
Data Governance in the Era of Heightened Regulation


GDPR has already sent shudders through the data management world, said Lewis. “Most large organizations have had to take a risk-management approach to this regulation, meaning that they have done their best to address the greatest risk with the lowest cost, if they’ve addressed it at all. I don’t think it would take much digging to find violations. With so many publicized breaches and the proliferation of personal information, it’s inevitable that companies will need to respond.”

INTERNAL DEMANDS

There are numerous demands for better governance of data from an internal perspective as well, industry observers agree. “The exponential growth of content, increasing inclusion of IoT and mobile devices, and increasing internet commerce make targets more visible and accessible to external threat actors and a broader audience when organizations are victims, which in turn damages their reputations,” said Imamura. “Disruptive technologies and the demand to keep pace with competitive offerings have pressed many businesses to reduce spending and investment in quality assurance, potentially opening security holes in IoT and mobile devices making incursions into the business.”

“Having a firm understanding of the definition of PII is extremely important,” said Mitch Kavalsky, director of security governance and risk, Sungard Availability Services. “While there is a list of known datapoints, there are still gray areas. For example, there are multiple datapoints that when used together qualify as PII, but when used individually are not considered PII. In addition, being able to isolate a specific user’s data and remove it without impacting the system is a consideration that was previously not a priority. Organizations are keeping up with these requirements as best they can. The fines levied against Google show that the European nations are taking GDPR seriously and other companies are taking notice. While Google may debate the validity of the fines, other companies are doing everything they can to make sure they don’t get hit with fines as well.”

Any organization working with data is likely now to have an international reach and needs to prepare accordingly for the bevy of privacy mandates, industry observers agree. Companies with a global reach need to develop well-focused enterprise strategies for all data coming in and moving out of their organizations. This includes understanding how to approach and implement policy for these scenarios with a repeatable model due to worldwide impact, said Nathan Turajski, security operations and data security lead at Micro Focus. For example, they need to consider what requirements apply to the EU (GDPR), California (CCPA), and other regions for consistency of approach to the most stringent baseline requirements. “Organizations won’t be ready to protect data if they haven’t fully discovered and classified it across the organization as a prerequisite. Those are imperative considerations, as well as understanding your own organizational maturity, when developing data governance strategies.”

THE DATA-SAVVY ORGANIZATION

As awareness of the requirements for data cohesiveness, as well as the need to meet legal requirements, gets baked into corporate data cultures, it is becoming necessary to manage accordingly, industry observers state. “Organizations get savvier with each passing year,” said Fabiszak. “But more work needs to be done to ensure that people are comfortable working with data. It cannot just be the domain and discipline of data stewards or database administrators any longer.” Instead, “organizations need to be data-centric and educate employees on the expectation that data is a critical part of their everyday jobs.”

A challenge encountered by many organizations “is keeping data governance on the agenda,” said René Bentvel, global data protection officer for Unit4. “Every organization struggles with this and it’s a case of aligning data governance strategies with day-to-day business objectives. Regularly discussing incidents, ongoing awareness initiatives, and training are crucial to keeping up. Although many companies have already adopted privacy processes and procedures consistent with GDPR, the directive contains a number of new protections for EU data subjects that affect international companies, as well as European companies.”
