Ai Editorial: How robust is your data governance strategy? Apt for GDPR?

First Published on 12th September, 2018

Ai Editorial: Having a resilient and centralized data governance tool that can provide requisite information readily when needed will go a long way to comply with data regulations like GDPR, writes Ai’s Ritesh Gupta


It is imperative for businesses today to not only manage, understand and act on data, but also to ensure security and regulatory compliance.

Businesses also need to know how to respond to a strict regulatory environment such as GDPR, under which an organization may have to honour a request to delete an individual’s personal data.

One key aspect pertaining to the whole initiative is data governance.

“Data governance is a key part of a robust and responsible data strategy that modern organizations cannot ignore,” says Kelvin Looi, Global Sales Executive, Unified Governance & Integration, IBM Analytics.

“Profiling each data set to answer who, what, where, when and how, and making this metadata available, is fundamental. Basically, for each data set, you need to understand what the data is all about, who owns it, where it originated, where it is kept, when it got there, and how it is being processed,” said Looi, who was recently in Phuket for Ai’s 7th Annual ATPS Asia-Pacific.

Compliance with a regulation like GDPR 

Having a robust and centralized data governance tool that can readily provide such information when needed will go a long way toward complying with data regulations like GDPR, which require greater transparency for data subjects about how data concerning them is collected, used, consulted and processed, asserted Looi.

Explaining further, he said, “The ‘right to be forgotten’ article in GDPR is another requirement that will be difficult to achieve without a robust and centralized data governance tool. Basically, in many cases, data subjects have the right to request the deletion of their data and not to be contacted again. This request is almost impossible to comply with without a tool to indicate where their data resides, and whether this data can actually be deleted without violating another regulation.”

Data governance strategy 

E-commerce companies, including airlines, need to evaluate their data governance strategy to suit their organizational objectives.

“Forming a unit that is responsible for data governance would be a good start if you haven’t got one,” recommended Looi.

IBM has worked on a methodology for the same, and it goes through five phases:

1. Assess,

2. Design,

3. Transform,

4. Operate, and

5. Conform

In the first phase, the focus is on conducting an assessment across governance, people, process, data and security. “From this assessment, we develop a target operating model that encompasses technical and organizational roadmaps,” said Looi. “In the second phase (design), we produce standards that cover governance, training, communication, privacy, data management and security management. During the transform phase, we conduct detailed data discovery and embed standards, procedures, and tools to enhance existing processes. We also conduct the necessary training to ensure skills transfer.”

“In Operate, we ensure all relevant business processes and security controls are executed. In Conform, we monitor, assess, audit, report and evaluate adherence to the data governance target operating model,” mentioned Looi.

Managing availability and security 

On data availability and security, Looi recommended profiling the existing data environment and understanding where all the data is as a meticulous way to start.

It is important to assess where all the data resides and how the data sets are connected to each other. Other considerations include what to protect and the related accessibility (storing locally or in the cloud, encryption levels for data of different sensitivities, access rights, etc.).

“When it comes to customer personal data, a few industries have implemented a customer hub, typically using a master data management solution to provide a ‘single source of truth’ for customer data,” shared Looi. “This typically contains a registry to provide directory services that point to where customer data resides in different systems in a company. Industries like banking, insurance and healthcare are leading on this front. Industries such as airlines are far behind on this. The good news is some have started. Key GDPR requirements, like consent management, can be centrally managed in this customer hub. Companies that have implemented this customer hub will find it easier to manage customer data availability and security, hand-in-hand with centrally managed customer consents and preferences. Many airlines still try to drive their customer centricity strategy off their loyalty system. But a big portion of their passengers are not their loyalty club members.”
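To make concrete what the registry in such a customer hub has to answer for a “right to be forgotten” request (where the data resides, and whether each copy can be deleted without violating another obligation), here is an added illustration in Python. It is not IBM’s tooling nor code from the article; the schema, system names, subject ids and retention rule are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Holding:
    """One place a data subject's personal data resides (hypothetical schema)."""
    system: str                       # where the data is kept
    owner: str                        # who is accountable for it
    purpose: str                      # how it is being processed
    legal_hold: Optional[str] = None  # another obligation that forbids deletion, if any

# Constructed sample registry: subject id -> holdings across company systems.
REGISTRY = {
    "subj-1001": [
        Holding("crm", "marketing", "newsletter"),
        Holding("booking", "operations", "ticket record", "tax retention (constructed rule)"),
        Holding("loyalty", "loyalty-team", "points ledger"),
    ],
    "subj-2002": [
        Holding("crm", "marketing", "newsletter"),
    ],
}

# Central "do not contact again" list, managed in the hub alongside consents.
DO_NOT_CONTACT: set = set()

def handle_erasure_request(subject_id, registry=REGISTRY, suppression=DO_NOT_CONTACT):
    """Return a per-system plan for an erasure request.

    The contact suppression is honoured unconditionally. Without a registry
    entry the deletion itself cannot be acted on ('unknown'), which is the gap
    a central data-governance tool is meant to close.
    """
    suppression.add(subject_id)
    holdings = registry.get(subject_id)
    if holdings is None:
        return {"status": "unknown", "delete": [], "retain": {}}
    plan = {"status": "actionable", "delete": [], "retain": {}}
    for h in holdings:
        if h.legal_hold:
            # Deleting would violate another regulation: keep it and record why,
            # so the response to the data subject can explain the retention.
            plan["retain"][h.system] = h.legal_hold
        else:
            plan["delete"].append(h.system)
    return plan
```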

As for GDPR obligations, Looi referred to five areas during his presentation:

1. Rights of EU Data Subjects: enhanced rights for data subjects in the EU, including notice, access, rectification, erasure, restriction, portability and objection; easier access to personal data, with more information on processing made available clearly and understandably.

2. Security of Personal Data: obligation to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk; includes 72-hour breach reporting to regulatory authorities and, without undue delay, to individuals in high-risk scenarios.

3. Lawfulness and Consent: processing is only lawful on one of the following bases: consent, necessity, legal obligation, protection, public or legitimate interest, or official authority; consent must be freely given, specific, informed and unambiguous, and, for special categories and certain other scenarios, explicit.

4. Accountability of Compliance: the need to demonstrate compliance with the principles relating to personal data processing pervades the GDPR; these include lawfulness, fairness, transparency, purpose/storage limitation, minimisation, accuracy, integrity and confidentiality.

5. Data Protection By Design and By Default: data controllers must implement technical and organisational measures demonstrating compliance with GDPR core principles; ensure the rights of data subjects are met and that only data necessary for the specific purpose is processed.
