Categories
erwin Expert Blog

Google’s Record GDPR Fine: Avoiding This Fate with Data Governance

The General Data Protection Regulation (GDPR) made its first real impact as Google’s record GDPR fine dominated news cycles.

Historically, fines had peaked at six figures with the U.K.’s Information Commissioner’s Office (ICO) fines of 500,000 pounds ($650,000 USD) against both Facebook and Equifax for their data protection breaches.

Experts predicted an uptick in GDPR enforcement in 2019, and Google’s recent record GDPR fine has brought that to fruition. France’s data privacy enforcement agency hit the tech giant with a $57 million penalty – more than 80 times the steepest ICO fine.

If it can happen to Google, no organization is safe. Many in fact still lag in the GDPR compliance department. Cisco’s 2019 Data Privacy Benchmark Study reveals that only 59 percent of organizations are meeting “all or most” of GDPR’s requirements.

So many more GDPR violations are likely to come to light. And even organizations that are currently compliant can’t afford to let their data governance standards slip.

Data Governance for GDPR

Google’s record GDPR fine makes the rationale for better data governance clear enough. However, the Cisco report offers even more insight into the value of achieving and maintaining compliance.

Organizations with GDPR-compliant security measures are not only less likely to suffer a breach (74 percent vs. 89 percent), but the breaches suffered are less costly too, with fewer records affected.

However, applying such GDPR-compliant provisions can’t be done on a whim; organizations must expand their data governance practices to include compliance.

GDPR White Paper

A robust data governance initiative provides a comprehensive picture of an organization’s systems and the units of data contained or used within them. This understanding encompasses not only the original instance of a data unit but also its lineage and how it has been handled and processed across an organization’s ecosystem.

With this information, organizations can apply the relevant degrees of security where necessary, ensuring expansive and efficient protection from external (i.e., breaches) and internal (i.e., mismanaged permissions) data security threats.

Although data security cannot be wholly guaranteed, these measures can help identify and contain breaches to minimize the fallout.

Looking at Google’s Record GDPR Fine as An Opportunity

The tertiary benefits of GDPR compliance include greater agility and innovation and better data discovery and management. So arguably, the “tertiary” benefits of data governance should take center stage.

While once exploited by such innovators as Amazon and Netflix, data optimization and governance is now on everyone’s radar.

So organization’s need another competitive differentiator.

An enterprise data governance experience (EDGE) provides just that.

THE REGULATORY RATIONALE FOR INTEGRATING DATA MANAGEMENT & DATA GOVERNANCE

This approach unifies data management and data governance, ensuring that the data landscape, policies, procedures and metrics stem from a central source of truth so data can be trusted at any point throughout its enterprise journey.

With an EDGE, the Any2 (any data from anywhere) data management philosophy applies – whether structured or unstructured, in the cloud or on premise. An organization’s data preparation (data mapping), enterprise modeling (business, enterprise and data) and data governance practices all draw from a single metadata repository.

In fact, metadata from a multitude of enterprise systems can be harvested and cataloged automatically. And with intelligent data discovery, sensitive data can be tagged and governed automatically as well – think GDPR as well as HIPAA, BCBS and CCPA.

Organizations without an EDGE can still achieve regulatory compliance, but data silos and the associated bottlenecks are unavoidable without integration and automation – not to mention longer timeframes and higher costs.

To get an “edge” on your competition, consider the erwin EDGE platform for greater control over and value from your data assets.

Data preparation/mapping is a great starting point and a key component of the software portfolio. Join us for a weekly demo.

Automate Data Mapping

Categories
Data Governance erwin Expert Blog

Data Governance & GDPR: How it Will Affect Your Business

If you’re a data professional, data governance and GDPR are likely at the top of your agenda right now.

Because if your organization exists within the European Union (EU) or trades with the EU, the General Data Protection Regulation (GDPR) will affect your operations.

Despite this fact, only 6% of organizations say they are “completely prepared” ahead of the mandate’s May 25 effective date, according to the 2018 State of Data Governance Report.

Perhaps some solace can be found in that 39% of those surveyed for the report indicate they are “somewhat prepared,” with 27% starting preparations.

But 11% indicate they are “not prepared at all,” and the most damning of revelations is that 17% of organizations believe GDPR does not affect them.

I’m afraid these folks and their organizations are misguided because any company in any industry is within GDPR’s reach. Even if only one EU citizen’s data is included within an organization’s database(s), compliance is mandatory.

So it’s important for organizations to understand exactly what they need to do before the deadline and the potential fines of up to €20 million or 4% of annual turnover, whichever is greater.

How Does GDPR Affect My Business

With the advent of any new regulation, it’s crucial that organizations know which elements of their organization are affected and what they need to do to stay compliant. Regarding the latter, the GDPR requires organizations to have a comprehensive and effective data governance strategy. In terms of the areas affected, organizations need to be aware of the following:

Personally Identifiable Information (PII)

GDPR introduces tighter regulations around the storage, management and transfer of PII. According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

Personal data also comes in many forms and extends to the combination of different data elements that individually are not PII but contribute to PII status when consolidated.

Data governance allows organizations to more easily identify and classify PII and in turn, introduce appropriate measures to keep it safe.

Therefore, a good data governance solution should enable organizations to add and manage metadata – the data about data – regarding a unit of data’s sensitivity. It should also have strong data discoverability capabilities, and the ability to control access to data through user-based permissions.

Active Consent, Data Processing and the Right to Be Forgotten

GDPR also strengthens the conditions for consent, which must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose. The data controller must provide a copy of said personal data in an electronic format – free of charge. This change is a dramatic shift in data transparency and consumer empowerment.

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The information and processes required to address these restrictions can be found in the metadata and managed via metadata management tools – a key facet of data governance. Better management of such metadata is key to optimizing an organization’s data processing capabilities. Without such optimization, compliance with the GDPR-granted “right to be forgotten” can become too complex to effictively manage.

Gartner Magic Quadrant

Documenting Compliance and Data Breaches

GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has sky-rocketed, making data-driven businesses targets of cyber threats.

Organizations must document what data they have, where it resides, the controls in place to protect it, and the measures that will be taken to address mistakes/breaches. In fact, data breach notification is mandatory within 72 hours if that breach is likely to “result in risk for the rights and freedoms of individuals.”

A comprehensive data governance strategy encompasses and enables the documentation process outlined above. However, a data governance strategy decreases the likelihood of such breaches occurring as it provides organizations with greater insight as to which data should be more closely guarded.

Data Governance and GDPR Compliance

Based on the results of the State of DG Report referenced at the beginning of this post, organizations aren’t as GDPR-ready as they should be. But there’s still time to act.

Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorization needed for GDPR compliance. And it will help in assessing and prioritizing data risks and enable easier verification of compliance with GDPR auditors.

Data governance enables an organization to discover, understand, govern and socialize its data assets – not just within IT but across the entire organization. Not only does it encompass data’s current iteration but also its entire lineage and connections through the data ecosystem.

Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Such compliance requires an organization to locate all an individual’s PII and any information that can be cross-referenced with other data points to become PII.

With the right data governance approach and supporting technology, organizations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.

Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in at a cultural level.

For more information about increasing your expertise in relation to data governance and GDPR, download our guide to managing GDPR with data governance.

Data Governance, GDPR and Your Business

Categories
erwin Expert Blog

State of DG: Shocking Number of Organizations Unprepared for GDPR, Is Yours?

The General Data Protection Regulation (GDPR) goes into effect in May, but a new study reveals that most organizations are overwhelmingly unprepared.

The State of Data Governance Report finds that only 6% of respondents consider themselves completely prepared for GDPR. That means a shocking 94% of the organizations surveyed are not ready for what is one of the most important data privacy and security regulations passed in recent years.

Failure to implement data governance (DG) to comply with GDPR will leave these organizations liable for fines of up to €20 million or 4% annual global turnover – whichever is greater.

But the news isn’t all bad; promising signs can be found. Although 46% of those surveyed indicate having “no formal strategy” in place for DG, 42% describe their data governance initiatives as a “work in progress.”

State of DG: Regulatory Compliance Driving Data Governance

Historically, data governance has left a lot to be desired. The value and ROI were insignificant to non-existent, and so executive buy-in and funding also has been low.

Business leaders usually left DG to their IT departments, but that created silos that cut off DG from it’s day to day “data owners” and “data stakeholders,” – in essence, everybody that uses data to drive business. With poor data discovery, lineage and context, data governance was largely abandoned or at least out of sight, out of mind.

Forty-two percent of the organizations participating in the State of DG Report survey indicate that lack of executive support is still a roadblock. But GDPR is spurring new interest in DG because companies must articulate what their data is, where it resides, what controls are in place to protect it, and the measures they will use to address mistakes/breaches.

An effective data governance initiative is critical for the data visibility and categorization needed to comply with GDPR. It also will help assess and prioritize data risks and enable easier verification of GDPR compliance to auditors.

Perhaps this is why 66% of those surveyed for the State of DG Report say understanding and governing enterprise assets has become more important or very important for their executives. And regulatory compliance is in fact the No. 1 driver for data governance.

State of DG: Implementing Data Governance for GDPR

It’s safe to say that organizations should be much further along with GDPR than they are.

The biggest challenge is to establish compliance with their current data architectures and then to build GDPR compliance into the processes for designing and deploying new data sources.

This requires visibility into the strategic roadmap and well-defined processes to govern new data deployments so that constant GDPR retrofits aren’t required.

Thankfully data governance has evolved from a siloed, IT-owned program primarily for data cataloging to support search and discovery. It has given way to proactive, enterprise-wide data governance to support regulatory compliance in addition to data-driven insights for achieving other organizational objectives.

Data Governance 2.0 understands that CTOs, CMOs and other C-level executives and business leaders across the enterprise are involved in data creation, management and use on a day-to-day basis. And GDPR compliance requires that all stakeholders be aware and empowered so that data governance is built in, and part of the culture.

By integrating data governance with enterprise architecture, business process and data modeling, you’ll have a GDPR compliance framework to:

  • Discover and harvest data assets
  • Classify data and create a GDPR inventory
  • Perform GDPR risk analysis
  • Define GDPR controls and standard operating procedures
  • Socialize and apply GDPR requirements across the organization
  • Implement GDPR controls into IT and business roadmaps for “compliance by design”
  • Prove compliance/respond to audits

Is your organization GDPR-ready?

Click here to get your State of DG Report to see how your organization compares to those we surveyed.

Of if you’d like to discuss how to improve your GDPR readiness with one of our solution specialists, click here.

State of DG: Get the full report

Categories
erwin Expert Blog

The Secret to Data Governance Success

Data governance (DG) 1.0 has struggled to get off the ground, but now DG is required for General Data Protection Regulation (GDPR) compliance, so businesses need a new approach to achieve data governance success.

When properly implemented, data governance is an empowering tool for businesses. But for many organizations just getting started with DG, implementation will be reactionary because of its mandatory status under (GDPR).

As such, businesses might be tempted into doing the bare minimum to meet compliance standards. But done right, data governance is a key enabler for any data-driven business.

The data governance success story

The first step in achieving data governance success is to define what it should look like. With clear goals, businesses can take the collaborative approach data governance requires – with the whole company pulling in the same direction – for proper implementation.

Data governance success typically manifests itself as:

  • Defined data: Consistency in how a business defines data means it can be understood across divisions, enabling greater potential for collaboration.
  • Guaranteed quality: Trusted data eases the decision-making process, allowing a business to make both faster and more assured decisions that lead to fewer false starts.
  • Compliance and security: With data governance, neither are sacrificed even as the volume of data and the accessibility of such data expands when silos are broken down. Of course, this is a key component of any business putting data at the heart of their operations.

With this in mind, your next steps should be to introduce Data Governance 2.0 by addressing the baggage of its predecessor, and learning from it. Two key lessons to take away: 1) treat data like physical assets and 2) treat data governance itself as a strategic initiative.

Treat data like physical assets

This year data went mainstream. In the two years prior, more data was created than in the whole of human history. With more and more businesses acknowledging the value of data insights, analysts correctly predicted that data would be considered “more valuable than oil” in 2017.

Businesses that have already experienced data-driven success recognized data’s potential value early on. Yet for the most part, data typically has been considered separate from physical assets. It has, therefore, been given subdued levels of vigilance compared to physical assets that are often tracked, maintained and updated to maintain peak operational performance.

Take the belt on a production line, for example. Lack of maintenance leads to faults, production delays, increased time to market and ultimately stifled profits and overall performance. Continuous neglect results in more costly repairs not to mention the costs related to down-time. The same is true for data.

If your data isn’t governed with due care, silos and bottlenecks easily develop, shutting off access to employees who need it and slowing down everything from data discovery to analytics.

Persistent neglect means your business will not understand where your most sensitive data is stored, making it more susceptible to breaches. As Equifax and Uber have demonstrated recently, such data breaches are costly enough without the fines that soon will be levied because of  GDPR.

Considering recent revelations surrounding the value of data, plus the imminent regulatory changes, it’s time businesses begin treating data with as much respect and care as their physical assets.

Treat data governance as a strategic initiative

The problem with historical data governance implementation is that it was seen exclusively as an IT-driven project. Therefore, governance was shoehorned through a collection of siloed tools with no input from the wider organization. More specifically, from line managers and C-Level executives to whom governed data is arguably most valuable.

In recent years, the problems with this approach have become further exacerbated by:

  • A demand for big data and analytics-driven growth
  • A need for digital trust in business dealings between organizations or between businesses and consumers
  • Upcoming personal data removal mandates with stronger individual privacy protections

In the current business climate, more than 35 percent of companies use information to identify new business opportunities and predict future trends and behavior. An additional 50 percent agree that information is highly valued for decision-making, and should be treated as an asset (BI-Survey.com).

Clearly, it’s paramount that organizations view their data as a valuable asset, and the governing of their data as a strategic initiative in and of itself.

For more best practices in achieving data governance success, click here.

Data governance is everyone's business