Changing Regulations Lead to Refined Data Management Practices
New data privacy laws and standards are changing how organizations process and store data.
By Kristin Lewotsky, 06/30/2020
The role of personally identifiable information (PII) in the enterprise and the rules governing its use are changing. PII began as a byproduct of customer interactions, later evolving into a valuable asset in its own right. Today, its role is evolving yet again, courtesy of a rapidly proliferating collection of data privacy regulations.
The organizations that capture, store and process PII data are evolving from data owners into data custodians as well. That in turn requires changes to their data governance and data management policies. The road to regulatory compliance can be somewhat challenging. The good news is that the changes in data management bring benefits to the enterprise that extend beyond meeting standards.
What is Data Management?
Data management is the process of capturing, validating, storing, maintaining and securing data to provide it to internal and external users. The initial focus was to serve the needs of the enterprise by ensuring the quality, security and accessibility of the data. Forward-looking enterprises went a step farther, developing data governance frameworks to establish clear corporate policies for data management. These initiatives were driven from within the enterprise, with the objectives of the enterprise in mind. That state of affairs changed with the release of data privacy regulations such as HIPAA and General Data Protection Regulation (GDPR).
With the new focus on data privacy, data governance and data management are no longer purely internally focused and driven. Organizations have to review their operations and take steps to achieve and maintain compliance. By changing their approaches to data management, organizations can position themselves to more effectively respond to new data privacy regulations, not to mention benefit the business as a whole.
GDPR as a Template
Each of the data privacy regulations is unique, but GDPR provides a good jumping-off point for this discussion. Currently among the most stringent and penalty-intensive of the regulations, GDPR assigns eight rights to the data subject, including:
- The right to be informed
- The right to access the data captured
- The right to restrict processing
- The right to rectification
- The right of data portability
- The right to be forgotten
Fulfilling many of these rights requires effective data management to be able to find, retrieve and package the data for export, as well as to erase data as requested by the data subject. Discussion of data privacy regulations frequently focuses on the rights of data subjects to the exclusion of all else. Broader concepts are involved, however.
GDPR defines seven guiding principles that, taken together, can establish a culture of data protection and privacy across the enterprise. They are lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Some of these concepts, such as transparency, purpose limitation and data minimization, are the province of data governance more than data management. Others, such as accuracy, storage limitation, and data integrity and confidentiality, can only be addressed with proper data management.
The principle of accountability, for example, dictates that organizations take responsibility for the data they’re acquiring, what they’re doing with it and how they’re managing it. They’re accountable not only for their own staff and processing that takes place on their assets but also for their partners, third-party processors and even the software packages they use.
“Accountability requires organizations to demonstrate appropriate oversight and have an adequate understanding of what data they have, where it’s stored, who has access to the data, whether they’re internal personnel or third parties and more,” says Sam Goldstein, a consultant with Project Consulting Group. “It can be extremely difficult to practice accountability over your data processing activities without effective data management.”
Data Integrity and Data Minimization
Data of great integrity, that which can be trusted, delivers the greatest business value. Ensuring data integrity has always been part of data management best practices. That said, execution has often lagged aspiration. “Many companies, especially small and mid-sized companies, have not afforded it the attention it deserves, and therefore struggle with data quality and integrity,” says Goldstein.
The issue is that if the PII collected on users is inaccurate, then it may no longer serve its intended business purpose. The principles of data integrity and minimization hold that companies should now delete or correct that inaccurate data. “Not only is data quality considered a best practice, it’s become a fundamental component of compliance strategy,” says Goldstein. “That’s translating to data management practices.”
The issue of data quality feeds into the data subjects’ right to rectification. Putting data quality policies in place ultimately reduces the number of data rectification requests and operations. Those requests and operations can also be reduced by executing on another of the core principles: data minimization.
Back when data acquisition was considered a company-internal mandate, the philosophy was to acquire data based on the chance that it might provide future value. Data privacy regulations such as GDPR require a change from “gather everything and store always,” to “gather only what is necessary and store it for only as long as it serves a specific business purpose.”
“GDPR inverts the previous tendency to scrape as much information as possible without a data management strategy in place,” says Goldstein.
Change begins with data governance to establish what right action looks like in the context of acquiring and applying PII. It propagates out to data storage architectures and, ultimately, data management. Ironically, the more effective the data management execution, the greater the amount of data that can be captured while still meeting both the letter and the intent of the regulation.
“Very few companies actually want to restrict their access to data,” Goldstein notes. “It just means that there is a greater need to put more structure and intention around the data that they’re collecting.”
Support of data confidentiality, accountability and even data minimization can be furthered with a pair of increasingly popular data management techniques: anonymization and pseudonymization. Anonymized data has been scrubbed of all PII (name, address, phone number, birth date, picture, etc.). The data might still be useful for business analytics but is no longer subject to data regulations.
The process needs to be carefully managed. The greater the number of values in a data set, the greater the likelihood that they could be combined to enable identification of a data subject in the absence of PII entries. Some regulations (e.g., HIPAA) explicitly describe the alterations required to anonymized data. Others, such as GDPR, describe the result without detailing the specifics. Data scientists may also be able to run algorithms against the metadata to generate a probability that an individual could be re-identified using the anonymized data.
Pseudonymizing involves stripping out the PII data fields, but in such a way that the data can later be matched up again with individuals by anyone holding a software key. Pseudonymization enables data to be mined for business value while protecting the data subjects and maintaining compliance. A hotel, for example, could pseudonymize the customer file before releasing it to the analytics team to analyze occupancy trends for budgeting and staffing purposes. At the same time, the reservations and accounting departments could use the key to access the record of a given guest for customer service purposes. Goldstein explains that anonymization and pseudonymization represent an evolution in how companies balance data with privacy.
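One way to implement the hotel scenario above, as an added example that is not code from the article or from Project Consulting Group: PII fields are replaced with a keyed HMAC token, so the analytics copy carries no PII while the key custodian can recompute the token to find a given guest. It also measures the smallest group size on the columns that survive, the combination risk the preceding paragraph on anonymization warns about. The customer file, field names and key are constructed for illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample: a hotel's customer file (not real data).
CUSTOMER_FILE = [
    {"guest_id": "G-1001", "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0101", "room_type": "suite", "nights": 3, "month": "2020-06"},
    {"guest_id": "G-1002", "name": "Bob Example", "email": "bob@example.com",
     "phone": "555-0102", "room_type": "standard", "nights": 1, "month": "2020-06"},
    {"guest_id": "G-1003", "name": "Carol Example", "email": "carol@example.com",
     "phone": "555-0103", "room_type": "standard", "nights": 2, "month": "2020-06"},
]
PII_FIELDS = ("guest_id", "name", "email", "phone")
# Non-PII columns that survive pseudonymization but could still be combined.
QUASI_IDENTIFIERS = ("room_type", "month")

# Hypothetical key held only by reservations/accounting, never by analytics.
RE_ID_KEY = b"hypothetical-secret-key-held-by-the-key-custodian"


def pseudonym(guest_id: str, key: bytes) -> str:
    """Keyed pseudonym: same guest -> same token; unlinkable without the key."""
    return hmac.new(key, guest_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Strip PII fields and add a keyed token (the copy analytics receives)."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        stripped["pseudonym"] = pseudonym(rec["guest_id"], key)
        out.append(stripped)
    return out


def reidentify(pseudo_records, guest_id, key):
    """Key holder recomputes the token to locate one guest's record."""
    token = pseudonym(guest_id, key)
    return [r for r in pseudo_records if r["pseudonym"] == token]


def min_group_size(pseudo_records, columns=QUASI_IDENTIFIERS):
    """Smallest number of records sharing one quasi-identifier combination.
    A value of 1 means some guest is unique on those columns even without PII."""
    counts = Counter(tuple(r[c] for c in columns) for r in pseudo_records)
    return min(counts.values())
```

In the constructed file the single suite guest is unique on (room_type, month), so min_group_size returns 1: that column combination would need generalizing or suppressing before release.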
Authorization Management Practices
Protecting data by restricting access to only those with a legitimate need is a well-established data management and security technique. This sort of role-based permissioning is just part of a larger data management approach known as authorization management. Authorization management practices are undeniably effective. However, a tradeoff between data protection and convenience has always existed. Many organizations have leaned toward the side of convenience, particularly small- and medium-sized companies that often grant access to a large swath of the staff. When data governance and data management were internally driven, that approach wasn’t a problem. In the new regulatory landscape, however, the journey to compliance, coupled with the prospect of heavy fines for violations, is causing organizations to rethink their policies.
“Now we’re seeing these authorization management practices being implemented at a greater scale,” says Goldstein. “Even if it just involves general personal data, and not what we would consider sensitive personal data, more and more companies are clamping down internally on their data.”
This brings us to a key point, which is that the same data management techniques that are used to demonstrate regulatory compliance often benefit the business as a whole. “What’s very common is that we see companies making strategic business decisions to pursue a posture of GDPR compliance across the organization, regardless of where their data originates,” says Goldstein. “At the end of the day, these are regulatory and compliance matters, but they also have a strategic business impact.”
Organizations shouldn’t view compliance as an onerous task, but as an opportunity. “Embrace the journey,” says Goldstein. “The immediate goal for most organizations is to meet compliance standards and mitigate the risk inherent in data processing, both to the data subjects and the organization. As consumers become more educated in these matters, more and more companies will see increased value in maintaining focus on incremental improvements in data protection and privacy over time.”
Kristin Lewotsky is a freelance technology writer based in Amherst, NH.