Why governance is critical in the era of data privacy


The never-ending quest to provide better products and services has led to a massive growth in spending on data management and analytics as organisations strive to meet rising expectations.

At the same time, the increased use of consumer data by commercial and public sector organisations has caught the attention of regulators and raised questions regarding how that data is being used and stored.

This has resulted in the introduction of new data privacy regulations around the world. The scope of regulation is also broadening from just covering higher-risk industries such as financial services and health care to encompass almost all businesses that handle consumer data.

According to the research group Gartner, by 2023, 65 percent of the world will be covered by data privacy regulations, up from just 10 percent today.[1]

In New Zealand, we see evidence of increased regulation through changes to the NZ Privacy Act that came into effect on December 1. These changes include the introduction of mandatory data breach reporting and restrictions on the offshore transfer of personal information.

“New user rights and corporate duties all reveal a real need for data governance, but also for companies to gain a new level of data trust that drives business action and value,” observed Stu Garrow, senior vice president of sales, Asia Pacific at Talend.

While the burden of compliance can be significant, which is especially problematic for organisations that operate across multiple jurisdictions, the challenge now is to remain compliant while still being able to use data to deliver exceptional outcomes for customers.

Compliance, however, as an unconditional requirement, should not come at the cost of innovation.

Meeting sovereign requirements

Many new privacy regulations relate specifically to how personal data is transferred and stored. Emphasis is usually placed on the need for it to be stored within the jurisdiction from which it was collected, or in jurisdictions with similar safeguards.

This immediately creates problems in situations where data will be processed and stored in cloud-based systems that are based in another country.

For New Zealand-based organisations, the changes to the Privacy Act mean they must ensure that the transfer of personal data out of the country occurs with authorisation from the individuals it describes or, alternatively, that the data is safeguarded in a way that is comparable to the mandates of New Zealand’s privacy laws. These rules apply to any organisation that conducts business in New Zealand.

However, these remedies are only as effective as the organisation’s ability to apply suitable governance to the use of data on an ongoing basis. This can be challenging in an era where moving data in a non-compliant way is as simple as paying for a cloud service using a credit card.

Exploration of possible solutions

The best path is to implement a comprehensive data governance program that aligns legal, compliance, privacy, and enterprise data management teams. Companies also need to establish data trust by measuring and maintaining the health of their data across a range of criteria, including quality, timeliness, usage patterns and user ratings. This ensures the consistent use of approved and trusted data governance mechanisms and reinforces the importance of compliance to prevent rogue behaviour.

“With several personal data requests coming in every day, organizations must have strong data quality practices in place to ensure the data is accurate, complete, and up to date,” Garrow advised.

This process starts with defining and communicating a robust and easily understood definition of personal data. Clarity can also be enhanced by establishing strong data quality guidelines, such as confirming data ownership, establishing collection and use standards, and defining risk and impact standards, all the way through to implementing compliance controls and enforcement protocols.

More information on this process can be found in the document Data Governance & Privacy Compliance: 16 Practical Steps towards GDPR Compliance with Talend.

The growth in data privacy regulation around the world is a challenge for many organisations. But while the threat of penalties for non-compliance provides a strong incentive for implementing data compliance and governance programmes, these should also be viewed as an essential requirement for building trust with the customers whose data is being managed and stored.

“Collective consciousness is growing throughout the globe, and new regulations are being put in place,” said Garrow. “Now is the time for organizations to turn the risk into an opportunity to improve customer experiences and services.”

With personal data proving so essential to the development and delivery of market-leading services, a strong data governance programme is a requirement that no organisation can afford to forgo.

References

[1] Gartner Projects Major Jump in Data Privacy Regulations; From 10% of the World Covered in 2020 to 65% in 2023 

Copyright © 2020 IDG Communications, Inc.