This post was co-authored with Elizabeth Tse, an Associate at Metis Strategy.
Companies continue to face implementation challenges as they rush to comply with data privacy regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This is due largely to a mismatch between their management of data and the stringent requirements set by the regulations.
Organizations can address the complexities of privacy regulations via a well-defined data governance framework, which leverages people, processes and technologies to establish standards for data access, management and use. Such a framework also enables companies to address elements of privacy, including identity and access management, consent management and policy definition.
As leaders implement data governance models with privacy in mind, they may face challenges, including lukewarm executive buy-in, lack of a cohesive data strategy, or diverging opinions about how data should be used and handled. To address these obstacles, leaders should consider the following actions:
- Establish cross-functional data ownership and awareness
- Streamline data policies and procedures
- Upgrade technology and infrastructure
Establish cross-functional data ownership and awareness
While a Chief Data Officer or CIO may lead the implementation of a data governance framework or model, data governance should be a shared responsibility across a company. At a minimum, the IT department, privacy office, security organization, and various business divisions should be involved, as each has an important stake in data management. Bringing in a variety of stakeholders early allows firms to establish key data objectives and a broader data governance vision. This collaboration can take the form of a dedicated task force or may involve regular reporting on data governance and privacy objectives to the executive board.
Data privacy is similarly a shared responsibility. All employees have a part to play in maintaining data privacy by following accepted standards for data collection, use and sharing. Indeed, implementing a successful data governance model with privacy in mind requires educating employees on governance concepts, roles and responsibilities, as well as data privacy concepts and regulations (e.g. the definition of “personal information” vs. “consumer information”).
After establishing a governance vision and driving employee awareness, organizations can define their desired data governance roles – such as data owners, data stewards, data architects and data consumers – and tailor the roles to their needs. Some companies may distinguish between data stewards and data owners, for example, with the former responsible for executing daily data operations and the latter responsible for data policy definition. For one client with a large and complex IT department, Metis Strategy established a governance hierarchy with an executive-level board, combined data steward/owner roles, and other positions (e.g. data quality custodians). This structure facilitated ease of communication and enabled the client to scale its data management practices.
In the long term, firms should incorporate data governance and management skills into their talent strategy and workforce planning. Given the expertise required and the shortage of qualified people for some data-intensive roles, organizations can consider enlisting the help of talent-sourcing firms while focusing internal efforts on talent retention and upskilling. As companies’ strategic goals and regulatory requirements change, they should remain flexible in adjusting their data governance roles and ownership.
Streamline data policies and procedures
To respond adequately to consumer privacy-related requests for data, organizations should establish standardized procedures and policies across the data lifecycle. This will allow companies to understand what data they collect, use and share, and how those practices relate to consumers.
For example, the CCPA provides consumers with the right to opt out of having their personal information sold to third parties. If a retailer needed to comply with such a request, it would need to be able to answer questions in the following categories:
- Data classification: What data elements pertaining to the consumer does the company have, such as address, credit card information or product preferences? Has the company classified these data elements appropriately, if at all?
- Data lineage: Where did the customer’s data originate and what happens to that data across its lifecycle? For example, does the company only share the customer’s data internally, or does it share the data with marketing and payment vendors to facilitate transactions or personalized ad campaigns?
- Data collection and acceptable use: How does the company currently collect data from the consumer? Does the company have the appropriate consent from the consumer to collect and process their data? If the company shares the customer’s data with external parties, are there appropriate data sharing agreements with those parties in place?
Establishing policies and standards for the above can help organizations quickly determine the actions needed to respond to customer requests under privacy regulations. Companies should communicate policies widely and ensure that they are being followed, as failing to do so can propagate the use of inconsistent templates and practices. At one Metis Strategy client, for example, few stakeholders had sufficient awareness of data management and access standards, despite the fact that the client’s IT department had established extensive policies around them.
Consider technology and infrastructure upgrades
To successfully implement data governance frameworks and ensure privacy compliance, firms may also need to address challenges posed by legacy infrastructure and technical debt. For example, data often is stored in silos throughout an organization, making it difficult to appropriately identify the source of any data privacy issues and promptly respond to consumers or regulatory authorities.
Firms also need to evaluate the security and privacy risks posed by outsourced cloud services, such as cloud-based data lakes. Those using multiple cloud providers may want to streamline their data sharing agreements to create consistency across vendors.
Some technologies can help companies leverage customer data while mitigating privacy risks. In a Metis Strategy interview, Greg Sullivan, CIO of Carnival Corporation, noted that data virtualization enhanced his organization’s analytics capabilities, drove down operational and computing costs and reduced the company’s exposure to potential security and privacy gaps.
Companies can also consider new privacy compliance technologies, which can enhance data governance through increased visibility and transparency. Data discovery tools use advanced analytics to identify data elements that could be deemed sensitive, for instance, while data flow mapping tools help companies understand how and where data moves both internally and externally. These tools can be used to help organizations determine the level of protection required for their most critical data elements and facilitate responses to consumer requests under GDPR and CCPA.
Although legacy technology overhauls can be time-consuming and costly, firms that are decisive about doing so can reduce their privacy and security risks while avoiding other challenges related to technical debt.
Creating an adaptable model
As the global data privacy landscape evolves, organizations should continuously adapt their data governance models. Companies should proactively address their obligations by designing data governance roles, processes, policies, and technology with privacy in mind, rather than reacting to current and forthcoming privacy legislation. Companies doing so can not only improve risk and reputational management, but also encourage greater transparency and data-driven decision-making across their organizations.