Understanding data access in a complex world
What is keeping executives up at night in this rapidly changing world that is affected by big data, digitization, Internet of Things data and so on? Do you think it’s risk, regulation, and compliance? We are certainly worried about these areas, even if we don’t think we are. Everything in our life has some level of risk associated with what we do and how we do it. That level depends on some rules, either rules in the workplace or rules around us.
What are the challenges that contribute to risk factors? When we talk about information management today, we need to be worried that our data can be compromised, the access can be given to the wrong people or the wrong people can gain access to it. Users do require greater access to and control over information. The practices we continue to use are those of the past. They have not yet evolved to take advantage of the capabilities and advancements available now, and they cannot handle the exploding volumes and complexities of the information that exists today. They also do not support needed information-sharing and collaboration in many workplaces. Implementing cloud technology is helping to resolve some of the problems, but many enterprises are still not willing to shift into the cloud environment because of privacy and data protection.
Unquenchable thirst for data
The idea of big data has been around for a while given the mass of information collected from sensors; generated from logs; and created by 3D and 4D tools, business emails, data stored in electronic and paper formats, and transactional data in vertical applications. These legacy data sources still exist even after the data has been collected, cleansed, converted and migrated—just in case the data may be needed again one day.
Consider as well how the mobile Internet became one of the most important trends in our society. Media and Internet connectivity based on mobile devices such as smartphones and tablets reflect the growing demand sparked by the Internet generation for access to information anywhere around the globe at any time. And consumers want more such as a personal assistant with voice recognition to notify when the best opportunity is available for grocery special sales around the corner, for example, or alerts and notifications of important calendar events and so on. A growing number of devices are designed to be networked to help improve customer engagement, despite the rise in security and privacy threats that potentially exists with every new connection.
Companies such as platform providers, content providers and device manufacturers have an interest in gathering data on users and their behavior, including personal data that can be used to recommend content to users or to better target advertising. Such demand is creating an ever-growing amount of personal data remotely in the cloud and services that are designed to access this data.
Increasing risks are associated with more advanced technology as well, and they can lead to data privacy violations and security breaches. To address these risks, data privacy needs to be made a top priority in overall information governance strategies.
Several countries are increasingly adopting new data protection rules, especially by increasing the number of and changing rules involving cross-border transfers of personal data. The idea of privacy increasing the complexity of regulatory compliance may seem odd to the users in the US. Privacy laws and regulations are quite different in the US compared with the European Union and most of the rest of the world.
The US conception of privacy is derived from the historical roots of the US Constitution: the right to live, speak and worship without governmental constraint. The EU concept is based on sensibilities of dignity and the right to associate freely within the society. Privacy law and identifications of sensitive data vary from country to country, but privacy laws that require companies to hold sensitive data only while it is needed and for the purpose for which it is specified is common for all.
What happens if we do not follow the rules and leave the sensitive information around? In the event of data breach, the impact of noncompliance with privacy laws can result in penalties and negative publicity. Today, when the information continues to grow and organizations continue to keep it, asking who owns and manages the information is important. Other questions to ask need to be what are the policies for email, and how do we protect personally identifiable information (PII) and protected health information (PHI)? If we cannot answer these questions—and we often cannot—risk increases.
The information governance requirement
Without an information governance model, information sharing is limited within growing volumes of information, which can result in a negative impact on an organization where managing the information becomes increasingly challenging over time. The complex nature of business processes that cross geographic boundaries and challenge organizations both internally and externally, current management practices and system design practices force businesses to shift toward enterprise ecosystems of collaborative thinking. With the new systems of engagements, we need to recognize that privacy and security are essential components of information governance. We need to establish new governance policies to protect individual privacy laws, where rules may be defined in this manner:
- Personal data needs to be masked when copied into an unsecured data store.
- Terms such as personal data and unsecured data store are values in the classification schemes for data confidentiality and data-store type.
- Policies and associated rules can be defined to support internal corporate policy, legislations and regulations that apply in a specific country or industry or in particular information management best practices.
- The policy description should go on to describe what privacy means and the type of data to guard against. Links to related legislation or internal policy documents can be included.
Data confidentiality needs to be preserved with appropriate policies to determine the level of confidentiality of data and the requirements for handling and disclosure of data to ensure that the appropriate controls and accesses are in place and continuously monitored. And helping ensure protection of the information in such collaborative, integrated environments becomes extremely important, particularly where access to information with the ability to control or deny that access is key.