Security, privacy, and risk do not have to be scary, but with GDPR, CCPA, and organizations moving to a risk-based approach to security rather than focusing only on compliance, they have become a daunting challenge. What is typically at the heart of an organization? Data and information. The common denominator that makes security, privacy, and risk more effective and, dare I say, easier? Data governance.
What is data governance?
Data governance is the capability within an organization to provide and protect high-quality data throughout that data's lifecycle. This includes data integrity, data security, availability, and consistency. Data governance includes the people, processes, and technology that enable appropriate handling of data across the organization. Data governance program policies include:
- Delineating accountability for those responsible for data and data assets
- Assigning responsibility to appropriate levels in the organization for managing and protecting the data
- Determining who can take what actions, with what data, under what circumstances, using what methods (see Data Governance Institute for details.)
- Identifying safeguards to protect data
- Providing integrity controls that ensure the quality and accuracy of data
How does data governance help with privacy management?
To comply with applicable privacy regulations, you have to know what data you have, where it is, how it is used, and who it is shared with, and you have to have processes in place to obtain appropriate consent and to access and delete the data on request. Privacy regulations are basically a business case for data governance. Imagine if organizations had already done extensive data mapping exercises before GDPR. Imagine if they already knew where their data was, why they held it, what it was, and how it was used before GDPR was passed. The transition to GDPR would have been far less painful.
How does data governance help cybersecurity?
In order to protect against threats, organizations need to know what data to protect and how to keep it protected. Information protection is at the core of security, but how can you protect information if you do not know what data you have, where it is, how it is used, and who it is shared with (and how it is shared)? Businesses can no longer put perimeter protections in place and call it a day; the perimeter has expanded to suppliers, cloud vendors, partners, and so on. Knowing which data is sensitive, where it lives, and who legitimately needs it is what lets security teams apply controls such as access restrictions, encryption, and monitoring where they matter most. So managing your data in a structured, responsible, and compliant way makes it more efficient for security professionals to protect it.
How does data governance help an organization manage information risk?
You need to know which data is most sensitive and critical to your organization, your most valuable information, so that you can allocate more resources to protecting it. No organization will be 100% secure, and very few organizations have unlimited people and financial resources to implement, operate, and improve cybersecurity measures. Therefore, businesses must take a risk-based approach and focus first on the most sensitive data assets.
Times are changing. Is it easy to design and implement a data governance program? No, or organizations would have them in place today. However, given the privacy regulations, the evolving threat landscape, the age of digitization, and expanding organizational boundaries, data governance is no longer optional for organizations that need quality data that is protected from cybercriminals and compliant with data protection laws.