry, VP of product marketing at ASG. "At the same time, the more people that handle data, the more risks there are. Phishing attacks can lead to exposure of personal data. Creation of personal copies of data can cause misunderstandings and inconsistency. There has to be a culture of data responsibility--a pervasive concern for the ethical and appropriate use of data. Data governance plays twin roles. It can guide users to the best data to address specific business needs. It can also monitor potentially inappropriate data-related issues while controlling access and change, which maintains trust."
There are both external and internal forces demanding accessible and accurate data. GDPR is the most obvious from the perspective of geographic scope of enforcement, scope of covered entities, content and information impact, and permeation into diverse industries, said Hiro Imamura, senior vice president and general manager, business imaging communications group for Canon U.S.A. This type of legislation isn't limited to Europe. "California passed similar privacy legislation--the California Consumer Privacy Act or CCPA--that will take effect in July 2020, allowing businesses a 2-year window to bring themselves into compliance. New Mexico, Massachusetts, Washington state, Virginia, and Florida are a few other states enacting their own versions of consumer privacy laws." There is a movement to enact such laws on the federal level as well, he added.
GDPR has already sent shudders through the data management world, said Lewis. "Most large organizations have had to take a risk-management approach to this regulation, meaning that they have done their best to address the greatest risk with the lowest cost, if they've addressed it at all. I don't think it would take much digging to find violations. With so many publicized breaches and the proliferation of personal information, it's inevitable that companies will need to respond."
There are numerous demands for better governance of data from an internal perspective as well, industry observers agree. "The exponential growth of content, increasing inclusion of IoT and mobile devices, and increasing internet commerce make targets more visible and accessible to external threat actors and a broader audience when organizations are victims, which in turn damages their reputations," said Imamura. "Disruptive technologies and the demand to keep pace with competitive offerings have pressed many businesses to reduce spending and investment in quality assurance, potentially opening security holes in IoT and mobile devices making incursions into the business."
"Having a firm understanding of the definition of PII is extremely important," said Mitch Kavalsky, director of security governance and risk, Sungard Availability Services. "While there is a list of known datapoints, there are still gray areas. For example, there are multiple datapoints that when used together qualify as PII, but when used individually are not considered PII. In addition, being able to isolate a specific user's data and remove it without impacting the system is a consideration that was previously not a priority. Organizations are keeping up with these requirements as best they can. The fines levied against Google show that the European nations are taking GDPR seriously and other companies are taking notice. While Google may debate the validity of the fines, other companies are doing everything they can to make sure they don't get hit with fines as well."
Any organization working with data is likely now to have an international reach and needs to prepare accordingly for the bevy of privacy mandates, industry observers agree. Companies with a global reach need to develop well-focused enterprise strategies for all data coming in and moving out of their organizations. This includes understanding how to approach and implement policy for these scenarios with a repeatable model due to worldwide impact, said Nathan Turajski, security operations and data security lead at Micro Focus. For example, they need to consider what requirements apply to the EU (GDPR), California (CCPA), and other regions for consistency of approach to the most stringent baseline requirements. "Organizations won't be ready to protect data if they haven't fully discovered and classified it across the organization as a prerequisite. Those are imperative considerations, as well as understanding your own organizational maturity, when developing data governance strategies."
THE DATA-SAVVY ORGANIZATION
As awareness of the requirements for data cohesiveness, as well as the need to meet legal requirements, gets baked into corporate data cultures, it is becoming necessary to manage accordingly, industry observers state. "Organizations get savvier with each passing year," said Fabiszak. "But more work needs to be done to ensure that people are comfortable working with data. It cannot just be the domain and discipline of data stewards or database administrators any longer." Instead, "organizations need to be data-centric and educate employees on the expectation that data is a critical part of their everyday jobs."
A challenge encountered by many organizations "is keeping data governance on the agenda," said Rene Bentvel, global data protection officer for Unit4. "Every organization struggles with this and it's a case of aligning data governance strategies with day-to-day business objectives. Regularly discussing incidents, ongoing awareness initiatives, and training are crucial to keeping up. Although many companies have already adopted privacy processes and procedures consistent with GDPR, the directive contains a number of new protections for EU data subjects that affect international companies, as well as European companies."
Too often, companies "hire a chief data officer [CDO] or establish an enterprise data governance program without considering how these functions fit within the rest of the organization," said Lewis. "The most successful organizations look carefully at existing business functions and processes, and find ways to link aspects of data governance to those functions. For example, CDOs should participate in strategic planning to provide advice on the latest capabilities, while also planning the data strategy in direct support of the company strategy."
This can be a challenge for small to medium-sized businesses. "The more progressive, globalized organizations and regulated industries, such as financial and insurance, and those that have had to comply with diverse mandates outside a single market such as the U.S., are able to keep up more quickly," said Turajski. "They've already had to respond to privacy mandates, such as PCI DSS and GDPR, so they have a head start. For those companies, it's now more about expanding the scope of sensitive data controls going forward. Smaller organizations have less exposure risk, so they are able to take a more wait-and-see approach, as opposed to the larger organizations with big targets on their backs."
Keeping information simple and concise enough that employees and customers will read it and remember it is important, said Bentvel. "When information is too verbose or is hard to find, people can slip up because they're not fully informed. Ensuring compliance is much more than just putting the processes in place. People need to understand the reason policies were put in place in order to feel incentivized to follow them. Compliance is about balancing data governance and security while still meeting the enterprise's data needs." Some of the initial steps an organization should take include driving awareness, considering the existing and new rights of data subjects, and recording data processing.
Turajski urged greater attention to data governance fundamentals "to discover sensitive data, classify that data, apply protection to the data, and then to manage access controls." He also pointed to "increased use of analytics for discovery and classification to automate controls when managing big data across disparate repositories." This requires "a holistic approach and user engagement and automation are key factors to effective data governance. Users need to be part of the solution, just as much as technology requires more automation to keep up with the exploding amount of data." Increased use of analytics can help mitigate risks and create a culture for handling data responsibly across all parts of the organization, which leads to increased consumer trust and helps promote a privacy-by-design mindset.
Organizations "are evolving to derive value from their valuable data assets," said Perry. "Managing an organization in the information economy means developing new skills, engaging staff to understand data governance, and knowing and complying with regulations. New roles have emerged--data scientist and data citizen, for example--with responsibility to explore and find insights from the ever increasing data resource. There's a spectrum of data responsibility--for some people, data is a major part of the job. Others bring more of a business focus to their data analysis. And, collaboration is the key to ensuring that data is properly obtained, understood, used, shared, and eventually disposed of. Responsible use of data is, at least, an implied part of every job description."
Ultimately, an effective data governance program is about more than data--it's about growing the business. "More businesses are now successfully cultivating open communication between various departments because of their data governance program," said Emily Washington, senior vice president of product management at Infogix. "This suggests that many companies are ready to expand their data governance program to a more strategic focus beyond just governing data. Instead, businesses need to take governance one step further to enhance their analytical insights. Although many businesses are now collaborating across departments, there is still a disconnect between the analytics team and those that are focused on governance efforts, resulting in various metadata definitions across teams. By introducing governance to analytical models, businesses can aggregate the metadata around their models to ensure all teams have a complete understanding of their data and can leverage it in analytical models."
by Joe McKendrick
Publication: Big Data Quarterly
Date: Jun 22, 2019