In the past couple of months, I've been approached by a number of clients asking about the role of the chief data officer (CDO) in instituting appropriate data governance processes and procedures to address regulatory compliance. This is motivated in part by the European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018 and demands some level of data management accountability for protecting personal data. But my impression is that we're at a tipping point in terms of awareness of the connections between external pressures for data protection and effective, internally defined data protection policies.
Consider that the GDPR is only the tip of the iceberg; the full impact of compliance won't be determined until we begin to see which organizations are alerted to their noncompliance, and penalties are assessed. A number of US states are developing legislation and passing laws about data privacy that are similar in tone to GDPR. In particular, California has passed the California Consumer Privacy Act (CCPA) mandating protection of “personal data” (that is in quotes for a reason – stay tuned).
Not only that, there is growing recognition of the risks of exposing individuals’ personal and private information, alongside emerging indignation over corporations using and selling what is believed to be personal or private information. Couple that with the increasing number, volume and breadth of data breaches, and the result is yet more interest in governmental intervention and protection. The directives for protecting “personal” information are raising awareness of general concepts of protection for any kind of “sensitive” data. Finally, once we start thinking about data governance for data protection (for the sake of regulatory compliance), it becomes critical to consider the other aspects of governance that regulatory compliance requires.
Three key points for chief data officers
All things considered, I believe there are three key points for the CDO to consider when looking at data governance for regulatory compliance and data protection:
- Regulatory compliance implies the need for data protection.
- The scope of regulatory compliance covers more than just protecting data.
- The scope of data protection extends beyond regulatory compliance.
Let’s break these points apart by doing a close reading of an example regulation, CCPA. First, I think it's interesting that the text of the assembly bill I found online has the phrase “personal information” in it 204 times. But the phrase is used 142 times before it's defined. That being said, their definition of “personal information” is:
(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
To give the California state government credit, this definition is both detailed and relatively broad. It provides insight into the types of personal information individuals are concerned about and want to have some control over. But CCPA (like GDPR) is not alone in its directives for data protection. Other US (and global) regulations that direct aspects of data protection include the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), China’s Ministry of Industry and Information Technology (MIIT) Personal Information Security Specification, Singapore’s Personal Data Protection Act, and New York State’s Stop Hacks and Improve Electronic Data Security Act (SHIELD). All these laws define rules about individuals’ personal or private data as well as mandates for transparency, so that individuals can know what data is captured and how it is used.
Aside from layering on the demands for enforcing compliance with data protection rules, there is a deeper implication here. These same collections of individual data are going to be subject to a growing set of regulations. And each regulation will have its own definition of “personal” or “private” data, its own set of specifications of individual rights associated with organizational management of that data, its own set of directives for compliance, and its own set of expectations for compliance reporting and auditing.
Now turn this around and consider it from the perspective of an arbitrary data asset. For each data asset, there will be a need to determine whether it contains information covered under any of the regulations, which regulations apply, which directives are associated with each regulation, the methods by which compliance is observed, any methods for validating and reporting on compliance, and so forth (you get the idea). At least when it comes to personal data protection, this creates a requirement for data asset classification, categorization and documentation. I’ll look into this topic in my next post.