Data Privacy: 3 Best Practices to Enact Now
A new survey found that less than a quarter of respondents feel their enterprise has sufficiently addressed data management and privacy needs. What’s behind this pessimism and what actions can your enterprise take now?
- By James E. Powell
- December 12, 2018
Data management company ZL Technologies recently published results of a new survey revealing that information management professionals aren’t confident in their organization’s approach to privacy. These findings are especially concerning because privacy rulings are being introduced at an accelerated rate and it’s only a matter of time before consequences begin to set in.
Upside recently sat down with Callum Corr, data analytics specialist at ZL Technologies, to dig into the meaning behind these survey results. At ZL Technologies, Corr is responsible for ensuring clients around the world are safeguarding their own data as well as the data of consumers they handle on a daily basis.
Upside: Why do you think only 22 percent feel their organizations sufficiently address information management and privacy needs?
Callum Corr: I believe there are two issues at play here. The first is a cultural issue, not just the private versus public sector, but realistically the United States society as a whole. When it comes to privacy, the U.S. has always lagged behind Europe. The EU is taking a tough and progressive stance on privacy and we aren’t seeing similar action in the U.S. The CCPA may get the ball rolling, but it’s just a start.
The U.S. was built on the foundation of entrepreneurship and achieving the American Dream; regulations and compliance have always fallen secondary to this drive for success. It’s human nature to focus on what is going to drive you forward individually, but it takes foresight to realize that regulation might actually aid your future growth. We see this across the technology industry around the world, but particularly in the U.S.; it is no coincidence that this industry is often referred to as The Wild West, where anything goes.
Second, many of these organizations haven’t had to deal with strict regulation yet. Tackling a law as encompassing as the GDPR in a siloed, segregated manner is absolutely terrifying from an infrastructure standpoint. As we have watched data evolve, organizations have struggled to keep up with the expectations that came with this evolution. Whether that was handling electronic records in lieu of file cabinets or being able to provide a tamper-proof audit trail from litigation, demands were constantly changing. This led organizations to purchase various technologies to handle each individual demand.
However, full-fledged information management and privacy asked for something entirely different. The solution here is consistent management across the enterprise, which is a new way of thinking. Rather than have the specific working group handle the problem with a certain technology, we now need to consider a solution that remains consistent across the entire enterprise. Whether it is the GDPR or a U.S. federal privacy law, companies need to manage their data in a way that has been resisted for almost two decades. This clearly won’t be a quick fix and requires the engagement of all business groups, which is no small task. This may begin to explain the low statistic my company received in our survey.
What do you believe are their biggest concerns or doubts, based on the survey results? Do you think those concerns are justified?
I think the biggest doubts are that companies simply don’t know how to tackle legislation that asks for a companywide response. There are two issues at play here -- the first being cost. If we are going to introduce a solution across all global offices and global employees, then how much is that going to cost us? Realistically, if we are considering the GDPR, the ICO and other governing bodies are notoriously soft, for lack of a better phrase, when it comes to enforcing fines, so is it really worth the investment?
Second, so many organizations now have thousands of applications managing data on a daily basis, making the idea of taking inventory of all of these applications to find an overarching solution intimidating.
In terms of the validity of these concerns, I think it is important to change the narrative around data privacy. These regulations, whether European or homegrown, are written to enhance the rights of the consumer while providing an opportunity for organizations to improve internal efficiency and functionality. Doubts that U.S. organizations are lagging in regard to privacy programs are not something new, but if we begin to see the positive sides of these regulations, I think change is on the horizon. Organizations should only handle the information they need and delete it as soon as it’s no longer required. These practices are something an efficient information governance program should have been involved with for years.
If enterprises aren’t at fault, who do you think is? What’s driving this pessimism?
Culturally there needs to be a shift. Mainstream media attention to breaches and misuse of data is only going to help with this. Previously, we have long held the notion that if life is made easier by these organizations, then consumers don’t mind what they are doing with personal data. Once it becomes apparent that this misuse can reshape our everyday actions and even political beliefs, things quickly begin to change.
Regulators also need to be held accountable. If we are going to take data privacy seriously in the U.S., then there needs to be an incentive to comply and a real deterrent for doing nothing. It’s been easier to hide behind a U.S. shield with a European law, but that will be difficult with a homegrown piece of legislation. Not only does the legislation need to be fair and consistent, but it needs to actually be enforced.
What are three best practices enterprises can adopt to address these issues?
Organizations need a review and overhaul of their information governance programs. Data privacy demands consistency across all business functions. The beauty of data is that it flows and is not hindered by geographical or physical boundaries, meaning a solution has to be fluid across the entire organization. That can be a daunting task, so it is important for companies large and small to break down these projects into small wins that can keep the project moving in the right direction.
- Forming an information governance or a data privacy committee that includes stakeholders from all business groups such as records, legal, IT, risk, compliance and the C-suite is a good start. For this to work, you need buy-in across the board and an understanding of all business units.
- Take inventory of your data. How many applications are managing data and where is the data flowing? Determine a road map of vulnerable areas to target before moving your business to less-vulnerable areas. Once you have analyzed data sources, you are in an informed position to make an educated decision for you and your organization.
- Change policy and implement a solution that will ensure this policy is actually carried out. Many organizations have changed their policies to deal with privacy regulation and that’s a great first step, but if we can’t actually enforce the policy, then there was really no point in writing it in the first place. This is often seen as a records management task for most organizations. You must start with data you already hold but understand that new data will be generated daily; you need a plan of action to avoid continuous cleanup.