August 27, 2021

Data Governance Can Ease PII Regulation Compliance

Written by

We spoke with three different data experts on the role of data governance within the regulations of GDPR, CCPA, and local regulations. These experts say that data governance is critical to regulatory compliance, but that a well-implemented data management tool can be instrumental in ensuring that compliance.

Data governance can help your company understand its data landscape

Emily Washington, Senior Vice President of Product Management at Precisely says that data governance helps companies visualize how data should flow throughout the company including who should sign off on data sharing and how the data usage complies with regulations. But the coverage of a data governance policy doesn’t stop at the plan and collection of data.

Washington says, “Too many organizations assume that the front line is all the protection they need, which leaves PII data in the backfield exposed and vulnerable to significant compliance and intrusion risk. Tools alone cannot solve this problem. The pitfalls often extend to lack of understanding of the importance of data governance, employee training, and cross-functional collaboration when implementing data governance policies and data management tools.”

Regulatory compliance is everyone’s responsibility

Data governance is a full-company issue that can’t rely on only IT or business intelligence departments to implement policy and hold employees to the standards they set. Today’s companies rely on consistent data across departments and for everyone at the company to buy into the policies to avoid back channel data collection or the intrusion of unregulated data via shadow IT.

Compliance with personal data regulations requires strict adherence to data retrieval and deletion requirements. For example, GDPR and CCPA dictate that a company produces all personal data for an individual consumer within 30 or 45 days, respectively. To comply with the right to be forgotten clause in these tools, a company with dispersed and shadow customer data is in danger of non-compliance, which will result in huge fees.

Katie Horvath, Chief Marketing Officer at Aunalytics says, “These goals can be met with the right data governance technology and processes including a data management system that integrates all data sources across the company, tracks where the data comes from, which other systems are accessing or using it, where it goes (analytics, warehouses, dashboards, other systems), and includes an audit trail of all changes made to the data and all movement of the data over time.”

Horvath recommends that companies use a data management tool to organize their PII by data field rather than individual records. The variability of record types, forms, and formats of data across all of a company’s individual systems would make searching for an individual record impossible within the request compliance window. She says, “Without this type of governance in place, an organization is left to run from system to system to try to figure out whether each data silo and application has information about a particular consumer.” A data management system that includes built-in governance can ensure that the company knows “in minutes where the data lives such that compliance is possible.”

Adam Kohnke, Information security manager at Infosec Institute, agrees, “Like any policy, a data management policy helps everyone understand what the requirements are, gathers all [the data], collects it, and condenses it in one place. That makes it easier for internal personnel to understand the requirements as they apply to their company. Having a data governance policy shows regulators as well that we’re taking the laws seriously, and we’ve thought about our game plan.”

But Kohnke warns that just putting the policy into place and using it when someone requests their data isn’t enough. “The policy should guide how we collect, classify, store, and process data, and what labels in the system would lead to confidential, PII/HIPAA, or other protected data.”

Compliance requires constant vigilance

Once you’ve built the data governance policy and implemented it across the company, you have to follow up, revisit the policy and tools, and ensure that there’s an accurate count of the applications and current customers. Failure to onboard or offload applications can lead to data leaks, and failure to onboard or offload customers can cause regulatory violations.

Kohnke says, “To avoid privacy pitfalls, companies can implement a master data management system and employ data audits. Large organizations should have someone consistently working on this to ensure that proper oversight is given. This person should be familiar with the regulations and policies, as GDPR and others lay out good governance roles for data owners, data stewards, custodians run the day to day management.”

Data governance is only going to become more important as more countries release their own versions of GDPR. While companies can incur fines due to failure to comply, the bad press can be just as damaging. While many people don’t fully understand the full repercussions of a data breach or the right to forget clauses, they do react emotionally to bad news about privacy violations. Data governance is a full-company issue, not solely that of the IT department.