Data Governance is Key to Automating Privacy Operations for Lower Risk and Costs

The predictions are in and data privacy compliance in 2021 is an enterprise budget top priority to increase maturity in response to a perfect storm of converging risks.

‍

1. The number of remote workforces has doubled during the pandemic, exposing more data, along with more IoT devices used outside of traditionally safe corporate networks

2. Increased exposure from data analytics based on data democratization efforts across the enterprise, enabling new insights along with new privacy and ethical use concerns

3. Accelerated cloud migration where digital transformation is exposing risks outside of on-premises systems where legacy controls are often non-portable to hosted platforms

Another important consideration as global regulation continues to evolve: how do we drive value creation opportunities while preserving customer trust through responsible data use?

Priority #1: We all need to be on the same page

If you ask 10 data stewards across departments, they may offer 10 definitions of “privacy compliance,” depending on each stakeholder’s job title. While a CISO or IT architect may focus on shoring up access control security, a regulatory compliance team sees the risk exposure of inappropriate data use. Or a CDO may simply see obstacles to revenue agendas.

The truth is every one has a valid perspective for their role or function within the enterprise. More mature organizations are taking a data governance approach to privacy, as this enables both the transparency to coordinate data stakeholders around a common set of definitions, such as data purpose and workflow policies, and align on investment priorities.

The emerging discipline of data privacy governance through automating processes and procedures is now the way forward for codifying best practices, aligning stakeholders, and optimizing data use by reducing risks using active controls.

Priority #2: Getting started with data privacy governance requires metadata-driven intelligence

Everyone has a mandate to govern data responsibly, safeguard customer experience, and protect brand reputation. So how does data governance help automate privacy controls so that they are part of an integrated program?

Data privacy governance needs to provide a scalable but flexible framework, one that is based on a common foundation of metadata intelligence to enable guided decisions for appropriate data exposure. This framework includes:

• Defining policies to align stakeholders. Creating and documenting privacy policies digitally brings together business and technical teams across functions. Whether privacy officer or data architect, collaboration in one location enables a common understanding of data workflows, policies, processes, and procedures. This includes the scope of data, who owns the data and where and how is it used, and alignment on the purpose and importance as a starting point to operationalizing data privacy controls.
• Automatically discovering personal and sensitive data at risk. For data privacy governance to scale, data must be catalogued, and personal data classified across platforms by using AI and machine learning to accelerate knowledge, saving time and effort. This includes building an inventory of critical metadata such as location of data, proliferation and movement, usage, protection status, sensitivity, and monetary value or liability for further contextual insights into proper uses.
• Linking personal data to identities. Creating a data subject registry helps enable visibility, including tracking personal data uses across the enterprise to support inquiries such as DSARs, and facilitates breach notifications and other transparency obligations. Automation is critical due to regulatory agencies enforcing fines for noncompliant response. Manually linking data with identities is not practical as privacy requirements scale globally, increasing workload to support.
     
     

Priority #3: Lowering Risks and Saving Costs to Operationalize Privacy

With clear privacy policies in place, a catalogue of metadata to drive insights, and a subject registry in place to understand connectivity to data owners and uses, the real magic can then happen—applying metadata-driven intelligence for guided privacy decision making. A mature privacy program will be able to:

• Apply risk analytics to prioritize data protection plans. Privacy analytics and data profiling to understand risks enable prioritizing data protection plans so that data stewards can make investments based on risk impact. Being able to simulate the results of data protection, such as value against liability, can help drive budgetary spending to be more effective, addressing topmost risks.
• Remediate risks to unleash value, safely. Enforcing data protection plans based on intelligent insights can require a number of approaches. This can be proactive such as protecting data with masking or encryption (e.g., anonymization), and minimizing data we don’t need with encrypted backups or deletion. Or it can be reactive, such as responding to data subject rights and consent, or reporting on privacy violations.
• Measure and communicate status to improve operations. A one-stop privacy dashboard driven by automated analytics can help track privacy program status—such as volumes of protected data, risk heatmaps, and DSAR response time. This is not only critical for reporting up to the board of directors and C-level data stewards but impacts audit readiness and potentially can reduce privacy compliance fines through best efforts to control risk exposure.

With privacy regulations only expected to increase, and the volume of data and risks growing, data privacy governance through metadata-driven intelligence and automation is the key to scaling out privacy operations and putting risks in the rear-view mirror.

‍