Harder Data Governance

Data Governance: Harder, Better, Faster, Stronger — Part II

Vincent Rejany
6 min read · Sep 2, 2019

Data Governance is at a crossroads: high demand for trustworthy data, data privacy regulations and individuals asking for ethical, secure, transparent, and lawful data processes, combined with increasing volumes and use. Data is big, demand is big, opportunities, good or bad, are big and so are risks. It sounds like a very good cocktail for change, a revolution, or a crisis. Having tried to break the unjustified esotericism surrounding “Data Governance” in the first part of this article, let’s summarize these challenges in two main groups, which are interlaced:

· The rise of the data democracy

· The pressure from regulatory compliance

The rise of the data democracy

Data does not stop getting bigger. What was big data yesterday is small data today: according to Forbes, 2.5 quintillion bytes of data are created each day at our current pace. It is there and everywhere, immediately accessible. Companies have quickly accrued massive amounts of data, adopted big data environments to store it, and are now looking at how to drive their digital transformation. However, the emergence and explosion of Hadoop and cloud platforms and of new processing engines (in-database, in-Hadoop, in-motion, in-container), combined with the power of analytics solutions, are hiding the complexity and the disorder. This widespread data disorder is the most significant obstacle preventing organizations from realizing the full potential of their data assets today. Digital transformation cannot be successful without an emphasis on how data is collected, processed, controlled, and secured. Insights might be buried within all that raw data, but if no one knows where it came from, how to find it, what it means or whether they can trust it, it will remain untapped and untouched.

Margaret Rouse from Techtarget.com gives the following definition: “Data democratization is the ability for information in a digital format to be accessible to the average end user. The goal of data democratization is to allow non-specialists to be able to gather and analyze data without requiring outside help.” It is true that computer skills are no longer reserved for IT people. New generations of workers, raised with computers, are entering the market with good and even advanced BI and analytics knowledge, and with expectations: they cannot imagine being successful at their job without access to, and consumption of, the data they need. According to Laura Hellis in her article “Building Data Democracy”, “therefore data has become the new language of business management […] to truly excel at your job you need to dig into the “Why” behind the “What” questions.”

Unfortunately, most organizations do data governance in an ad hoc or firefighting manner across different parts of the business, and most of the time only within IT. In the worst cases there is no governance program in place, or only at a project-based level. In the best scenarios, governance has been enforced thanks to compliance with regulations involving data management best practices, but again not all business processes, departments and geographies will be equally supported. Enterprise Data Governance is still a sweet dream for many organizations.

What do business users ask for? Power, access to trustworthy data, and more control over their analytics work. The challenge is how to set up the infrastructure, the architecture and the functional organization that will facilitate and serve data analysis, through simple tools, simple presentation of data, and high-quality, verifiable data; in other words, “Data Governance”. However, quoting a famous commercial, “Power is nothing without control”, and the democratization of data also comes with watchdogs and standards.

Regulatory compliance pressure

Over the last years, many regulations like Solvency 2, SOX, CIA, BCBS239, MiFID, CCAR, Transparency Act, IDMP, HIPAA, EU GDPR and recently CCPA have called for better data management, either through the production of specific reports, or by directly requiring dedicated actions. Regulators require organizations to control what data they use to make business decisions, to pro-actively prevent and detect data breaches or fraud, and to manage financial risks.

For example, BCBS 239, the Basel Committee on Banking Supervision’s standard number 239, was one of the first regulations to include principles describing how a bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance.

BCBS 239 Data Principles

More recently, the EU General Data Protection Regulation has been a massive game changer in Europe, and in other countries that are impacted as well. For the first time, one regulation is impacting all industries, as 99% of them do process personal data.

EU GDPR requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly: the GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher. That alone spares you from having to build a use case for launching a Data Governance program.

The aim of data protection regulations such as EU GDPR is to change behaviors and mindsets. Taking that perspective, the accountability principle (in Article 5 of the EU GDPR) makes the data controller the party responsible for demonstrating compliance with these EU GDPR principles:

· Lawfulness, fairness, and transparency must exist in processes that manage personal data.

· Limitation of purpose. Personal data must be collected for specified, explicit, and legitimate purposes.

· Data minimization. There should be no reason to use more data than necessary for the defined purpose.

· Accuracy. Data quality must be ensured, and personal data be kept up-to-date.

· Storage limitation. Personal data must be processed for no longer than is necessary.

· Integrity and confidentiality. Appropriate security measures must be taken.

EU GDPR Principles

The main action to be taken for demonstrating “Accountability” is to document internally all your processing activities, and to make this documentation available to supervisory authorities upon request. This “record of processing activities” is required by EU GDPR Article 30 and will facilitate compliance with the other principles. It implies assessing which types of data elements are used, for what purpose, where they are stored and for how long.

Data retention is a big and complex issue for companies. Determining a retention strategy and policies, how to implement those policies, and how to create automated processes with rules that depend on the country you’re doing business in is tedious work. The rules differ depending on the country you’re doing business in, the type of data being processed and the purpose of the processing. It’s a very complex area of data management and governance.
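As an added illustration (not from the original article) of the retention rules just described, the following Python encodes a constructed rule table keyed by country, data category and purpose, and evaluates sample records against it; the periods, countries and records are placeholders, not real legal retention requirements. It also handles two edge cases the text hints at: a record processed for several purposes, and a combination with no rule at all.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed rule table: (country, data category, purpose) -> retention in days.
# The periods are illustrative placeholders, not legal retention requirements.
RETENTION_RULES = {
    ("FR", "invoice", "accounting"): 10 * 365,
    ("DE", "invoice", "accounting"): 10 * 365,
    ("FR", "contact", "marketing"): 3 * 365,
    ("DE", "contact", "marketing"): 2 * 365,
    ("*", "access_log", "security"): 365,  # "*" = any country
}

@dataclass
class Record:
    record_id: str
    country: str
    category: str
    purposes: tuple  # one record may be processed for several purposes
    collected: date

def retention_days(country, category, purpose):
    """Country-specific rule first, then the wildcard-country rule; None if neither."""
    return RETENTION_RULES.get((country, category, purpose),
                               RETENTION_RULES.get(("*", category, purpose)))

def evaluate(record, today):
    """Return 'keep', 'delete' or 'review'. The longest period among the record's
    purposes wins; a purpose with no rule blocks automatic deletion and routes the
    record to manual review rather than silently deleting or keeping it."""
    periods = []
    for purpose in record.purposes:
        days = retention_days(record.country, record.category, purpose)
        if days is None:
            return "review"
        periods.append(days)
    expiry = record.collected + timedelta(days=max(periods))
    return "delete" if today >= expiry else "keep"

SAMPLE = [  # constructed sample records, evaluated as of 2019-09-02 below
    Record("r1", "FR", "contact", ("marketing",), date(2015, 1, 1)),
    Record("r2", "DE", "contact", ("marketing",), date(2018, 6, 1)),
    Record("r3", "FR", "invoice", ("accounting", "marketing"), date(2012, 1, 1)),
    Record("r4", "ES", "contact", ("marketing",), date(2010, 1, 1)),
    Record("r5", "ES", "access_log", ("security",), date(2018, 1, 1)),
]

def run_sample():
    """Evaluate the constructed sample as of 2019-09-02."""
    return {r.record_id: evaluate(r, date(2019, 9, 2)) for r in SAMPLE}
```

Records r3 and r4 land in "review" because one of their purposes has no rule for that country; in practice that queue is where the governance team adds or confirms the missing policy.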

Companies may also have to carry out data protection impact assessments (DPIAs) when data processes could represent a high risk to individuals’ rights and freedoms, particularly when new technologies are involved. The DPIA is required by Article 35 of the EU GDPR and contains information about how a new or modified application might affect the privacy of personal information processed by or stored within the application.

Considering the first challenge related to data volumes and data democratization we described earlier, for an organization with hundreds of systems, data assets, and processing activities, and thousands of personal data types to review daily, weekly, or monthly, describing these items is a significant effort, but maintaining an up-to-date view of them is even more time-consuming and is prone to errors. In terms of Data Governance, the typical manual or semi-automatic steps no longer stand a chance when facing EU GDPR requirements.
