The term compliance is most often associated with control. It evokes visions of restrictions, regulations and security protecting something which is to remain private. The term open is most often associated with access, and it evokes visions of an absence of restrictions, regulations and security – making something available which is to remain public.
Based on these concepts, it would seem safe to assume you could not be open and compliant at the same time. Let’s examine that assumption in relation to compliance within data management, governance and – specifically – privacy.
In this context, compliance is a combination of personal privacy and industry compliance. For example, I want access to my personal health information to be restricted, regulated and secured. In the United States, HIPPA regulations enforce this for the health care industry. Similar regulations exist in other countries and industries to protect sensitive data and personally identifiable information (PII). One example is the soon-to-be-implemented European General Data Protection Regulation (GDPR).
Industry compliance, therefore, forces organizations to protect personal privacy. While a lack of compliance may be most immediately felt in the cost of regulatory penalties, it can also lead to a damaged business reputation and an increase in customer attrition – because customers want to do business with organizations they trust will keep their sensitive information secure.
Being both open and compliant
While greater visibility and actionability are often-cited goals of an open environment, its flip side is the possibility of public exposure of sensitive data, or the revelation of noncompliance with regulations. But it is possible to be open and compliant at the same time.
For example, you can make users aware of the existence of sensitive information (e.g., health records) while still restricting access to it. You can also clearly communicate the security protocols that need to be followed to access sensitive information. So, open doesn’t mean an all-access pass to all available data. Instead, open is about revealing what data is available while controlling access, and level of access, to data.
Another word for open is transparency. E-commerce, online support and self-service portals have given rise to an increase in transparency since these environments require making more data available, revealing whether or not this data is accurate and if it's being kept secure (e.g., sensitive data should be masked). These open environments can actually improve compliance by granting customers the right to review and update data the organization has that describes them, while also granting or revoking the organization’s permission to use the data for specific uses.
As David Loshin explained, this will establish:
“...an agreement between the customer and the organization that basically says the organization will protect the customer’s data and only use it in ways the customer has authorized – in return for the customer ensuring the data’s accuracy and specifying preferences for its use. This model empowers customers to take ownership of their data and assume responsibility for its quality. Clearly articulating each party’s responsibilities for data stewardship benefits both the organization and the customer by ensuring that customer data is high-quality and properly maintained.”
This approach would openly demonstrate compliance with industry regulations and personal privacy requirements, enabling your enterprise to be open and compliant at the same time.
Learn how SAS can help identify, govern and protect personal data
