Categories
erwin Expert Blog

Keeping Up with New Data Protection Regulations

Keeping up with new data protection regulations can be difficult, and the latest – the General Data Protection Regulation (GDPR) – isn’t the only new data protection regulation organizations should be aware of.

California recently passed a law that gives residents the right to control the data companies collect about them. Some suggest the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020, sets a precedent other states will follow by empowering consumers to set limits on how companies can use their personal information.

In fact, organizations should expect increasing pressure on lawmakers to introduce new data protection regulations. A number of high-profile data breaches and scandals have increased public awareness of the issue.

Facebook was in the news again last week for another major problem around the transparency of its user data, and the tech-giant also is reportedly facing 10 GDPR investigations in Ireland – along with Apple, LinkedIn and Twitter.

Some industries, such as healthcare and financial services, have been subject to stringent data regulations for years: GDPR now joins the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and the Basel Committee on Banking Supervision (BCBS).

Due to these pre-existing regulations, organizations operating within these sectors, as well as insurance, had some of the GDPR compliance bases covered in advance.

Other industries had their own levels of preparedness, based on the nature of their operations. For example, many retailers have robust, data-driven e-commerce operations that are international. Such businesses are bound to comply with varying local standards, especially when dealing with personally identifiable information (PII).

Smaller, more brick-and-mortar-focussed retailers may have had to start from scratch.

But starting position aside, every data-driven organization should strive for a better standard of data management — and not just for compliance sake. After all, organizations are now realizing that data is one of their most valuable assets.

New Data Protection Regulations – Always Be Prepared

When it comes to new data protection regulations in the face of constant data-driven change, it’s a matter of when, not if.

As they say, the best defense is a good offense. Fortunately, whenever the time comes, the first point of call will always be data governance, so organizations can prepare.

Effective compliance with new data protection regulations requires a robust understanding of the “what, where and who” in terms of data and the stakeholders with access to it (i.e., employees).

The Regulatory Rationale for Integrating Data Management & Data Governance

This is also true for existing data regulations. Compliance is an on-going requirement, so efforts to become compliant should not be treated as static events.

Less than four months before GDPR came into effect, only 6 percent of enterprises claimed they were prepared for it. Many of these organizations will recall a number of stressful weeks – or even months – tidying up their databases and their data management processes and policies.

This time and money was spent reactionarily, at the behest of proactive efforts to grow the business.

The implementation and subsequent observation of a strong data governance initiative ensures organizations won’t be put on the spot going forward. Should an audit come up, current projects aren’t suddenly derailed as they reenact pre-GDPR panic.

New Data Regulations

Data Governance: The Foundation for Compliance

The first step to compliance with new – or old – data protection regulations is data governance.

A robust and effective data governance initiative ensures an organization understands where security should be focussed.

By adopting a data governance platform that enables you to automatically tag sensitive data and track its lineage, you can ensure nothing falls through the cracks.

Your chosen data governance solution should enable you to automate the scanning, detection and tagging of sensitive data by:

  • Monitoring and controlling sensitive data – Gain better visibility and control across the enterprise to identify data security threats and reduce associated risks.
  • Enriching business data elements for sensitive data discovery – By leveraging a comprehensive mechanism to define business data elements for PII, PHI and PCI across database systems, cloud and Big Data stores, you can easily identify sensitive data based on a set of algorithms and data patterns.
  • Providing metadata and value-based analysis – Simplify the discovery and classification of sensitive data based on metadata and data value patterns and algorithms. Organizations can define business data elements and rules to identify and locate sensitive data, including PII, PHI and PCI.

With these precautionary steps, organizations are primed to respond if a data breach occurs. Having a well governed data ecosystem with data lineage capabilities means issues can be quickly identified.

Additionally, if any follow-up is necessary –  such as with GDPR’s data breach reporting time requirements – it can be handles swiftly and in accordance with regulations.

It’s also important to understand that the benefits of data governance don’t stop with regulatory compliance.

A better understanding of what data you have, where it’s stored and the history of its use and access isn’t only beneficial in fending off non-compliance repercussions. In fact, such an understanding is arguably better put to use proactively.

Data governance improves data quality standards, it enables better decision-making and ensures businesses can have more confidence in the data informing those decisions.

The same mechanisms that protect data by controlling its access also can be leveraged to make data more easily discoverable to approved parties – improving operational efficiency.

All in all, the cumulative result of data governance’s influence on data-driven businesses both drives revenue (through greater efficiency) and reduces costs (less errors, false starts, etc.).

To learn more about data governance and the regulatory rationale for its implementation, get our free guide here.

DG RediChek

Categories
erwin Expert Blog Data Governance

Data Governance & GDPR: How it Will Affect Your Business

If you’re a data professional, data governance and GDPR are likely at the top of your agenda right now.

Because if your organization exists within the European Union (EU) or trades with the EU, the General Data Protection Regulation (GDPR) will affect your operations.

Despite this fact, only 6% of organizations say they are “completely prepared” ahead of the mandate’s May 25 effective date, according to the 2018 State of Data Governance Report.

Perhaps some solace can be found in that 39% of those surveyed for the report indicate they are “somewhat prepared,” with 27% starting preparations.

But 11% indicate they are “not prepared at all,” and the most damning of revelations is that 17% of organizations believe GDPR does not affect them.

I’m afraid these folks and their organizations are misguided because any company in any industry is within GDPR’s reach. Even if only one EU citizen’s data is included within an organization’s database(s), compliance is mandatory.

So it’s important for organizations to understand exactly what they need to do before the deadline and the potential fines of up to €20 million or 4% of annual turnover, whichever is greater.

How Does GDPR Affect My Business

With the advent of any new regulation, it’s crucial that organizations know which elements of their organization are affected and what they need to do to stay compliant. Regarding the latter, the GDPR requires organizations to have a comprehensive and effective data governance strategy. In terms of the areas affected, organizations need to be aware of the following:

Personally Identifiable Information (PII)

GDPR introduces tighter regulations around the storage, management and transfer of PII. According to the GDPR, personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

Personal data also comes in many forms and extends to the combination of different data elements that individually are not PII but contribute to PII status when consolidated.

Data governance allows organizations to more easily identify and classify PII and in turn, introduce appropriate measures to keep it safe.

Therefore, a good data governance solution should enable organizations to add and manage metadata – the data about data – regarding a unit of data’s sensitivity. It should also have strong data discoverability capabilities, and the ability to control access to data through user-based permissions.

Active Consent, Data Processing and the Right to Be Forgotten

GDPR also strengthens the conditions for consent, which must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

Data subjects also have the right to obtain confirmation as to whether their personal data is being processed, where and for what purpose. The data controller must provide a copy of said personal data in an electronic format – free of charge. This change is a dramatic shift in data transparency and consumer empowerment.

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The information and processes required to address these restrictions can be found in the metadata and managed via metadata management tools – a key facet of data governance. Better management of such metadata is key to optimizing an organization’s data processing capabilities. Without such optimization, compliance with the GDPR-granted “right to be forgotten” can become too complex to effictively manage.

Gartner Magic Quadrant

Documenting Compliance and Data Breaches

GDPR also looks to curb data breaches that have become more extensive and frequent in recent years. Data’s value has sky-rocketed, making data-driven businesses targets of cyber threats.

Organizations must document what data they have, where it resides, the controls in place to protect it, and the measures that will be taken to address mistakes/breaches. In fact, data breach notification is mandatory within 72 hours if that breach is likely to “result in risk for the rights and freedoms of individuals.”

A comprehensive data governance strategy encompasses and enables the documentation process outlined above. However, a data governance strategy decreases the likelihood of such breaches occurring as it provides organizations with greater insight as to which data should be more closely guarded.

Data Governance and GDPR Compliance

Based on the results of the State of DG Report referenced at the beginning of this post, organizations aren’t as GDPR-ready as they should be. But there’s still time to act.

Data governance and GDPR go hand in hand. A strong data governance program is critical to the data visibility and categorization needed for GDPR compliance. And it will help in assessing and prioritizing data risks and enable easier verification of compliance with GDPR auditors.

Data governance enables an organization to discover, understand, govern and socialize its data assets – not just within IT but across the entire organization. Not only does it encompass data’s current iteration but also its entire lineage and connections through the data ecosystem.

Understanding data lineage is absolutely necessary in the context of GDPR. Take the right to be forgotten, for example. Such compliance requires an organization to locate all an individual’s PII and any information that can be cross-referenced with other data points to become PII.

With the right data governance approach and supporting technology, organizations can ensure GDPR compliance with their current, as-is architecture and data assets – and ensure new data sources and/or changes to the to-be architecture incorporate the appropriate controls.

Stakeholders across the enterprise need to be GDPR aware and enabled so that compliance is built in at a cultural level.

For more information about increasing your expertise in relation to data governance and GDPR, download our guide to managing GDPR with data governance.

Data Governance, GDPR and Your Business