In today’s digital world, data is the most valuable asset – one that must be protected. While concerns about the proliferation of data and its impact on data privacy are not new, they are growing in importance and consumer consciousness. Ultimately, transparency and integrity are paramount. After all, the data your organization has is less important than how you use it.
Leveraging the Sensitive Data Challenge into a Governance Opportunity
For many clients, we typically see the identification and remediation of sensitive data being managed by data security and data infrastructure teams, with input from legal counsel. This effort has become increasingly difficult due to the growth of new data, unstructured data, cloud data, and new laws and directives requiring stringent privacy controls. Due to this increased complexity, data governance teams are now being asked to work with (often siloed) data infrastructure and data security teams to help manage and govern sensitive data at scale.
While this orchestration can present a daunting challenge, it can also be a pivotal opportunity to enforce policies at scale and efficiently leverage data-rich applications to improve data transparency, decision-making, understanding and literacy. With an effective approach anchored by data governance as the key inter-disciplinary foundation to scale enterprise collaboration, the possibilities are endless. Without it, potential risk skyrockets.
To prepare for current and future regulations and to maintain consumer trust, your organization needs to know what sensitive data you have, where it resides, why you have it and how to control access to it. Ultimately, data classification and at-scale governance of processes, people, data and technology are at the heart of meeting sensitive data and privacy challenges now and for the future.
Orchestrate Around (Agile) Data Governance
Data governance programs are at varying stages of maturity across different industries and enterprise sizes. While some organizations subscribe to the traditional view of data governance as a defensive structure to control information, others have embraced a more agile approach to address greater demands for flexibility and output.
We’re seeing more organizations and clients shift toward agile data governance. First San Francisco Partners views modern, agile data governance as bottom-up-driven governance that unlocks the value of data for end users — empowering them to solve business problems, take advantage of self-service analytics and do their jobs better and more efficiently.
Agile governance leverages new and improved technologies that monitor and enforce governance practices, while supporting the enterprise-wide demands of different data users and the increasing complexity of data-related concerns. Agile data governance also supports data usage and management across the organization (closest to the point of usage and consumption) but makes everyone responsible for contributing to the understanding of data. This “social contract” of empowerment with responsibility is seen in other aspects of agile data governance, too.
Scale Governance to Manage Sensitive Data
While supporting data users through improved data understanding and trust, data governance can also help orchestrate the use of multiple technology platforms and align data infrastructure and security teams in a synchronized process. This can increase the opportunity to gain value from the data while simultaneously protecting sensitive information.
Best practices for scaling governance to manage sensitive data/data privacy include:
- Establish an ethos of compliance to engender a feeling of confidence
- Leverage a risk-based approach to prioritize your security and privacy requirements
- Create and maintain an active consumer data inventory
- Strengthen metadata management and data lineage capabilities
- Be able to show consumer consent for data collection and processing and be poised to respond to consumer data requests when needed
- Ensure internal privacy and access controls are understood, accessible and effective
- Incorporate vendors, suppliers and other partners in your data privacy practice
Data governance is critical for managing sensitive data at scale in order to minimize risk and reduce operational costs.
It is a balance: while security will be increased, it should not be at the expense of data usability and analytics effectiveness. Utilizing a data governance capability with cross-functional representation not only enables better decision-making, it also ensures the business is continually supported – not stalled.
Automate Access Control
Another important piece of the sensitive data puzzle is access control. Access control is a process that gives the right people access to appropriate data for the correct, permitted use. Data governance teams set policies, define classifications and manage a platform of record that organizes which people have specific access rights and why. These access rights could be driven by regulatory guidelines, internal sensitivity or even contractual obligations. As the data becomes more voluminous, complex and critical to operational processes, the classifications and access rights need to become more specific and at a level of greater granularity.
Access rights, permissions and policies can no longer be at the system level, the database level, or even the table level. They need to be at the attribute level. When combined with role-based access privileges, attribute-based access control can provide maximum usage and protection.
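The attribute-level control described above, sketched as an added example (not code from this article or from any vendor's product): column classifications from a catalog are combined with the caller's role and purpose, unclassified columns are denied by default, and every decision is logged. All role names, classification tags, purposes and sample data are constructed assumptions.

```python
from dataclasses import dataclass

MASK = "***"

# Constructed catalog: every column (attribute) carries a classification tag.
CATALOG = {"customers": {
    "customer_id": "internal",
    "region": "public",
    "email": "pii",
    "ssn": "restricted_pii",
}}

@dataclass(frozen=True)
class Grant:
    purposes: frozenset   # permitted uses for this role/classification pair
    basis: str            # why the right exists (regulatory, contractual, ...)

# Constructed policy of record, keyed by (role, classification).
POLICY = {
    ("analyst", "public"):   Grant(frozenset({"analytics", "support"}), "internal sensitivity"),
    ("analyst", "internal"): Grant(frozenset({"analytics"}), "internal sensitivity"),
    ("support", "public"):   Grant(frozenset({"support"}), "internal sensitivity"),
    ("support", "internal"): Grant(frozenset({"support"}), "internal sensitivity"),
    ("support", "pii"):      Grant(frozenset({"support"}), "contractual obligation"),
    ("privacy_officer", "restricted_pii"): Grant(frozenset({"dsar"}), "regulatory guideline"),
}

AUDIT_LOG = []  # one entry per column decision

def read_row(user, role, purpose, table, row):
    """Return `row` with each column masked unless role and purpose are granted."""
    tags = CATALOG.get(table, {})
    result = {}
    for column, value in row.items():
        tag = tags.get(column)             # None: column was never classified
        grant = POLICY.get((role, tag))    # no matching grant means deny
        allowed = grant is not None and purpose in grant.purposes
        result[column] = value if allowed else MASK
        AUDIT_LOG.append({"user": user, "role": role, "purpose": purpose,
                          "column": f"{table}.{column}", "classification": tag,
                          "decision": "allow" if allowed else "mask",
                          "basis": grant.basis if allowed else None})
    return result

# Constructed sample row; "notes" is deliberately missing from the catalog.
ROW = {"customer_id": 1042, "region": "EMEA", "email": "a.lee@example.com",
       "ssn": "000-00-0000", "notes": "called about invoice"}
```

The same role sees different columns depending on the stated purpose, and a column added to a table without a classification stays masked until the catalog is updated.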
To further protect the data, security teams can put in place software that ensures there is no impersonation. This creates protection against external data breaches and ensures appropriate internal access (including access removal once employment has ended).
The at-scale collaboration between data governance, security and infrastructure teams has the potential to dramatically improve the quality of sensitive data protection. Like governance, an adaptive approach to securing data access and sensitive data classification works best for a constantly evolving organization.
Historically, organizations felt forced to choose between effective governance and business agility. Our partner, Okera, the secure data access company, was founded on the belief that this is a false dichotomy. Their software enables central IT to delegate the task of permissions management back to individual business units. Okera also ensures that complex attribute-based and fine-grained access control policies are applied consistently across all analytics tools, with a unified audit log to answer important questions surrounding data access. With their newly launched Collibra Connector, organizations can leverage the time and energy already spent documenting, curating and classifying data in the data catalog to enforce data access policies at the source – improving compliance while increasing business efficiency.
Understanding your data is critical to being able to secure and leverage it. Metadata and data lineage are critical foundational capabilities that will help you govern and manage sensitive data and emerging privacy regulations. Meeting the challenge of orchestrating this into an enterprise-wide effort, with data governance at the center, ensures your scalable response is embedded into an ongoing program that delivers business-critical value, not just a single compliance initiative.
Want to learn more about sensitive data classification and best practices for enterprise governance of processes, people, data, and technology? Don’t miss our joint webinar with Okera on October 15, 2020, Best Practices to Accelerate Enterprise Data Governance with Data Access and Protection.