As our digital world continues to turn and data relentlessly proves to be one of the most powerful resources at our fingertips, the consistent concern for privacy stakeholders remains entrenched in a single question:
How can data governance be organized so that privacy operations are streamlined and help support compliance requirements?
Ultimately, implementing a mature data governance program can help you move away from one-off, ad-hoc data privacy processes that lack sustainability and move you toward sustainable processes that can help streamline privacy operations.
Upcoming privacy regulations & how they’ll change data privacy
While many privacy stakeholders at large enterprises have had a few years of experience supporting GDPR and CCPA requirements, it is still challenging to manage privacy in a sustainable way.
For enterprises operating in the United States, a number of regulations are on the horizon.
The California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA) will both be enforced on January 1, 2023. The Colorado Privacy Act’s (CPA) enforcement date follows closely behind on July 1, 2023.
With these upcoming regulations in mind, their pending enforcement dates catalyze a two-fold question:
- Do you understand what these data privacy regulations mean in relation to your current data governance practices?
- Further, are your current data governance processes aligned with the work of becoming compliant with these new regulations?
Data governance and data privacy: how they intersect
It’s crucial to understand major factors about your data in order to ensure you’re doing things by the book. To ensure compliance with regulations you need to know where your data is, how it’s used, how long you should retain it and where the data goes. Data governance can answer these questions. For example, having a high-quality data catalog of personal information can optimize the data subject rights process.
Three privacy problems stakeholders face in the current data privacy landscape
Being able to quickly and sustainably support compliance with new regulations is going to be dependent on the maturity of your data governance program. But governance processes aren’t just a concern when looking through the lens of new and upcoming regulations.
Overall, ad-hoc fixes and non-repeatable operations can cause a mess of issues that make data governance and compliance unnecessarily burdensome. Without an understanding of the importance of automated, sustainable privacy operations, ungoverned data can end up creating more issues than existed in the first place.
Here are a few common hurdles:
Outdated & unreliable manual processes for data inventory
Large enterprises with well-established governance and privacy teams struggle with manual processes to inventory their data. Though many of them have already implemented a data discovery solution, the next step, data inventory, becomes increasingly complicated.
Much of the information available, inventoried from different sources, could exist in a spreadsheet where a data steward is manually updating and monitoring that information. This approach might work on a smaller scale, but some enterprises have hundreds of data sources and applications where data is created and later needs to be purged.
Manually maintaining the inventory can leave it full of stale, inaccurate, and unreliable information and cause problems when it comes to compliance and workflow.
A lack of privacy context when dealing with data
Privacy alignment and regulatory compliance typically require the full context of where, what, who, why, when, and how data is used. In other words, there needs to be context about how long you’ve had data and at what point that data should no longer be retained.
What exactly are the consequences of not providing privacy context for your data?
One consequence of not having the right processes and privacy context in place is that data subject rights fulfillment can be unnecessarily complex and lengthy for the privacy office. They may be unsure of who owns the responsibility of deleting information from certain systems. They may also struggle with understanding the retention period for the data. This increases the risk of not meeting the 45-day timeline under the CCPA to complete the data subject request.
Manually documented lineage
Technical lineage is a form of data mapping that traces the “path” of a particular data element throughout the organization from its initial origin to its final destination.
Large enterprises with well-established governance and privacy teams struggle to create a comprehensive lineage view of their data. Lineage is often captured by focusing on a handful of data elements at a time and manually tracking that group from system to system. This information is collected by examining each system individually and scouring the database tables for the priority data elements.
This process is significantly time consuming and provides minimal value. Most of the lineage information is stored in various manually maintained spreadsheets, which carry increased risk when extract, transform, and load (ETL) procedures are captured. Spreadsheet-based lineage does not offer a comprehensive visual diagram and is difficult to use when making a decision.
Disconnected processes that do not operationalize data privacy
Without an integrated operating model between data governance teams, IT teams, privacy teams and others, your people, processes, and technology are likely to be out of sync when it comes to operationalizing data privacy.
While the responsibilities of knowing where data lives, who owns that data, who the data is shared with, and how access is managed typically fall under the data governance team, increasingly the privacy office has had to stand up its own data inventory to gain visibility of sensitive data. This duplication of responsibility means that data inventories do not scale, and it is symptomatic of a much larger issue, too: disconnection.
Data visibility and proper data use, sharing and retention are a collaborative effort from every member of your enterprise: from finance and executives to IT and analysts.
How to create sustainable data intelligent privacy practices: why investing in the right technology matters
Privacy stakeholders can collaborate under a single, integrated platform with shared processes and visibility of data through the Collibra Data Intelligence Cloud. The platform tightly integrates data governance, catalog, lineage, and workflows to support privacy use cases from inventorying sensitive data to governing data for data subject requests.
PwC’s Info Governance & Privacy team
Companies are transforming how they navigate everything from customer experience to third-party relationships to regulations to an expanding threat landscape borne of the sheer volume of data. And they must do it all while being innovative, finding new opportunities, delivering value and remaining competitive. Converting data into value, securely and ethically, is the business imperative for the next decade.
PwC’s Information Governance & Privacy team helps clients better unlock the value of data. Our solutions are inspired by the value protection and value creation potential of data and are designed to help organizations establish trust capabilities across the entire data lifecycle. Our team of experienced data engineers and cybersecurity/privacy strategists brings decades of experience to help clients responsibly manage their data lifecycle and tackle privacy compliance.
Getting started: how to begin your best data privacy practices
Sustainable privacy compliance is getting attention, more now than ever, from enterprise leaders. To influence and scale privacy operations across teams, you may want to ask yourself a few key questions:
- Does your current data governance program align with your upcoming needs in the face of new privacy regulations?
- Are you still manually entering and inventorying your data while relying on an overwhelmed team?
- Is it clear in your current system who is accountable for personal information, providing context, and aligning with compliance for new regulations?
- Is it clear in your current system how personal information flows between systems in your architecture?
- What do you stand to lose if data governance and privacy programs remain disconnected?
Asking these questions can lead to a new data privacy strategy at your company and ensure sustainable privacy compliance across the organization.