Categories
erwin Expert Blog

Keeping Up with New Data Protection Regulations

Keeping up with new data protection regulations can be difficult, and the latest – the General Data Protection Regulation (GDPR) – isn’t the only new data protection regulation organizations should be aware of.

California recently passed a law that gives residents the right to control the data companies collect about them. Some suggest the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, sets a precedent other states will follow by empowering consumers to set limits on how companies can use their personal information.

In fact, organizations should expect increasing pressure on lawmakers to introduce new data protection regulations. A number of high-profile data breaches and scandals have increased public awareness of the issue.

Facebook was in the news again last week for another major problem around the transparency of its user data, and the tech giant is also reportedly facing 10 GDPR investigations in Ireland – along with Apple, LinkedIn and Twitter.

Some industries, such as healthcare and financial services, have been subject to stringent data regulations for years: GDPR now joins the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Basel Committee on Banking Supervision (BCBS).

Due to these pre-existing regulations, organizations operating within these sectors, as well as insurance, had some of the GDPR compliance bases covered in advance.

Other industries had their own levels of preparedness, based on the nature of their operations. For example, many retailers have robust, data-driven e-commerce operations that are international. Such businesses are bound to comply with varying local standards, especially when dealing with personally identifiable information (PII).

Smaller, more brick-and-mortar-focussed retailers may have had to start from scratch.

But starting position aside, every data-driven organization should strive for a better standard of data management — and not just for compliance sake. After all, organizations are now realizing that data is one of their most valuable assets.

New Data Protection Regulations – Always Be Prepared

When it comes to new data protection regulations in the face of constant data-driven change, it’s a matter of when, not if.

As they say, the best defense is a good offense. Fortunately, whenever the time comes, the first port of call will always be data governance, so organizations can prepare.

Effective compliance with new data protection regulations requires a robust understanding of the “what, where and who” in terms of data and the stakeholders with access to it (i.e., employees).

The Regulatory Rationale for Integrating Data Management & Data Governance

This is also true for existing data regulations. Compliance is an on-going requirement, so efforts to become compliant should not be treated as static events.

Less than four months before GDPR came into effect, only 6 percent of enterprises claimed they were prepared for it. Many of these organizations will recall a number of stressful weeks – or even months – tidying up their databases and their data management processes and policies.

This time and money was spent reactively, at the expense of proactive efforts to grow the business.

The implementation and subsequent observation of a strong data governance initiative ensures organizations won’t be put on the spot going forward. Should an audit come up, current projects aren’t suddenly derailed as they reenact pre-GDPR panic.


Data Governance: The Foundation for Compliance

The first step to compliance with new – or old – data protection regulations is data governance.

A robust and effective data governance initiative ensures an organization understands where security should be focussed.

By adopting a data governance platform that enables you to automatically tag sensitive data and track its lineage, you can ensure nothing falls through the cracks.

Your chosen data governance solution should enable you to automate the scanning, detection and tagging of sensitive data by:

  • Monitoring and controlling sensitive data – Gain better visibility and control across the enterprise to identify data security threats and reduce associated risks.
  • Enriching business data elements for sensitive data discovery – By leveraging a comprehensive mechanism to define business data elements for PII, PHI and PCI across database systems, cloud and Big Data stores, you can easily identify sensitive data based on a set of algorithms and data patterns.
  • Providing metadata and value-based analysis – Simplify the discovery and classification of sensitive data based on metadata and data value patterns and algorithms. Organizations can define business data elements and rules to identify and locate sensitive data, including PII, PHI and PCI.

With these precautionary steps, organizations are primed to respond if a data breach occurs. Having a well governed data ecosystem with data lineage capabilities means issues can be quickly identified.

Additionally, if any follow-up is necessary – such as with GDPR’s data breach reporting time requirements – it can be handled swiftly and in accordance with regulations.

It’s also important to understand that the benefits of data governance don’t stop with regulatory compliance.

A better understanding of what data you have, where it’s stored and the history of its use and access isn’t only beneficial in fending off non-compliance repercussions. In fact, such an understanding is arguably better put to use proactively.

Data governance improves data quality standards, it enables better decision-making and ensures businesses can have more confidence in the data informing those decisions.

The same mechanisms that protect data by controlling its access also can be leveraged to make data more easily discoverable to approved parties – improving operational efficiency.

All in all, the cumulative result of data governance’s influence on data-driven businesses both drives revenue (through greater efficiency) and reduces costs (fewer errors, false starts, etc.).

To learn more about data governance and the regulatory rationale for its implementation, get our free guide here.


Five Pillars of Data Governance Readiness: Initiative Sponsorship

“Facebook at the center of global reckoning on data governance.” This headline from a March 19 article in The Wall Street Journal sums up where we are. With only two months until the General Data Protection Regulation (GDPR) goes into effect, we’re going to see more headlines about improper data governance (DG) – leading to major fines and tarnished brands.

Since the news of the Facebook data scandal broke, the company’s stock has dropped and Nordea, the largest bank in the Nordic region, put a stop to Facebook investments for three months because “we see that the risks related to governance around data protection may have been severely compromised,” it said in a statement.

Last week, we began discussing the five pillars of data governance readiness to ensure the data management foundation is in place for mitigating risks, as well as accomplishing other organizational goals. There can be no doubt that data governance is central to an organization’s customer relationships, reputation and financial results.

So today, we’re going to explore the first pillar of DG readiness: initiative sponsorship. Without initiative sponsorship, organizations will struggle to obtain the funding, resources, support and alignment necessary for successful implementation and subsequent performance.

A Common Roadblock

Data governance isn’t a one-off project with a defined endpoint. It’s an on-going initiative that requires active engagement from executives and business leaders. But unfortunately, the 2018 State of Data Governance Report finds lack of executive support to be the most common roadblock to implementing DG.

This is historical baggage. Traditional DG has been an isolated program housed within IT, and thus, constrained within that department’s budget and resources. More significantly, managing DG solely within IT prevented those in the organization with the most knowledge of and investment in the data from participating in the process.

This silo created problems ranging from a lack of context in data cataloging to poor data quality and a sub-par understanding of the data’s associated risks. Data Governance 2.0 addresses these issues by opening data governance to the whole organization.

Its collaborative approach ensures that those with the most significant stake in an organization’s data are intrinsically involved in discovering, understanding, governing and socializing it to produce the desired outcomes. In this era of data-driven business, C-level executives and department leaders are key stakeholders.

But they must be able to trust that data and then collaborate based on their role-specific insights to make informed decisions about strategy, identify new opportunities, address redundancies and improve processes.

So, it all comes back to modern data governance: the ability to understand critical enterprise data within a business context, track its physical existence and lineage, and maximize its value while ensuring quality and security.

Initiative Sponsorship: Encouraging Executive Involvement

This week’s headlines about Facebook have certainly gotten Mark Zuckerberg’s attention, as there are calls for the CEO to appear before the U.S. Congress and British Parliament to answer for his company’s data handling – or mishandling as it is alleged.

Public embarrassment, Federal Trade Commission and GDPR fines, erosion of customer trust/loyalty, revenue loss and company devaluation are real risks when it comes to poor data management and governance practices. Facebook may have just elevated your case for implementing DG 2.0 and involving your executives.


Business heads and their teams, after all, are the ones who have the knowledge about the data – what it is, what it means, who and what processes use it and why, and what rules and policies should apply to it. Without their perspective and participation in data governance, the enterprise’s ability to intelligently lock down risks and enable growth will be seriously compromised.

Appropriately implemented – with business data stakeholders driving alignment between DG and strategic enterprise goals and IT handling the technical mechanics of data management – the door opens to trusting data and using it effectively.

Also, a chief data officer (CDO) can serve as the bridge between IT and the business to remove silos in the drive toward DG and subsequent whole-of-business outcomes. He or she would be the ultimate sponsor, leading the charge for the necessary funding, resources, and support for a successful, ongoing initiative.

Initiative Sponsorship with an ‘EDGE’

Once key business leaders understand and buy into the vital role they play in a Data Governance 2.0 strategy, the work of building the infrastructure enabling the workforce and processes to support actively governing data assets and their alignment to the business begins.

To find it, map it, make sure it’s under control, and promote it to appropriate personnel requires a technology- and business-enabling platform that covers the entire data governance lifecycle across all data producer and consumer roles.

The erwin EDGE delivers an ‘enterprise data governance experience’ to unify critical DG domains, use role-appropriate interfaces to bring together stakeholders and processes to support a culture committed to acknowledging data as the mission-critical asset that it is, and orchestrate the key mechanisms that are required to discover, fully understand, actively govern and effectively socialize and align data to the business.

To assess your organization’s current data governance readiness, take the erwin DG RediChek.

To learn more about the erwin EDGE, reserve your seat for this webinar.


Using Enterprise Architecture to Improve Security

The personal data of more than 143 million people – half the United States’ entire population – may have been compromised in the recent Equifax data breach. With every major data breach comes post-mortems and lessons learned, but one area we haven’t seen discussed is how enterprise architecture might aid in the prevention of data breaches.

For Equifax, the reputational hit, loss of profits/market value, and potential lawsuits are really bad news. For other organizations that have yet to suffer a breach, be warned. The clock is ticking for the General Data Protection Regulation (GDPR) to take effect in May 2018. GDPR changes everything, and it’s just around the corner.

Organizations of all sizes must take greater steps to protect consumer data or pay significant penalties. Negligent data governance and data management could cost up to 4 percent of an organization’s global annual turnover or up to 20 million Euros, whichever is greater.

With this in mind, the Equifax data breach – and subsequent lessons – is a discussion potentially worth millions.


Proactive Data Protection and Cybersecurity

Given that data security has long been considered paramount, it’s surprising that enterprise architecture is one approach to improving data protection that has been overlooked.

It’s a surprise because when you consider enterprise architecture use cases and just how much of an organization it permeates (which is really all of it), EA should be commonplace in data security planning.

So, the Equifax breach provides a great opportunity to explore how enterprise architecture could be used for improving cybersecurity.

Security should be proactive, not reactive, which is why EA should be a huge part of security planning. And while we hope the Equifax incident isn’t the catalyst for an initial security assessment and improvements, it certainly should prompt a re-evaluation of data security policies, procedures and technologies.

By using well-built enterprise architecture for the foundation of data security, organizations can help mitigate risk. EA’s comprehensive view of the organization means security can be involved in the planning stages, reducing risks involved in new implementations. When it comes to security, EA should get a seat at the table.

Enterprise architecture also goes a long way in nullifying threats born of shadow IT, outdated applications, and other IT faux pas. Well-documented, well-maintained EA gives an organization the best possible view of current tech assets.

This is especially relevant in Equifax’s case as the breach has been attributed to the company’s failure to update a web application although it had sufficient warning to do so.

By leveraging EA, organizations can shore up data security by ensuring updates and patches are implemented proactively.

Enterprise Architecture, Security and Risk Management

But what about existing security flaws? Implementing enterprise architecture in security planning now won’t solve them.

An organization can never eliminate security risks completely. The constantly evolving IT landscape would require businesses to spend an infinite amount of time, resources and money to achieve zero risk. Instead, businesses must opt to mitigate and manage risk to the best of their abilities.

Therefore, EA has a role in risk management too.

In fact, EA’s risk management applications are more widely appreciated than its role in security. But effective EA for risk management is a fundamental part of how EA supports security implementation.

Enterprise architecture’s comprehensive accounting of business assets (both technological and human) means it’s best placed to align security and risk management with business goals and objectives. This can give an organization insight into where time and money can best be spent in improving security, as well as the resources available to do so.

This is because of the objective view enterprise architecture analysis provides for an organization.

To use a somewhat crude but applicable analogy, consider the risks of travel. A fear of flying is more common than a fear of driving in a car. In a business sense, this could unwarrantedly encourage more spending on mitigating the risks of flying. However, an objective enterprise architecture analysis would reveal that, despite the fear, the risk of travelling by car is much greater.

Applying the same logic to security spending, enterprise architecture analysis would give an organization an indication of how to prioritize security improvements.


Every Company Requires Data Governance and Here’s Why

With GDPR regulations imminent, businesses need to ensure they have a handle on data governance.


GDPR guide: Preparing for the new changes

By now many businesses will have already heard about the new General Data Protection Regulation legislation. But knowing is only half the battle. That’s why we’ve put together this GDPR guide.


GDPR guide: Do you know about the change?

The countdown has begun to one of the biggest changes in data protection, but how much do you know about GDPR? In a series of articles throughout February we will explain the essential information you need to know and what you need to be doing now.

What is GDPR?

It stands for General Data Protection Regulation and it’s an EU legal framework which will apply to UK businesses from 25 May 2018. It’s a new set of legal requirements regarding data protection which adds new levels of accountability for companies, new requirements for documenting decisions and a new range of penalties if you don’t comply.

It’s designed to enable individuals to have better control of their own personal data.

While the law was ratified in 2016, countries have had a two-year implementation period which means businesses must be compliant by 2018.

Key points of GDPR

The changes to data protection will be substantial as will be the penalties for failure to comply. It introduces concepts such as the right to be forgotten and formalises data breach notifications.

GDPR will ensure consistency across all EU countries, which means that individuals can expect to be treated the same in every country across Europe.

How to comply

For processing personal data to be legal under GDPR, businesses need to show that there is a legal basis as to why they require personal data, and they need to document this reasoning.

GDPR states that personal data is any information that can be used to identify an individual. This means that, for the first time, it includes information such as genetic, mental, cultural, economic or social information.

To ensure valid consent is being given, businesses need to ensure simple language is used when asking for consent to collect personal data. Individuals must also have a clear understanding as to how the data will be used.

Furthermore, it is mandatory under the GDPR for businesses to employ a Data Protection Officer. This applies to public authorities and other companies where their core activities require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.

Data Protection Officers will also be required to complete Privacy Impact Assessments and give notification of a data breach within 72 hours.

The impact of Brexit

At this stage it is unknown how the UK exiting the European Union will affect GDPR. However, with Article 50 yet to be triggered, the exit from the European Union is still over two years away, and as such the UK will still be part of the EU in 2018. This means that businesses must comply with GDPR when it comes into force.

Penalties for non-compliance

Penalties for failing to meet the requirements of GDPR could lead to fines of up to €20 million or 4% of the global annual turnover of the company for the previous year, whichever is higher. This high level of financial penalty could have a serious impact on the future of a business.

Over the coming month, we will continue this series looking at how to get started preparing for GDPR now, why you need a Data Protection Officer and how GDPR will affect your international business.
