Ai Editorial: How robust is your data governance strategy? Apt for GDPR?

First Published on 12th September, 2018

Ai Editorial: Having a resilient and centralized data governance tool that can provide requisite information readily when needed will go a long way to comply with data regulations like GDPR, writes Ai’s Ritesh Gupta

 

It is imperative for businesses today to not only manage, understand and act on data, but also to ensure security and regulatory compliance.

Also, how to respond to strict regulatory environment, for instance, GDPR, where organizations could end up in a situation where they would need to adhere to a request regarding deletion of one’s personal data.

One key aspect pertaining to the whole initiative is data governance.

”Data governance is a key part of a robust and responsible data strategy that modern organizations cannot ignore,” says Kelvin Looi, Global Sales Executive, Unified Governance & Integration, IBM Analytics.

“Profiling each data to answer who, what, where, when and how, and to make this metadata available is fundamental. Basically, for each data, you need to understand what is the data all about, who owns it, where did it originates, where is it kept, when did it get there, and how the same is being processed,” said Looi, who was recently in Phuket for Ai’s 7th Annual ATPS Asia-Pacific.  

Compliance with a regulation like GDPR 

Having a robust and centralized data governance tool that can provide such information readily when needed will go a long way to comply with data regulations, like GDPR, to provide greater transparency of processing to data subjects on how data concerning them is collected, used, consulted and processed, asserted Looi.

Explaining further, he said ,”The `right to be forgotten’ article in GDPR is another requirement that will be difficult to achieve without a robust and centralized data governance tool. Basically, in many cases, data subjects have the right to request the deletion of their data and not to be contacted again. This request is almost impossible to comply with, without a tool to indicate where their data resides, and whether this data can actually be deleted without violating another regulation.

Data governance strategy 

E-commerce companies, including airlines, need to evaluate their data governance strategy to suit their organizational objectives.

“Forming a unit that is responsible for data governance would be a good start if you haven’t got one,” recommended Looi.

IBM has worked on a methodology for the same, and it goes through five phases:

1.     Assess,

2.     Design,

3.     Transform,

4.     Operate, and

5.     Conform

In the first phase, the focus is on conducting an assessment across governance, people, process, data and security. “From this assessment, we develop a target operating model that encompasses technical and organizational roadmaps,” said Looi. “In the second phase (design), we produce standards that cover governance, training, communication, privacy, data management and security management. During the transform phase, we conduct detail data discovery and embed standards, procedures, and tools to enhance existing processes. We also conduct the necessary training to ensure skills transfer.”


“In Operate, we ensure all relevant business processes and security control are executed. In Conform, we monitor, assess, audit, report and evaluate adherence to data governance target operating model,” mentioned Looi.

Managing availability and security 

On data availability and security, Looi recommended that profiling existing data environment and understanding where all the data is a meticulous way to start.

It is important to assess where all the data resides and how the data is connected to each other. Other considerations include what to protect and related accessibility (storing locally or in the cloud, encryption levels for data with different sensitivities, access rights etc.).

“When it comes to customer personal data, a few industries have implemented a customer hub, typically using a master data management solution to provide a “single source of truth” to customer data,” shared Looi. “This typically contains a registry to provide directory services to point to where customer data resides in different systems in a company. Industries like banks, insurance and healthcare are leading in this front. Industries such as airlines are far behind on this. The good news is some have started. Key GDPR requirements, like consent management, can be centrally managed in this customer hub. Companies who have implemented this customer hub will find an easier time to manage customer data availability and security, hand-in-hand with centrally managed customer consents and preferences. Many airlines still try to drive their customer centricity strategy off their loyalty system. But, a big portion of their passengers are not their loyalty club members,” shared Looi.

As for GDPR obligations, Looi, during his presentation referred to 5 areas:

1.     Rights of EU Data Subjects: enhanced rights for data subjects in the EU including notice, access, rectification, erasure, restriction, portability and objection; easier access to personal data with more information on processing available both clearly and understandably.

2.     Security of Personal Data: obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; includes 72-hour breach reporting to regulatory authorities and without undue delay to individuals in high risk scenarios.

3.     Lawfulness and Consent: processing only lawful if one of: consent, necessity, legal obligation, protection, public or legitimate interest or official authority; consent must be freely given, specific, informed, unambiguous and if a special category or certain other scenarios, explicit.

4.     Accountability of Compliance: need to demonstrate compliance with the principles relating to personal data processing pervades throughout the GDPR; include lawfulness, fairness, transparency, purpose/storage limitation, minimisation, accuracy, integrity and confidentiality.

5.     Data Protection By Design and By Default: Data controllers must implement technical and organisational measures demonstrating compliance with GDPR core principles; ensure the rights of data subjects are met and that only data necessary to the specific purpose are processed.

 

Follow Ai on Twitter: @Ai_Connects_Us

 

Editorials

  • Ai Editorial: How agility is playing its part in payment optimization at KLM? +

    Ai Editorial: A tailored payment infrastructure and the structuring of team internally, where multiple teams working in sync within an agile environment, paves way for payment optimization at KLM, writes Read More
  • Ai Editorial: Working out an apt infrastructure for payment optimization +

    First Published on 21st September, 2018 Ai Editorial: Airlines intend to take steps to control their payments strategy holistically. This gives them visibility into  payments in all their sales channels Read More
  • Ai Editorial: Use of app cloners and machine learning rises in mobile commerce fraud +

    First Published on 17th September, 2018 Ai Editorial: Considering the growth of mobile commerce, it is imperative for travel merchants to assess how fraudsters are crafting new techniques and tools Read More
  • 1
  • 2
  • 3
  • 4
  • 5