Healthcare Data Privacy Checkup – The Integris Software 2019 Data Privacy Maturity Study

Integris Software recently surveyed an exclusive community of 258 top business executives and IT decision makers at mid- to large-sized enterprises across six verticals, including financial services, technology and healthcare.

Key findings from the full report included: that most organizations expressed overconfidence in their technical maturity; that a proliferation of data sharing agreements is causing issues across industries; and that data privacy concerns affect a wide range of business decisions, from M&A to machine learning and AI projects.

Healthcare Data Privacy Concerns

In this second part of our series investigating the state of data privacy maturity and security, we analyzed the technical and organizational data privacy maturity levels of leading healthcare organizations.

We found that despite the healthcare industry’s history of stringent privacy regulations, it is not keeping an accurate pulse on the sensitive data it maintains, transmits or acquires.

Even though the industry had the second largest number of cybersecurity breaches and the highest rate of exposure per breach last year, key healthcare decision makers still expressed overconfidence in their data privacy management practices.

Further, within the study findings, organizational maturity for data privacy management scored much higher and more consistently than technical maturity. Although healthcare organizations understand the importance of securing personal data for compliance purposes and invest in it, they were not able to effectively track, monitor or know which data they held.

Top findings from the data and privacy research include…

Misplaced Confidence in Data Privacy and Security: While the healthcare industry shows high levels of organizational maturity when compared to other sectors, it still lacks technical maturity.

In addition, data flowing in and out of data lakes is also a blind spot for many healthcare organizations. Data lakes ingest disparate pieces of customer data from a variety of sources. When combined, this data has the potential to reveal customer identities along with highly sensitive personal information.

  • Within this environment of routine data sharing and collection, more than half (53 percent) of respondents said they needed to access 50 or more data sources to get a defensible picture of where their sensitive data resides.
  • Meanwhile, only 50 percent of respondents update their personal data even once a year, which means they do not hold an ongoing view of the data under their management.
  • This finding contradicts the 70 percent of respondents who claimed to be “Very” or “Extremely Confident” in knowing exactly where sensitive data resides.
  • Even more concerning, only 17 percent could access their sensitive data across the five common data source types.

Industry Regulations Set the Pace: The healthcare industry is better prepared for security compliance mandates than other industries because stringent regulations drive the pace of adoption, leading to higher levels of organizational maturity. But these requirements have also led to overconfidence on the technology side, which is where policies get operationalized across the organization. Healthcare organizations must proactively monitor the data they hold and be able to trust the capabilities of their data sharing partners to protect sensitive information.

  • An impressive 95 percent of respondents had data privacy teams in place, and over a quarter of respondents (27 percent) had data privacy teams of 25 people or more.
  • Organizations were also mature when it came to handling customer consent and communicating when things went wrong. 85 percent had policies, procedures, and mechanisms in place to track customer consent across channels.
  • Healthcare companies were best prepared for GDPR with 35 percent scoring themselves as “Fully Prepared.” No one scored themselves as unprepared.
  • However, respondents were behind when it came to domestic preparedness. Only 16 percent said they were “Fully Prepared” for the California Consumer Privacy Act (CCPA).

Data Powers the Industry: The healthcare industry relies on and requires extensive data sharing amongst providers, insurance companies, specialists and billing parties to function, but this necessity makes it more challenging to keep sensitive data private.

  • A single healthcare transaction may get replicated across a hundred data repositories. Healthcare companies are constantly consuming and sharing information to build better patient profiles and improve outcomes.
  • Additionally, as healthcare companies consolidate through mergers and acquisitions, they acquire unknown datasets and data transfer agreements with new business partners.
  • Fifty percent of respondents had 50 or more data sharing agreements in place. That’s a variance of 20 percent more than all industry respondents. This is probably due to the highly intertwined nature of the healthcare industry (EHRs, insurance, etc.).
  • Respondents were much more confident in their own ability to respect data sharing agreements than their partners’ ability to reciprocate in kind (there was a 61 percent increase in “Very Confident” and “Extremely Confident” levels in their own compliance efforts vs. their partners).


How Healthcare Organizations Can Improve Data Privacy

These study findings and the ongoing data breaches plaguing the healthcare industry paint a dire picture, but organizations can improve their data privacy and security practices. Compliance isn’t enough; to build a more secure future, healthcare organizations need to:

  • Harness current technological tools to continuously monitor and map the sensitive data they collect and store across locations.
  • Avoid blind spots by also identifying and monitoring data in motion, to know what data is entering and leaving their organizations and adhere to data handling policies.
  • Establish and enforce their own data retention policies that go above and beyond current requirements.

While the healthcare industry is outpacing many other sectors for organizational data privacy maturity, its volume of severe security breaches and overconfidence in technical maturity are concerning. We hope this study helps shine a light on these contradictions and encourages organizations to improve the health of their data management systems and processes.


Five things to do to Prepare for CCPA

Requirements for the California Consumer Privacy Act (CCPA) go into effect on January 1, 2020. Like GDPR, the CCPA is broad in its definition of “personal information.” It defines personal information as information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.”

You won’t find the word “household” in GDPR. It implies that personal information doesn’t have to be tied to a specific name or individual (think home address, home devices, geolocation data, home network IP addresses, and the like).

GDPR lesson learned? Don’t do the same work twice.

Many companies started preparing for GDPR by hiring lawyers and consultants to do impact assessments, map out workflows, manually survey data sets, and introduce internal guidelines. This documentation is certainly important. But operationalizing GDPR and CCPA, such that compliance is automated, requires applying this work to a diverse set of data repositories—in addition to leveraging existing IT security tools, and other IT systems (e.g., SIEM, ticketing, data governance). Thus, it’s critical to get your CTO, CISO, data governance team, and chief privacy officer together to do it right the first time.

Five things to do to prepare for CCPA

  1. Establish a team, define responsibilities, and get your CxOs on the same page (business and technologists).
  2. Know which personal data you have and where it resides. Account for all data types—both at rest and in motion.
  3. Understand why and how you’re using your data, and be able to map it back to obligations such as CCPA and GDPR.
  4. Assess existing ticketing tools and other applications to help accelerate data subject access requests (DSAR).
  5. Operationalize and automate early. Use CCPA as an opportunity to apply data privacy automation to GDPR compliance, third-party data sharing agreements, and internal data use policies—on both personal information and intellectual property.

Highlights of CCPA compliance requirements, challenges, and how Integris responds

Using Integris Software, you can identify and tag personal data across any system, apply regulatory rules and contractual obligations, assess risk, and automate actions.

The Right to Access, and Applicability (Sections 1798.100 and 1798.175)

Summary Description of Requirements:

Consumers have the right to request that a business that collects their personal information disclose the categories and specific pieces of personal information it has collected. Personal information isn’t limited to what’s collected electronically or over the internet; it also applies to the collection and sale of all personal information collected by a business about a consumer or household.

Data Privacy Management Challenges:

Not all personal data has an obvious tie back to a user ID (e.g., household data, GPS locations, voice to text, or follower lists on Instagram). Sensitive data has an evolving nature. What’s considered a sensitive category or piece of data today may not be considered sensitive tomorrow, and vice versa.

Understanding derivative personal data is important, yet challenging. For example, food choices on an RSVP card can imply religion.

The number of sensitive data categories a business needs to track varies widely depending on its industry and specific business type.

Categories will often fall into different classifications and schemas (depending on the organization) and have different handling and access restrictions.

Companies may need to limit the sale or transfer of personal information based on its classification level.

Integris Responds:

Integris will never ask you to send us large customer data sets, because we assume all data is identifiable—even if it’s not directly tied to user IDs. By using a combination of contextual awareness, natural language processing, and machine learning, we map all sensitive data elements for complete and accurate results. Using machine learning, our deeper inspection identifies data down to the data element level so as to assess privacy, integrity, and handling violations.

Your data privacy landscape includes a detailed understanding of personal data categories, classifications, and individual data elements—including derivative personal data. You can even create your own definitions of sensitive data or let our machine learning make suggestions for you.

Integris’ ability to handle data in motion is key to helping you understand which data is entering or leaving your organization via data sharing agreements, and the streams and feeds your data scientists rely on for continuous innovation.

Right to Request Disclosure of Information Collected, and Compliance Obligations (Sections 1798.110 and 1798.135)

Summary Description of Requirements:

A consumer shall have the right to request that a business that collects personal information disclose to the consumer the categories of third parties with which it shares personal information, and the specific pieces of personal information it has collected.

For consumers who exercise their right to opt out of the sale of their personal information, businesses must refrain from selling it.

Data Privacy Management Challenges:

There’s often a disconnect between what has been agreed to on paper by lawyers and what’s happening with the actual data. Often, the people who negotiate the contract differ from those shipping the data, causing public embarrassment and loss of consumer trust.

Also, the way contracts are written is not necessarily the way data is represented. The word “location” might appear in a contract, but the data set contains latitude and longitude values. Therefore, businesses must account for how data elements might be combined to fit the legal terms on their data sharing agreements.

Integris Responds:

Integris continuously monitors your sensitive data against data sharing agreements, and ties relevant information back to contractual obligations.

We help you identify data and assign it to categories, giving it classifications such that you have granular control over the use and transfer of customer data.

Right to Deletion, Right to Opt Out, and Disclosure Obligations (Sections 1798.105, 1798.120 and 1798.130)

Summary Description of Requirements:

Consumers have the right to request that a business delete any personal information it has collected about them.

Consumers can, at any time, direct a business that sells personal information to third parties to not sell their personal information. This is referred to as the right to opt out.

Businesses need to be able to associate information, provided by a consumer in a verifiable request, to any personal information previously collected by the business about that consumer.

Data Privacy Management Challenges:

Not all personal data is tied to a user ID. Even without an ID, the individual can still be identified in a data set. By simply mapping IDs to pre-existing metadata, businesses run the risk of creating a false sense of security about the data they have, which security parameters are being applied, and whether they’re in compliance with any regulatory mandate.

Integris Responds:

Integris operates at the data element level to inform you exactly what’s in your data set, not just what the metadata implies. The result? We’re able to support your DSAR effort and map data elements back to a specific consumer for complete and accurate results.

In addition, we can flag issues relating to data residency and retention, misclassification and mislabeling, and security issues, such as lack of encryption for highly sensitive data.

Integris makes it easy to respond to data subject access requests. Customer service reps can input data, find requested information, and share it back out with customers. They can preview DSAR reports, add private notes, and send them to the next step in your workflow.

Integris integrates with your existing ticketing system, and provides detailed logs for internal audits and compliance needs.

This second post of our two-part series provides an overview of the data governance market, vendors, and tools. In part one, we provided an overview of the practice of data governance.

List and Online Reviews of Data Governance Vendors and Tools

The variety of vendors in the data governance market is quite wide. The list below narrows the selection down to some of the leading products on the market, recognized by industry experts such as the Forrester analyst group, the Gartner analyst group and Information Management magazine.

According to the report The Forrester Wave™: Data Governance Stewardship And Discovery Providers, Q2 2017, the main objectives of these solutions are to:

  • Manage data policies and rules centrally. Data stewards, including business and tech management stakeholders, use these tools to improve the quality, uniqueness, security, privacy, and life cycles of their data. Better data governance and reporting help improve process efficiency, reduce tech management and business risk, enforce compliance, and improve trust.
  • Discover and document data sources. Data stewards must do this for all internal and external data sources — both to meet regulatory requirements and to support the new usage of data within systems of insight.
  • Manage compliance with evolving regulations. New data projects must determine which policies and rules will affect them and how to manage these requirements.
  • Industrialize privacy management. This includes broader regulations like the European Union’s General Data Protection Regulation (GDPR), which affects many roles across the enterprise.

Gartner calls this market Metadata Management Solutions, citing data governance as one use case of those solutions. Gartner published a Magic Quadrant for Metadata Management Solutions in August 2018, and we’ve included the solutions from that report in the list of tools below.

Here, then, in alphabetical order (i.e., not ranked order) are some of the leading data governance/metadata management vendors with products on the market today.

Adaptive Inc.

Adaptive Metadata Manager

Founded in 2002, Adaptive is a global company headquartered in Aliso Viejo, California. The company has fewer than 100 employees.

Adaptive offers standards-based solutions that help organizations better align their valuable information by supporting specific management challenges, including Data Governance, Data Quality, Metadata Management, Enterprise Architecture Management and IT Portfolio Management, while ensuring knowledge is retained as systems evolve. Adaptive is positioned in the Visionaries quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

The Adaptive Metadata Manager product comprises a number of highly configurable software components that provide an organization with the eight core capabilities required to govern and improve virtually any data-driven business capability. These capabilities are: Data Lineage, Data Quality, Impact Analysis, Business Terminology, Business to Technical Traceability, Version Management, Change Approval Workflow, Stewardship, and Automated Harvesting & Stitching.

Alation Inc.

Alation Data Catalog

Alation is headquartered in Redwood City, CA, USA with major offices in London and India. The company was founded in late 2012 and is currently in late-stage venture funding with 10 investors. Alation has between 100 and 250 employees. Alation falls into the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

Alation offers a metadata catalog focused on supporting analytics. Its product features customizable dashboards and alerts for data stewards and non-technical business. “We believe that enterprise data catalogs are core to building a data culture. Data catalogs will fundamentally change the way data consumers, data creators, and decision-makers find, understand and trust data.”

Use cases for this solution include collaborative analytics, governance for insight, Hadoop search and discovery, Redshift search and discovery, and Tableau data catalog.

The solution can be deployed on-premise or in the cloud.

ALEX Solutions

ALEX

ALEX Solutions is a start-up company based in Melbourne, Australia. It was founded in January of 2016 and has approximately 65 employees at this writing. Despite its start-up status, ALEX Solutions finds itself in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

This cloud-based data governance solution is designed to support business and technical users. Its key features are structured and unstructured data scanners, profiling, data usage tracking, and simple value and impact ratings. The solution is able to automatically classify sensitive information and determine which users can access it based on their predefined roles. The product strategy is focused on establishing an enterprise data marketplace, a collaborative platform through which enterprise data can be managed and shared with stakeholders to leverage the business value of enterprise data assets.

Use cases for this solution include privacy, governance risk and compliance, risk portfolio simplification, data risk management, data governance and strategy, and asset simplification.

ASG Technologies

Enterprise Information Management Suite

Founded in 1986, the company is headquartered in Naples, Florida. The company has more than 1,000 employees.

ASG’s Enterprise Information Management portfolio of products help customers become Information Companies in this era of digital transformation. They manage a high volume of information, create understanding and trust, and deliver this information into processes and applications that are transforming businesses. The solution suite is in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

BackOffice Associates

Data Stewardship Platform

This company was founded in 1996, but a majority stake was sold to Bridge Growth Partners in 2017. It is headquartered in Hyannis, Massachusetts with offices throughout the U.S., Europe, Asia Pacific and the Middle East. The company has approximately 1300 employees.

BackOffice Associates is an enterprise information data governance and data stewardship solution provider that supports the data management journey from migration, archival, data quality, and analytics to data governance and master data management. It provides data scanners, data profiling, data quality, and collaboration, and a basic but useful data valuation approach. BackOffice Associates is addressing new domains for data governance, including complex privacy governance as required by GDPR.

The solution can be deployed on-premise or in the cloud.

In September 2018, BackOffice Associates was named to Big Data Quarterly’s 2018 Big Data 50. The list honors forward-thinking companies that are working to expand the possibilities in collecting, storing, protecting, and deriving value from data.

Collibra Inc.

Collibra Data Governance Center

Collibra was founded in mid-2008 as a spin-off from STARLab at the VUB University of Brussels. It’s currently in late-stage venture funding, with investors including the Brussels Imagination, Innovation and Incubation Fund, Brustart (GIMB), and business angels. Collibra is headquartered in the greater New York City area. The company has local offices in North America and Europe, and a presence via partners in Asia, the Middle East, and South America. Collibra has between 251 and 500 employees. The solution is in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

A provider of data governance and catalog software, Collibra helps organizations across the world gain competitive advantage by maximizing the value of their data across the enterprise. The Collibra solution is purpose-built to address the gamut of data stewardship, governance, and management needs of the most complex, data-intensive industries. The flexible and configurable cloud-based or on-premises solution puts people and processes first – empowering every data citizen to find, understand and trust the data to unlock business value.

Among the many use cases are data lake management, data distribution (search/shop), and report certification. The solution can be deployed on-premise or in the cloud.

DATUM LLC (an Infogix company)

DATUM Information Value Management

The company was founded in March of 2009. Its main contact office is outside Chicago, Illinois. There are between 51 and 100 employees. Gartner places DATUM in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

DATUM offers a metrics-focused, SaaS-based platform for enterprise-wide “system of record” governance and digital transformation. The product integrates with existing data quality and MDM tools with data automation, workflow and metadata. It makes “data shopping” possible by making data assets findable, understandable and accessible through automated data discovery search.

Use cases include analytical insights, reporting and compliance, and operational excellence. The solution can be deployed on premise or used as a SaaS offering.

erwin Inc.

erwin DG

Parallax Capital did a leveraged buyout of the company in March 2016. erwin is headquartered in the greater New York City area and has between 101 and 250 employees. erwin has been named to CRN’s 2019 Big Data 100 list for Big Data management and integration, recognizing it as a ground-breaking technology supplier.

erwin DG is a SaaS product that uses a role-based UI. It provides an integrated business glossary, data dictionary and catalog. It integrates via a common metadata repository with erwin data modeling, enterprise architecture and business processes. Among the use cases are regulatory compliance, analytics and Big Data, decision making, reputation management, and customer satisfaction.

erwin DG is a SaaS offering that is sold through a global partner network.

Global Data Excellence

DEMS (Data Excellence Management System)

This privately owned company was founded in 2007. It is headquartered in Geneva, Switzerland and has fewer than 50 employees.

This solution uses artificial intelligence and semantics to automate data governance, business excellence, and analytics. The company leverages advanced university research in semantic models and AI to automate numerous, currently painful manual tasks for data governance.

Global Data Excellence earned the excellence prize from the European Commission’s Horizon H2020 research and innovation Programme with the corresponding grant. DEMS scored 13.88 out of 15 whereas the excellence threshold is 13. DEMS is considered by the EU as an alternative future technology for the creation of a new society of excellence governed by value as a response to the Artificial Intelligence and governance technologies coming from the US.

The product can be deployed on-premise or in the cloud.

Global IDs

Data Governance Solution Suite (DGSS)

Founded in 2001, Global IDs is a privately funded company with between 100 and 250 employees. It is headquartered in Princeton, New Jersey.

DGSS is a comprehensive suite of applications that allows organizations to govern their core data assets in a systematic way. In order to create a foundation for data governance, DGSS performs four core activities: Data Discovery, Data Profiling, Data Quality, and Master Data Integration. Among the use cases are metadata governance, master data governance, reference data governance, and Big Data governance.

Global IDs appears in the Visionaries quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

IBM

IBM Stewardship Center and Information Governance Catalog

This venerable company was founded in 1911 and is headquartered in Armonk, New York, with operations in over 170 countries. IBM has more than 366,000 employees worldwide.

This product offers a common data governance layer across standard and enterprise MDM server editions. It enables an organization to create diverse policies defined in natural business language. Stewardship Center provides data stewards, data steward managers, and data source owners with a central browser-based interface where they can collaborate on and manage data quality issues. Information Governance Catalog (IGC) is a web-based tool that enables exploring, understanding and analyzing information. This solution can be deployed on-premise or in the cloud.

IBM appears in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

Informatica

Axon Data Governance

Informatica was founded in February 1993 and is headquartered in Redwood City, CA, with offices around the world. The company has more than 3600 employees. Informatica appears in the Leaders quadrant of the Gartner Magic Quadrant for Metadata Management Solutions as well as in the Gartner Magic Quadrant for Data Quality Tools.

This product is the collaboration hub for successful data governance programs. It uses the power of AI and machine learning to automate today’s most challenging data governance tasks: finding data, measuring its quality, and locating the right people to help govern it. Data stewards everywhere have access to trusted data and the ability to access it, act on it, and implement governance processes. The product can be deployed on-premise or in the cloud.

TIBCO Software (formerly Orchestra Networks)

TIBCO EBX

Orchestra Networks was founded in 2000 and acquired by TIBCO Software in December 2018.

TIBCO/Orchestra Networks offers an integrated master data management/master data governance/reference data management product. EBX lets users manage, govern and share any and all data assets, including master data, reference data and metadata, because effective data management often requires more than a point solution. It features linkages between conceptual and physical data, and it can run as standalone data governance or be integrated with Master Data Management. It can be deployed on-premise or in the cloud.

For the third consecutive time, Gartner has named TIBCO EBX a Leader in the Magic Quadrant for Master Data Management Solutions.

SAP SE

SAP Master Data Governance

SAP was founded in June 1972. The company is headquartered in Walldorf, Baden-Württemberg, Germany with regional offices in 180 countries. It has nearly 90,000 employees worldwide.

This product offers ready-to-use governance applications integrated with SAP ERP. It has a predefined and extensible data model; prebuilt and flexible workflows; and multi-mode data replications. It is listed in the Visionaries quadrant of the Gartner Magic Quadrant for Metadata Management Solutions.

Utopia Global Inc.

Utopia

This privately-owned company was founded in 2003. It is headquartered in the Greater Chicago area and has approximately 400 employees.

As SAP’s worldwide software partner for master data governance, Utopia is the exclusive developer of solution extensions for SAP Master Data Governance focused on enterprise asset management, retail and fashion. The company’s solutions help organizations migrate to SAP S/4HANA® leveraging MDG as the bridge, and maintain data integrity between digital twins, across multiple systems of record.

451 Research Analyst Report Says Integris Addresses the ‘Missing Link’: Automated Remediation and Control of Sensitive Data Once It Is Identified

As data privacy and data protection regulations around the world continue to proliferate – each with its own nuances and requirements – many enterprises are now struggling to identify data down to the data element level and create cohesive human processes to manage data and control workflow. Given escalating volumes of structured and unstructured data, the need for automation is a given.

No single software product can make an organization compliant with GDPR, CCPA or similar regulations, so the enterprise typically employs several solutions. However, there is often a gap in tooling when multiple products are in place: the step of automatically enacting appropriate policy on sensitive or personal data once it has been identified. This is the layer of control that Integris helps customers to implement, and it’s a critical one for continuous, defensible compliance. Integris makes extensive use of automation and machine learning, for both detection of sensitive data and assignment/execution of policy, which are necessary given escalating volumes of enterprise data that cannot be manually evaluated and assigned protective policies.

In a new report published in March 2019, the analyst firm 451 Research outlines how Integris Software helps companies achieve their comprehensive data control objectives through automation. We are pleased to make the full report, Integris Software leverages automation for continuous data privacy compliance, available for complimentary reading. Here are a few highlights from the report:

  • Integris Software is designed to help automatically detect sensitive and personal data, and importantly, automate remediation and policy execution once that data has been identified. The company calls its approach “data privacy automation”, and these capabilities ensure that data is automatically protected with appropriate measures once it has been identified.
  • At a high level, the Integris platform provides a data privacy hub for multiple stakeholders including CIOs, CTOs, CDOs, CISOs and CPOs, as well as various lower-level practitioners.
  • Tools for visibility into where sensitive data resides, and the ability to automate policy actions on that data, help ensure that data isn’t just discovered and documented, but that an appropriate control workflow is kicked off as well.
  • Integris’ capabilities can be leveraged as a data logic layer, so organizations can add and control any type of rule to any type of data, for any use case, not just regulatory mandates. Privacy is simply the ‘tip of the spear.’

Read more about what 451 Research has to say about Integris Software’s approach to data privacy automation here.

This first post in a two-part series provides an overview of the practice of data governance. In part two, we’ll review a list of top data governance vendors and tools.

Best Practices to Support an Enterprise Data Governance (aka Metadata Management) Program

Data is the lifeblood of every enterprise organization. Therefore, companies must ensure that the data used in their business processes is consistent and trustworthy. This is critical as more organizations rely on data to make business decisions, optimize operations, create new products and services, and improve profitability. The formalized process of caring for data is known as data governance (DG).

What is data governance?

The Data Governance Institute says data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.” Here’s a more straightforward definition: “Data governance is the overall management of the availability, usability, integrity and security of data used in an enterprise.”

Data governance includes the people, processes and technologies needed to manage and protect the company’s data assets in order to guarantee generally understandable, correct, complete, trustworthy, secure and discoverable corporate data. Typically, DG includes a governing body, well-defined procedures and a plan for implementing those procedures.

What does a data governance program include?

A solid DG program establishes internal policies for data use in order to minimize risk and to better position the organization to implement and meet compliance requirements, such as for HIPAA, CCPA or GDPR. A good program can increase the value of the data by defining how and when it can be used for different business purposes, and by making it available to the appropriate users. For example, digital transformation and data readiness are top priorities for large enterprises striving to deliver more agile business models based on data transparency, data standardization, predictive analytics and high-quality data sets.

What is data stewardship and what are data stewards accountable for?

A major objective of data governance is to assure data quality in terms of accuracy, accessibility, consistency, completeness and updating. Thus, a DG program necessitates the appointment of one or more stewards who are accountable for various portions of the data. Large enterprises often appoint teams of data stewards to guide the data governance implementation. Data stewards work with individuals throughout the organization to help ensure data use conforms to a company’s data governance policies.

What are data governance goals and best practices?

One of the goals of data governance is to ensure that data meets the needs of the organization. Other goals include resolving issues related to data, reducing the costs of managing it, and positioning data as a highly valued asset within the organization. There is much work to be done by everyone involved. While each company may take its own approach to data governance, here are a few best practices from the consulting firm Consolidated Technologies that have helped many organizations through the process over the years.

  • Identify Benefits and Opportunities – Focusing on the benefits that data governance provides can help you in creating your data governance strategy and help motivate people within the organization to improve how they manage data. When beginning to develop your data policies, take a look at your current practices and opportunities that improving them could provide. You can then develop your strategy around taking advantage of those opportunities. Implementing a significant change within an organization is challenging, and having buy-in from others in the company is critical for success. Identifying the potential benefits of data governance can help get buy-in from upper-level management, which is necessary for launching such an initiative. You also need buy-in from others who handle data at all levels of the organization. When people understand the reason for implementing a change, they may be more motivated to do the work needed to make it. Some of the benefits of data governance include improved data quality, better decision-making, enhanced operational efficiency, regulatory compliance and increased revenue.
  • Start Small – Data governance requires participation across your entire organization and can involve complex systems, numerous groups of people or large amounts of information. Getting started with data governance can be intimidating. Starting small can help and may, in the end, lead to better results. Although your overall goal in your data governance is large, it’s advisable to start with just one business area or data issue and expand from there. Break your larger overall program down into smaller steps for a better chance at success. Starting with one area makes the organizational change more manageable. It allows you to test out ideas and processes to determine what works best. When you move to the next area after your initial roll-out, your process will be more refined and therefore more efficient and cost-effective.
  • Measure Progress – Measuring the success of your data governance framework through the use of metrics is critical for meeting your data goals. It helps you to ensure that you’re on the right path with your data management and helps you determine what parts of your strategy are working well and what parts you should change. Metrics are also essential for demonstrating the benefits that a data governance framework has for a company. The kinds of metrics you should measure depend on your goals. Choose metrics that help you determine if your framework is fulfilling its objectives.
    What Data Governance Goals Should You Measure? (metric – definition)
      • Data quality scores – You can measure the quality of your data according to its completeness, accuracy and timeliness. Measuring data quality in the same way across the organization will make your data quality metrics more useful.
      • Adoption rates – For a data management strategy to be successful, you need people to implement it. The rates at which people within your organization are complying with your standards and procedures can help you determine if your system is working.
      • Number of risk events – Bad data management can result in inaccurate decisions, lost clients and fines from regulators. Data loss and cybersecurity incidents can be especially costly. In fact, downtime caused by data losses can cost many thousands of dollars each day. Data governance aims to reduce the frequency and severity of these events. Analyzing these events over time will tell you if your system is succeeding in this.
      • Data rectification costs – Data governance aims to fix bad data as early in the process as possible or prevent it altogether. Fixing bad data comes with costs, especially when the problem has existed for longer. Data governance should reduce data rectification costs over time.
  • Communicate – Data governance is about data, but it’s also about people. You need strong internal communication for a data governance plan to work. Communication plays a role in every stage of creating and implementing a data governance strategy. As part of creating your data governance framework, you should also establish a strategy for communicating about it. Early in the process, you need to convey the benefits of data governance to get buy-in. Communicating the successes of the strategy through the use of metrics can help cement buy-in and keep people motivated to participate. It’s also essential that the group in charge of the implementation clearly communicates what the roles of each participant in the data management strategy will be. Each participant should have a clear understanding of what their goal is and the guidelines they should follow in accomplishing their goal. As you assess your strategy, you’ll also need to communicate about any changes you have to make to it. Those affected by the changes should understand why they’re making them and how to do so. Without proper communication, misunderstandings and lack of buy-in can cause problems in implementing a data strategy. With strong communication, however, you have a much higher chance of success.
  • Make It Continual – An essential aspect of data governance is that it’s a practice, not a project that you set aside once it’s finished. Data governance doesn’t have an end date like a typical project does. Instead, it requires fundamental changes to the way a business operates. People within the organization will need to incorporate the standards and procedures into the way they do their jobs for data governance to be successful. You’ll also need to make decisions about how to handle data as needs change, data volume increases or you start gathering new types of data. Your standards and policies can guide these decisions, but you’ll need to make them in real time. It’s also critical to periodically review your data management policies and strategies, evaluate their effectiveness and make any changes needed to improve them. This requires keeping track of metrics to determine what works well and what does not for your organization.

Source: Consolidated Technologies, Inc.

In part two of this blog post, we’ll dive into the data governance market and provide a list of top data governance vendors and tools.

Government mandates, data sharing agreements and spreadsheets sow confusion amid an avalanche of private data

Companies are inundated with data. A single bank transaction might get replicated across a hundred data repositories. Companies are constantly purchasing data from third parties to build better customer profiles. In addition, as companies consolidate through mergers and acquisitions, they acquire completely unknown datasets and data transfer agreements between business partners. In this environment, it’s no wonder that respondents’ data privacy programs scored much lower on technical maturity than on organizational maturity.

Survey Demographics and Firmographics

258 respondents completed the survey, each of whom had to meet the following minimum criteria:

  • Reside in the USA
  • At least “Somewhat Knowledgeable” on how data privacy and data security are managed at their current company
  • Mid to senior level professionals and executives
  • 500 employees or more (62.4% had over 5,000 employees)
  • $25 million or more in annual revenue (69.38% had over $1 billion in annual revenue)
  • Functional roles/areas had to be in IT, general management, or risk and compliance

Key Findings:

Data privacy management overconfidence: 40% were Very or Extremely Confident in knowing exactly where sensitive data resides despite taking inventory only once a year or less, and a mere 17% of respondents are able to access sensitive data across five common data source types.

Data privacy impacts much more than regulatory compliance: Enforcing internal data handling policies like classification and retention was cited 69% of the time. Proving compliance with business obligations like data sharing agreements was cited by 63% of respondents. About one third of respondents cited the impact on M&A due diligence (34%) and data lake hygiene (32%). About a quarter of respondents (24%) viewed data privacy as impacting the delivery of AI / ML projects.

The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements. 40% of respondents had 50 or more of these data sharing agreements in place. However, respondents reported being 43 percent more confident in their ability to be compliant compared to how they perceived their partners.

Data privacy management budgets reside in IT departments: About 50% of data privacy budgets are concentrated in IT departments.

Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

Download the full report here

Do you conduct interstate business in the US? Prepare now for CCPA.

The California Consumer Privacy Act was passed in June 2018 and goes into effect in January 2020. Although it’s ostensibly a state law, CCPA is trying to forge a de facto standard for data privacy in the US in the absence of federal legislation. CCPA is similar to GDPR in that it uses economic presence to urge other regions – US states – to adopt similarly high standards. But GDPR and CCPA do have their own requirements and nuances, and a compliance program specifically architected to address GDPR will not necessarily translate. Businesses with interstate operations will need to take a more holistic and less regulation-specific approach to data management and compliance to remain competitively viable.

The analyst firm 451 Research published the report The California Consumer Privacy Act: not just ‘America’s GDPR’ in March 2019. Integris Software is pleased to offer complimentary access to the report to help companies understand and prepare for the requirements of CCPA. Here are a few highlights of the report:

  • Data privacy and data protection around the world has reached a tipping point. The EU’s GDPR, in effect since May 2018, has been a model for other countries concerned about consumer privacy protections. Moreover, individuals are becoming more aware and more educated regarding the value and sensitivity of their data. 
  • How companies handle individuals’ personal data affects consumer trust and confidence in those companies. A recent 451 Research survey shows that 26% of US consumers are less trusting of US businesses than they were one year ago. Significantly, 90% of the survey respondents expressed concern about the ability of the companies they do business with to adequately protect their personal data. 
  • Most large businesses in the US have California residents as customers, thus pressing the adoption of CCPA’s standards elsewhere in the nation. Other states are in the process of developing their own privacy laws. What could result, in the absence of a federal standard, is disparate privacy requirements in the US, with each state having different protections for its residents. 
  • GDPR and CCPA have much in common in their core principles, but they also differ significantly in the details. It’s key for organizations to tackle core, shared requirements at the architectural data management level and address individual nuances of each regulation with tools higher in the stack only as necessary. Such an approach allows for flexibility amid evolving regulations, and ultimately, cost savings.
  • Data privacy and data protection regulations are largely more process-oriented than they are technology-oriented. Investment in platforms that help coordinate processes across various data protection and data privacy stakeholders can especially benefit the business, even when these platforms do not exert direct control on data themselves.

Learn how GDPR and CCPA are similar as well as how they differ. Read the full 451 Research report here.

Nine industry experts provide sage advice on how to protect your customers’ sensitive data in 2019, as well as some things you should NEVER do

C-suite execs have a lot on their plates when it comes to protecting their customers’ sensitive data in 2019. Please tell us:

1)  What’s one sage piece of data privacy management advice or tip to help them in 2019?

2)  What’s one thing they should never do, or a pitfall to try to avoid in 2019?


David Hoffman

Associate General Counsel and Global Privacy Officer, Intel, Inc.

@hofftechpolicy

1)  As we move towards a more data-centric economy, understanding what data an organization has, and how it is being used, is critical for both shareholder value and protecting privacy. Organizations need to build the right processes to map where their data is, how they can make innovative use of it, and how they will show they are accountable to the individuals to whom the data pertains.

2)  An organization should never rely solely upon third parties to have access to data without showing they will be accountable for how it is used. Upstream and downstream data inventory management will be critical in 2019.


Cameron Etezadi

Deputy CTO, SAP Concur

@cetezadi

1) Modern enterprises move data through streaming pipelines, where it can be hard to protect provenance and canonicity. Tracing where the data ends up is as essential as protecting the data itself. Once you publish data internally, it can be very hard to control where it goes or how it’s used. Enterprises should implement strong controls and good hygiene in establishing trust and access – and then verify the results.

2) Avoid playing “catch up”; many organizations end up “compliant” at a point in time but gradually fall apart as new software is written or deployed, new people join the organization, etc. Protection is a process that many organizations fail to bake into the upfront architecture of their projects and then scramble towards when it’s too late. It’s too easy to leave holes, pay too much, or find yourself in an impossible situation if privacy is always a bandage applied at the end.


Jennifer Leggio

Chief Marketing Officer & VP Operations, Flashpoint

@mediaphyter

1)  Engage in external collaboration and information sharing. There are a number of secure, trusted communities that facilitate these activities among security and privacy practitioners, so if your company isn’t already a member, join one. These communities range from large and industry-specific, such as the various ISACs, to small and vendor-specific, but all exist for the same reasons: to provide like-minded experts with the means to quickly and easily share relevant information with, and seek guidance from, other like-minded experts. Doing so can expose your company to greater resources and expertise that can help you to better protect your customers’ data.

2)  Never conflate compliance with security. GDPR, for example, has fueled great progress in how companies address the privacy of customer data, but the standards it enforces are by no means sufficient for securing customer data. This is largely because there are many critical areas of security that GDPR does not regulate, including encryption, security awareness and education, business continuity and penetration testing, and technical and policy controls, to name a few. The same goes for similar compliance bodies such as PCI DSS and HIPAA. Just because a company is deemed compliant does not mean that its customers’ data is fully immune to compromise. Compliant businesses can and do experience data breaches, which is why achieving compliance should never be viewed as an end goal—but rather as one of many essential components of a comprehensive security strategy.


Kristina Bergman

Founder, CEO at Integris Software

@KristinaKerr

1)  Know where your data is. When I was working in venture capital five years ago and first started researching the data privacy space for investment purposes, I found that the biggest glaring problem was that no one knew what data was where, let alone if they were in compliance with any laws, contracts, or other business obligations. The foundation to complying with any law, whether it’s GDPR or CCPA or any of the other new bills being considered, is to know what data you have.

2)  Never assume that your work is done just because you’ve got great policies and procedures in place. A key component to ensuring compliance, or at least defensibility, is the operationalization of those policies and procedures. Being able to audit your data sources to prove compliance with the law is critical to protecting your brand and reputation.


Marc Groman

former Senior Advisor for Privacy in the Obama White House
former Chief Privacy Officer of the Federal Trade Commission
Principal, Groman Consulting Group LLC
Adjunct Professor, Georgetown University Law Center

@MarcGroman

1)  Today, data often is a company’s most strategic and valuable asset. Companies must treat it that way, by implementing a comprehensive, enterprise-wide, continuous and risk-based privacy and security program. Step one – know what data you have.

2)  Never make assumptions about the data your organization collects, creates and stores. Rely on facts, evidence, and documentation.


Barbara Cosgrove

Chief Privacy Officer, Workday

@cosgrove_barb

1)  Privacy will be center stage in 2019, so be proactive and reevaluate your processes to ensure that you not only remain GDPR compliant but also anticipate any future U.S. and global privacy legislation that could be coming in 2019. Start by establishing a cross-functional taskforce to perform an assessment of your current state of compliance. During this process, take the time to understand what’s been successful and where there have been challenges from a business perspective prior to introducing new processes. Once you’ve done that, map new laws and regulations to your existing controls and processes, and determine where you may be required to implement changes. Once implemented, be sure to set a regular cadence for the taskforce to regroup to assess compliance.

2)  With new regulations like the California Consumer Privacy Act (CCPA) in the pipeline, be sure you don’t evaluate them in isolation. Build a comprehensive privacy governance framework, which enables you to continually re-assess your compliance with existing privacy regulation like GDPR and emerging ones.


Mark Kraynak

Entrepreneur, Venture Partner, Aspect Ventures

@AspectVC

1)  Get a handle on employee/contractor off-boarding. Latent privileges are a big, unnecessary risk. Also, automate your process of understanding what sensitive data you have. Most organizations have too much data in too many places for human processes to be reliable or consistent enough to be effective.

2)  Don’t stop at Encryption. The most common pitfall I see is when I hear someone’s answer about data security is, “We encrypted our data, so we don’t need to do anything else.” Encryption is good for mostly bulk, mostly static use cases, but tends to fail for data in use.


Paige Bartley

Senior Analyst – Data, AI & Analytics at 451 Research

PaigeBartley
@451Research

1)  View data protection and data privacy as an opportunity, rather than a burden. There’s a pervasive enterprise perception that consumer controls for data will result in less analysis and insight, or that privacy controls somehow “lock down” data. This misses the bigger picture. Data-driven regulation, such as GDPR and similar mandates, all share the same common requirement of strong, granular control of data at the architectural level. Strong control of data, in turn, has downstream benefits for other proactive data-driven initiatives within the organization. A robust data protection and privacy program, implemented enterprise-wide, has benefits for data quality, coordination of self-service access rights, and building consumer trust. At a high level, data privacy and data protection requirements are a golden opportunity to reconsider and optimize data management architecture and practices.

2) We’ve officially entered the data protection and privacy era, and the enterprise can no longer have a combative attitude towards compliance if it wishes to remain competitively viable. The biggest pitfall is viewing data privacy or data protection requirements as a list of burdensome technical “checkboxes” that need to be ticked off one by one for each new regulation. This view of the individual trees misses the broader forest: the core principles that are shared across regulatory frameworks. Implementing new siloed tools and new processes for each new regulation is not sustainable, economical, or scalable. Instead, organizations need to focus on optimizing underlying data management architecture and workflows from the ground up. Focus on the core commonalities, rather than the differences, between regulations. From there, implement highly-specialized point solutions higher in the stack only when necessary.


Craig Speizle

Managing Director, Agelight Digital Trust Advisory Group
Founder & Chairman Emeritus, Online Trust Alliance

@craigspi
@onlineintegrity

1)  2018 will likely go down as the year of questionable ethics. From the data sharing and mining practices of Facebook, Google and most recently the Weather Channel’s app, to the abuse of social networks, we all need to be concerned. All too often these entities who were supposedly “stewards of our privacy and trust” appear to have acted unethically. While executives need to be held accountable, one has to also question employees who failed to come forward and follow their own moral compasses. Our industry is at the center of a seismic change with the convergence of big data and artificial intelligence (AI). The oceans of digital information and low-cost computing power are providing endless marketing opportunities. At the same time, we are being confronted with ethical dilemmas challenging users’ digital dignity and redefining privacy norms.

My big focus for 2019 is Data Ethics: the convergence of big data, AI and Ethics. I have been steadfast on the need to move from compliance to stewardship. Ethics is an extension to this in light of the practices and what I call “data laundering,” which is occurring.

The question at hand is: Can industry and governments be trusted to responsibly regulate AI? Second, how can ethical guardrails be developed to help prevent abuse? There is no question AI will have a profound effect on how marketers engage consumers. Done right, consumers will get better and more relevant ads, content and services. This can be a win-win, but only if we get it right and address the ethical unintended consequences in advance.

2)  The one thing executives should avoid is remaining silent. They need to question their business and data strategy and not fall silent like so many employees at offending companies have. The question is, are they willing to follow their moral compass and rise above compliance?

Feel like data privacy and protection requirements are a chore? Turn them into a business advantage.

Most organizations view data privacy and data protection regulation such as GDPR and CCPA as a costly and time-consuming burden. However, the core data management capability required for compliance – granular data control – is also necessary for proactive leveraging of data for business purposes. Companies should view data control and architectural optimization as a strategic opportunity to uncover hidden insight and benefit their data-driven business initiatives.

The analyst firm 451 Research published the report Architectural data control: turning privacy requirements into a blessing, not a curse in January 2019. Integris Software is excited to make the report available to help companies see the dual-sided benefits they can derive from holistic data control. Here are a few highlights of the report:

Both regulatory compliance and effective leverage of data share the common requirement of granular data control. Today’s data privacy and data protection requirements, then, should be viewed by the enterprise as an opportunity to optimize data management architecture from the ground up.

  • Organizations cannot protect or provide privacy controls for data if they cannot quickly and consistently locate data, identify and resolve duplicates, accurately associate personal information with identities, and enforce policies. Both structured and unstructured data must be controlled with the same rigor.
  • With strong data control capabilities, the effects of silos are minimized, resulting in the ability to aggregate and analyze diverse data sources in a more contextual way. Data privacy and data protection mandates effectively shift the balance of power back from data quantity to data quality.
  • When consumers or data subjects are given more choices over the use of their data, trust is fostered. When a trusting relationship is built, consumers voluntarily provide more accurate information over time. Consumer trust, in turn, is correlated with more profitable lifetime relationships, lower churn, and more positive word-of-mouth presence in the market.

In summary, data control is the common requirement for both reactive compliance and proactive data leverage capabilities. It is also essential to building the trust with consumers that drives long-term profitability. If the enterprise is to strategically fulfill compliance requirements while maintaining the ability to competitively maximize the insight it derives from data, it must optimize its data management architecture and strive toward a unified view of data.

Learn more about the myriad benefits of architectural data control in this complimentary 451 Research report here.

5 Ways to Ensure Your Data Storage Systems Protect Customer Data

This article first appeared in TheNewStack.

Five-hundred million. That’s how many individuals recently found themselves getting a notice that their personal information had been compromised in the recent Marriott data leak. The seemingly endless disclosure of major breaches (another 100 million from Quora was announced as I started writing this article) is causing an awakening among consumers and regulators.

Marriott’s database was hacked and malicious actors had unfettered access to its data, but many companies struggle to maintain control of the private data that their employees, partners and customers entrust them with even without a breach. The sad fact is that customers no longer trust organizations to protect their data and therefore are very concerned about the type and volume of private data that organizations hold. It’s not enough to claim security best practices. Customers want to know what private data companies hold and why.

Data protection is the responsibility of all of the technical teams at a company. But data storage administration and configuration are crucial in ensuring that the private data is protected, whether it be customer PII or your research team’s IP. Here are five tips to help ensure that data is handled responsibly.

1)  Know What, Where, and How Much Private and Sensitive Data Is Held by the Organization

This is often easier said than done. Traditional solutions like Data Loss Prevention have promised to find and classify our data, but scalability issues, the inability to identify data in motion and lack of accuracy continue to plague DLP offerings.

Modern technologies such as Docker containers and Kubernetes clusters running in auto-scaling cloud platforms such as AWS, Azure and GCP can eliminate scalability issues. We often find the largest volume and highest rate of data collection to be in big data lakes. It can be very useful to make use of the compute power built into such data lakes, in the form of MapReduce jobs, to scan, label and classify data at scale.

Data knows no boundaries. Private and sensitive data can be anywhere. Efficiency means having visibility into your data — whether it’s structured or unstructured, in a traditional DBMS or big data lake, out in the cloud or in your data center.

So, while you’re in the process of discovering data, it’s not enough to look only where it should be. You must have the capability to search, discover and classify data everywhere it resides.

2)  Map the Data Journey

Data is often the currency of business today, which means that data is constantly moving throughout the customer or product journey. Data is either a byproduct of customer activity or is actively requested and collected. Data is bought and sold to other organizations. And as a result of this data in motion, private data can be exposed in channels that aren’t designed to hold it.

While I wouldn’t ever put my private details such as account number or password into the chat box that seems to pop up on every website offering to help, my mother does this all the time. While providing such a service is important and valuable to the business, monitoring data traveling through these channels is critical to ensuring that private and sensitive data is kept in the proper location and scrubbed from areas such as chat logs.

It’s imperative to identify all the places where data moves in or out of your systems. Watching data as it moves across all touch points can provide verification that data is flowing in compliance with regulations, policy, contracts, or other obligations. Monitoring data in motion can help you stay ahead of any problems.
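The chat-channel problem described above, as an added example that is not part of the original article: a scrubber that runs over a transcript export, redacts card numbers (validated with the Luhn check so that order numbers are left alone) and disclosed passwords or PINs, and tallies per channel what leaked. The transcript lines, the channel names and the `enc`-style markers are constructed for this example; a real transcript format will differ.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample chat transcript (not real customer data). Each line is
# "<timestamp> <channel> <speaker>: <message>".
SAMPLE_CHAT = """\
2019-06-03T10:02:11Z webchat customer: hi, my card isn't working
2019-06-03T10:02:40Z webchat agent: Sorry to hear that. Can you confirm the last 4 digits?
2019-06-03T10:03:05Z webchat customer: sure its 4111 1111 1111 1111 exp 09/22
2019-06-03T10:03:30Z webchat customer: and my password is Summer2019! if that helps
2019-06-03T10:04:02Z sms customer: order 1234567890 never arrived
"""

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "password: hunter2", "pin = 1234", "passcode is abc" style disclosures.
SECRET_RE = re.compile(r"(?i)\b(password|passcode|pin)\b\s*(?:is|[:=])\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_line(line: str) -> Tuple[str, List[str]]:
    """Return the scrubbed line and the labels of what was removed from it."""
    findings: List[str] = []

    def _card(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append("card_number")
            return "[CARD REDACTED ****" + digits[-4:] + "]"
        return m.group(0)       # digit runs that fail Luhn (order ids etc.) are left alone

    def _secret(m) -> str:
        findings.append(m.group(1).lower())
        return m.group(1) + " [REDACTED]"

    line = CARD_RE.sub(_card, line)
    line = SECRET_RE.sub(_secret, line)
    return line, findings


def scan_transcript(text: str) -> Tuple[List[str], Dict[str, Dict[str, int]]]:
    """Scrub every line and tally, per channel, which kinds of sensitive data appeared."""
    scrubbed: List[str] = []
    tally: Dict[str, Dict[str, int]] = {}
    for raw in text.splitlines():
        parts = raw.split(" ", 2)
        channel = parts[1] if len(parts) == 3 else "unknown"
        clean, found = redact_line(raw)
        scrubbed.append(clean)
        for label in found:
            tally.setdefault(channel, {})
            tally[channel][label] = tally[channel].get(label, 0) + 1
    return scrubbed, tally


if __name__ == "__main__":
    lines, report = scan_transcript(SAMPLE_CHAT)
    print("\n".join(lines))
    print(report)
```

The tally is the piece a privacy team actually wants from a channel like this: it tells you which touch points are receiving data they were never designed to hold, so the scrubbing can be moved upstream (into the chat widget or its retention pipeline) rather than done after the fact on stored logs.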

3)  Check to See That the Data That Should Be Encrypted Actually Is

Encryption is certainly not a panacea for all sensitive data issues. At the same time, it can be a powerful mitigating control, but only if the data that should be encrypted actually is. If all social security numbers (SSNs) in a table are meant to be encrypted, are they actually? You have to check to make sure.

This should start with checking the accuracy of the initial discovery and classification effort. If it’s simply assumed that all SSNs in a table are in the correct column and that column is encrypted, can you be sure all SSNs are encrypted? Data often finds its way into unexpected places. This leads not just to encryption problems but also to misclassification and miscategorization. And this can be the most vulnerable data, since it’s often not watched as closely, which leads to the next point.
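The check described here, covering both tip 1 (scan every column, not just the one where SSNs are supposed to live) and tip 3 (verify that the column that must be encrypted holds only ciphertext), as an added example that is not code from the article. The rows, the policy and the `enc:v1:<base64>` ciphertext-at-rest marker are constructed assumptions; substitute your own schema's convention. The SSN validity rules (area not 000, 666 or 900 and above; group and serial not all zeros) are the Social Security Administration's structural rules and filter out placeholder values such as 000-12-3456.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows as exported from a customer table. Assumed convention:
# a value at rest is ciphertext when it looks like "enc:v<n>:<base64>".
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "ssn": "enc:v1:Qm9ndXNDaXBoZXJ0ZXh0",
     "notes": "called about billing"},
    {"id": 2, "name": "B. Example", "ssn": "123-45-6789",
     "notes": "account migrated"},
    {"id": 3, "name": "C. Example", "ssn": "enc:v1:T3RoZXJDaXBoZXJ0ZXh0",
     "notes": "verified identity with ssn 456-78-9012"},
    {"id": 4, "name": "D. Example", "ssn": "enc:v1:WWV0QW5vdGhlcg==",
     "notes": "test record 000-12-3456"},
]

# Columns that must contain ciphertext only (constructed policy).
POLICY: Dict[str, str] = {"ssn": "encrypted"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ENC_RE = re.compile(r"^enc:v\d+:[A-Za-z0-9+/]+=*$")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that match the 3-2-4 shape but can never be issued SSNs."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[str]:
    """Plaintext SSN-looking values in a free-text or string field."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def audit_rows(rows: List[Dict[str, object]], policy: Dict[str, str]) -> List[Tuple[object, str, str]]:
    """Return one finding per (row id, column, problem).

    Two distinct failures are reported: a protected column holding plaintext,
    and a plaintext SSN turning up in a column the policy never covered.
    """
    findings: List[Tuple[object, str, str]] = []
    for row in rows:
        for col, value in row.items():
            if not isinstance(value, str):
                continue
            if policy.get(col) == "encrypted":
                if not ENC_RE.match(value):
                    findings.append((row["id"], col, "expected ciphertext, found plaintext"))
            elif find_ssns(value):
                findings.append((row["id"], col, "plaintext SSN outside protected column"))
    return findings


if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS, POLICY):
        print(finding)
```

Row 2 is the case the author warns about first (the right column, but never encrypted); row 3 is the second, quieter one, where a plaintext SSN landed in a notes field nobody classified. Row 4 shows why the validity filter matters: without it, every test placeholder in the table would show up as a finding and the real ones would get lost in the noise.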

4)  Don’t Stop with Users

Sensitive data is not always attached to users, so don’t limit your search to user-based data. Also consider derived sensitive data, since seemingly innocent data points can lead to very private information.

Organizations generally focus on user accounts and the data associated with those accounts. But as discussed earlier, data is often misplaced. Is an SSN any less sensitive because it’s not linked in the database to a first and last name? Of course not. On the other hand, seemingly non-sensitive data can become sensitive when it is linked to a user.

For example, it’s unlikely you have religion listed with employee names in your HR database. But you probably do have requested days off. It’s often easy to derive a religious preference from the PTO days an employee requests. And while this data might not be used or even understood by the employer, it will certainly be understood and used by a third party who might have access to this seemingly innocent data. Sensitive data is sensitive data and should be treated as such.

5)  Know Your Data Obligations

Private and sensitive data comes with obligations from regulations, external requirements and internal policies. How do you know if you’re meeting all of these?

You’re most likely familiar with obligations in the form of internal policies. These policy obligations might be regarding which data elements should be encrypted, what data should be backed up, and the service level agreements on the restoration of such data.

And you might also be familiar with regulatory obligations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS) and others.

However, obligations can also be contractual. Are you buying, selling, or otherwise transacting data with other third parties or partners? There are typically contracts in effect that place obligations on that data. Obligations can also be public statements, such as a privacy statement made on the company’s website. A data privacy strategy should include visibility into such obligations and evidence that they are being met. Knowing the relationship of data to the obligations on that data can certainly make life easier when questions arise.

Conclusion

Building a system that protects private data is crucial. Whether you’re spinning up a new development environment for a new venture or simply conducting an audit to ensure compliance with the shifting regulations and privacy laws, how you structure your data storage and management technologies can have a significant impact on your company’s success. Making sure you’re protecting all of your data from various sources at all times is essential — and failing to do so can be costly.