Data is the ‘oil’ of today’s economy. If it is compromised or stolen, it can be exploited by attackers for financial gain, and if the headlines littered with news about breaches over the past few years have taught us anything, it’s that the reputational damage from a major breach can impact an organisation's revenues for years.
With this in mind, the last few years have seen important new privacy laws implemented in various countries across the globe, such as the Protection of Personal Information Act (POPIA) in South Africa, and most notably the General Data Protection Regulation (GDPR) in the European Union. These regulations have seen businesses of every size and in every industry scramble to prepare, or risk severe fines for any violations.
Gartner analysts predict that by 2023, some 65% of the world’s citizens will have their personal information covered under modern privacy regulations, a massive leap from the 10% estimated last year.
However, although the regulatory environment is growing increasingly stringent, the basic foundation for protecting individuals’ personal data and privacy remains constant. A solid data governance program is needed, as its principles are key to building a data protection program that supports a company’s legal, regulatory and business requirements, lowers the chances of a breach or other security incident, and helps the company grow its brand as one recognised for protecting its customers' data.
Over and above protecting privacy, good data governance can help lower costs, streamline processes and operations, as well as assist with faster and better decision making.
But protecting the privacy of customer and employee data cannot happen without training, procedures and the appropriate technical measures in place. So where to begin? It's all about the data. The most fundamental step for managing information and privacy risks is understanding the types of data your business creates, receives and collects as part of its operations. Only once you understand what data you have will you be able to determine the legal and regulatory requirements with which you must comply. Privacy, in particular, is impossible to manage if you don't know what kind of personal data you are collecting and from whom.
Now you know what data you have, what next?
Knowing what you have is useless unless you know where it is. If you can’t instantly locate personal data, you have no hope of demonstrating compliance with privacy regulations. Proper controls must be implemented to protect data within your business, while it is in motion, and when transferring it to third parties or to other locations that might raise data sovereignty concerns.
Also, as companies come under increasing pressure to limit their use of personal data, many are revisiting their retention policies to align business requirements with public expectations. Similarly, they need to implement processes and technology to get rid of data that no longer has value to the business and has exceeded retention requirements. This enables them to lessen privacy risks and control costs.
Yes, compliance is more challenging than ever before, which is why data governance has moved to the top of the agenda. Businesses without effective data management policies, processes and technologies will find themselves navigating murky seas, and risk falling foul of regulators.