Optimizing Privacy Management through Data Governance – Part I: Understanding Personal Data
Organizations are struggling to excel at both privacy management and data governance, and the struggle intensifies when the two initiatives are executed independently of each other. If we look closely at robust and successful programs in these areas, we see substantial overlaps. These overlaps need to be understood and optimized to eliminate redundant or even conflicting effort. This five-part series dives into data governance and privacy management best practices to help you efficiently manage personal information now and in the future as data and privacy requirements evolve.
- Part 1: Understanding personal data, privacy management, and data governance
- Part 2: Aligning for success
- Part 3: Maintaining awareness
- Part 4: Supporting with technology
- Part 5: Monitoring and measuring (Scheduled for March 2021)
Part 1: Understanding personal data, privacy management, and data governance
The concept of personal information has become more broadly understood since the European Union implemented the General Data Protection Regulation (GDPR) in 2016; however, geographical and cultural differences still exist in how personal information is defined. For our purposes, personal information is any digital or hard copy data that can be directly or indirectly related to a “natural person.” It is important to understand that we mean more than just personally identifiable information (PII). The scope of privacy management can include transactional information that does not contain PII. If the transactions could be combined with other information that connects the data to a specific individual, we must protect it. For example, if I tell you that a certain person has six fingers on their right hand, you probably will not be able to identify that person; however, if you discover through other sources that the person I mentioned lives in Watch Hill, Rhode Island, with a population of 154, you would be able to identify that person with minimal effort.
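The linkage risk described above, as an added example that is not part of the original post: it measures how many records share each combination of indirect attributes (quasi-identifiers) in a dataset that holds no direct PII, flags the records a single outside fact could tie to one person, and shows suppression of the distinguishing attribute as a mitigation. The record layout and values are constructed for illustration.

```python
from collections import Counter

# Constructed sample: transactional records with no direct identifiers (no name, no ID number).
# "town" and "hand_trait" are quasi-identifiers: facts an outside source could link on.
RECORDS = [
    {"order_id": 1001, "town": "Providence", "hand_trait": "none", "item": "gloves"},
    {"order_id": 1002, "town": "Providence", "hand_trait": "none", "item": "hat"},
    {"order_id": 1003, "town": "Providence", "hand_trait": "none", "item": "scarf"},
    {"order_id": 1004, "town": "Watch Hill", "hand_trait": "six fingers, right", "item": "gloves"},
    {"order_id": 1005, "town": "Watch Hill", "hand_trait": "none", "item": "hat"},
    {"order_id": 1006, "town": "Watch Hill", "hand_trait": "none", "item": "boots"},
]


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def reidentification_risk(records, quasi_ids, k_min=2):
    """Return the records whose quasi-identifier combination is shared by fewer than k_min records.

    A record with k == 1 is unique on those attributes, so anyone who learns those attributes
    about a person (e.g. town plus a visible trait) can single out that person's row.
    """
    classes = equivalence_classes(records, quasi_ids)
    risky = []
    for r in records:
        key = tuple(r[q] for q in quasi_ids)
        if classes[key] < k_min:
            risky.append({"order_id": r["order_id"], "k": classes[key], "quasi_ids": key})
    return risky


def suppress_attribute(records, quasi_ids, drop):
    """Mitigation: remove the attribute that makes records unique before the data is shared.

    Returns the reduced records and the remaining quasi-identifier list so the risk check
    can be re-run on the result.
    """
    remaining = [q for q in quasi_ids if q != drop]
    reduced = [{k: v for k, v in r.items() if k != drop} for r in records]
    return reduced, remaining
```

Re-running the check after suppression is the point: the released data should have no record that a single outside fact can pin to one individual.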
Sensitive personal information can be anything that could be used to harm an individual or their reputation through bias, social shaming, or other methods. The most common examples are medical history; criminal records; and religious, political, or union affiliations. Sexual preference is also considered sensitive personal information. It is very important that we understand the risks involved and take the appropriate steps to protect the information on behalf of the individuals. A privacy management program helps make sure we are taking the right steps.
Privacy management is primarily a risk management program to prevent the collection, processing, and sharing of personal information from negatively impacting the individual to whom the data relates. As individuals, we have the right to know who is collecting data about us, how it is being used, and how we will be impacted. These basic rights are central to privacy management. The term “data privacy” is often used for privacy management and is ultimately a key goal; however, a robust privacy program extends beyond data and information systems to regulatory awareness, education, building security, physical records management, public relations, and contract management.
The U.S. National Institute of Standards and Technology (NIST) released its data privacy framework in 2020. The framework breaks down the key activities necessary to support privacy management.
- Identify. Catalog personal information collection and processing. Gather information required to manage privacy risk, such as regulatory requirements, customer/public expectations, and accountability.
- Govern. Align and engage the stakeholders in overseeing processing activities and privacy risk.
- Control. Take appropriate steps to reduce privacy risk and protect the individuals on whom we hold data.
- Communicate. Provide clear and transparent flow of relevant information to help monitor processing activities and inform the individuals.
- Protect. Implement appropriate safeguards to avoid, detect, and respond to privacy breaches.
Similar to privacy management, data governance has a significant risk management component. The goal of data governance is to ensure data is managed appropriately to minimize risk and optimize data value and internal processes. Ideally, data governance efforts and outcomes are aligned to the organization’s strategic plan. Key activities for data governance include the following:
- Identify and catalog data assets, owners, stewards, consumption, issues, and risks.
- Assess data value and risk (probability and impact).
- Oversee metadata and taxonomy to support data discovery and literacy.
- Oversee the data through its lifecycle with guidelines, standards, policies, stewardship, and control plans, covering:
  - Master/reference data management
  - Quality management
  - Acquisition and integration
  - Architecture
  - Access and consumption
  - Storage and operations
  - Retention and destruction
- Monitor data risk, value, compliance, data collection and processing, and data cataloging.
Ultimately, data governance can be leveraged to enable privacy management and facilitate the goal of privacy by design.
The activities listed in the NIST framework are necessary to support data governance; however, the scope of data governance includes non-personal information. An effective data governance program must include the inventory, classification, and cataloging of data assets including personal data.
Figure 1: Segregation of activities
Data governance is responsible for ensuring data assets are of sufficient quality, and that access is managed appropriately to reduce the risk of misuse, theft, or loss. Data governance is also responsible for defining guidelines, policies, and standards for data acquisition, architecture, operations, and retention, among other design topics. In the next blog post, we will discuss in more detail the segregation of duties shown in Figure 1; however, at this point, it is important to note that modern data governance programs need to take a holistic view to guide the organization to bake quality and privacy controls into the design of products and services.
Privacy by design is an important concept to understand and a requirement of modern privacy regulations. At the simplest level, it means that processes and products that collect and/or process personal information must be architected and managed in a way that provides appropriate protection, so that individuals are harmed neither by the processing of their information nor by a privacy breach.
Not all privacy breaches involve malice. Organizations have experienced breaches related to how they managed physical records containing personal information because staff were not trained to handle the information properly. Scenarios include incorrect disposal of records, or even leaving boxes of records unsecured during a move or renovation where they could be easily accessed, stolen, or copied. The use of personal external drives to transfer large files containing personal information, and unsecured home offices, are common problems for many companies that can be addressed through internal privacy policies and training.
Detecting and responding to a data breach requires strong organizational alignment, communication, and collaboration. Having data management resources aligned to support privacy management through data governance can improve our ability to know when a breach has happened and respond appropriately without delay. Insufficient alignment will result in undetected breaches, confused response plans, and delays.
Our next article will discuss the challenges of aligning your organization to better support both privacy and data governance, with suggestions for eliminating redundancy and optimizing functional touchpoints.