Data has undeniable business value, but as the world becomes increasingly digital, the need for enhanced data governance is becoming clear. Since the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect in 2018, we have seen numerous regulations drafted and implemented around data privacy. They have forced organisations to rethink their fundamental approach to data, but the landscape dynamic and constantly changing. Rather than reacting to each of these changes as they happen, businesses need to develop a more holistic and proactive approach. Data governance need not be a burden, if approached correctly. It can be a significant opportunity to build efficiency and improve customer trust.
The shifting regulatory landscape
The GDPR, while essentially a European law, had far-reaching effects, as any business with dealings in the EU must comply. It therefore had a broad impact on the way organisations secure and process customer data.
Although the GDPR was the first of its kind, it is only the tip of the iceberg when it comes enforcing data governance and data privacy today.
The California Consumer Privacy Act (CCPA) in the United States of America (USA) came into effect at the beginning of 2020. South Africa’s Protection of Personal Information (PoPI) Act is due to be enforced this year, and the proposed Indian Data Protection Act will once again change the global landscape around data sovereignty.
The regulatory landscape is constantly shifting as countries and regions implement their own policies around how business needs to handle information. These are only a few examples of the many laws and regulations introduced or in the pipeline.
The impact of regulation on IT and business
All of these laws have similar aims: to improve on the transparency and integrity of data storage and processing. This impacts business as a whole, but typically the onus is on IT to ensure compliance. One of the biggest challenges is data security, driven largely by the fact that organisations do not have a complete handle on their data. Many businesses simply do not know what data they have, why it was gathered, where it is stored, or what sensitive information it may contain. This is particularly true of unstructured data sources.
The need for more effective and transparent data governance means that business can no longer take the approach of collecting everything and finding the value later. Businesses need to ensure they are collecting the right data for the right purpose, otherwise it has the potential to be a liability rather than an asset.
It is vital to adopt a more strategic method to ensure compliance, and imperative to understand what data you already have including what you are allowed to use it for. Data privacy laws state that organisations need to be transparent as to what data is being collected for, and impose heavy penalties if businesses use it for other purposes. In addition, the right controls need to be in place to ensure that businesses are not unknowingly exposed to risk through the use of data for unauthorised purposes. This requires strong data governance.
Data governance is not just an IT problem
Data touches every aspect of business, and data governance affects marketing, security, data management, data retention, legal and more. Simply building a privacy policy or updating a storage system will not lead to compliance. There needs to be organisational effort behind any initiative, with all areas working together to give full visibility into what it takes to be compliant and how this can be achieved.
Compliance, and therefore data governance, are not IT issues, but technology is an important part of tackling the problem. Automation is crucial given the vast volumes of data that organisations have to deal with, and it can be used to effectively augment people and control processes. However, education must form part of any data governance strategy. The human element always introduces risk and the potential for error, and ongoing education is key to solving many compliance challenges.
Get the basics right and take a holistic view
The global nature of today’s business means that the regulations of other countries often need to be taken into account. It is essential therefore to conduct due diligence to identify risk in the territories in which a business operates. In general, compliance with GDPR and CCPA provides a solid foundation, but regional regulations will have their own specific requirements. These may overlap or possibly conflict with other laws, so a simple tick box approach will not result in compliance.
The reality is that there is a plethora of data regulation already in place and more coming down the line. Instead of reacting to every new law as it comes along, taking a holistic view of data management and data governance can simplify compliance challenges.
Instead of looking at compliance as the need to avoid financial penalties, businesses should take it as an opportunity to improve business in the long-term by implementing effective data governance. Compliance represents only the absolute minimum that businesses should be doing to secure data. Moving from compliance to governance ensures businesses only collect and store data that is of value, optimising processes and improving customer trust.