Last year was another banner year for security breaches, sad but true. At times it felt like a week did not go by without the announcement of another large corporate security breach (one that usually happened sometime in the past) in which the personal information of millions of people was potentially at risk. One breach in particular stands out to me: the Equifax breach that occurred last September. Approximately 145 million individuals’ personal information had potentially been acquired by the hackers.
The reason this one stands out is not its size, or that it was a company that sells services to protect your personal information (though that is ironic). What makes it stand out is the testimony of the interim CEO, Paulino do Rego Barros. Barros testified that ‘consumers do not have a say in opting in or out of the company’s data collection’.
Whose data is it anyway?
Several senators responded incredulously to that assertion. There was much discussion about the need for more legislation requiring companies to better protect consumer data. This incident and the discussion around it are a great example of the challenges facing us in our new world of constant technology disruption. New uses, new devices and new kinds of collected data are appearing at breakneck speed, sometimes before we even understand the implications and tradeoffs involved.
The European Union is working very hard to get ahead of the curve on the privacy challenges. The rules, called the General Data Protection Regulation (GDPR), are scheduled to go into effect this March. It is considered one of the toughest privacy laws to be implemented to date. At its core, the law will allow Europeans “…to tell companies to stop profiling them, they’ll have much greater control over what happens to their data, and they’ll find it easier to launch complaints about the misuse of their information”. The explosive growth in the volume of personal data being collected is going to present challenges for everyone.
With great power comes great responsibility
A while back, I attended a session at a Gartner Symposium entitled ‘Privacy vs the World’ presented by Heidi Wachs, a research director at Gartner. She presented many examples of data privacy concerns. She raised the point that ‘the lines between social culture, corporate culture and regulation are blurred when it comes to privacy’. She asked the attendees ‘How can organizations truly define privacy so that it is appropriately preserved?’ The discussion revolved around the constant struggle to balance business needs and convenience against the privacy and security concerns of the users of the system.
As technologists, we have a responsibility to help the business understand the tradeoffs and risks involved in this rapidly changing environment. We as humans, by nature, love to hoard things, and data is no different. We are accumulating large amounts of data as it passes through our systems. If it is in or passes through your system, you have a responsibility for ensuring the rules are followed. What level of privacy is needed, required or desired depends entirely on the data itself. Not all data is created equal; some requires more privacy than others. Privacy, and the security mechanisms needed to implement it, are not a once-and-done kind of thing; they are constantly evolving and changing. Heidi asked a challenging question in the session I mentioned above: ‘When a law enforcement agency comes asking for all that data you have been hoarding, what will you do?’ It is better to be proactive and plan ahead than to be reactive when the situation occurs.
Data Governance is critical to success
To be proactive and develop those plans, it is imperative that an organization understand its data and where it resides. Key to that understanding is an established data governance process. Data governance is concerned with the integrity, availability, usability and security of the data employed in an enterprise to ensure data can be trusted for decision-making. According to the Data Governance Institute, additional benefits include better data security, as well as reducing the risk of regulatory fines (the EU’s GDPR, for example, has significant penalties for non-compliance).
One of the useful artifacts from the data governance process that contributes to the planning process is the data catalog. A data catalog contains a list of all data assets and capabilities in an organization. Information contained in the catalog includes:
- High level descriptions
- Governance Information
Having this information maintained and available allows an organization to respond quickly to regulatory requirements around the handling and locating of data when required. Using GDPR as an example, one of the requirements is known as the ‘right to be forgotten’ rule. If an individual requests that their information be removed, a company must comply. In order to do this, one must know every location where a person’s information is stored. A quality data governance process and data catalog facilitate that capability.
Accepting the challenge and striking the balance
In the fast-paced, rapidly changing technology environment we live in today, we are providing and collecting huge amounts of data from an ever-increasing number of potential sources, whether they be mobiles, wearables, our vehicles, or any of a myriad of other sources we haven’t even thought about. This data is traveling through the nebulous cloud environment we all love to talk about, and through the ether, to its final destination. Our challenge as technologists is to understand the implications, challenges, and tradeoffs involved in that world, and to be able to articulate those to the business so that the proper balance between business needs, data privacy, convenience, et al. can be achieved.