By Tejasvi Addagada.
Most organizations have grown inorganically over the past few years through mergers and acquisitions in which planning for data lacked focus. Moreover, there is often no account of the growing volume of private information that is collected, or was collected, from customers, employees and third parties. Most of this personal information is exposed to threats and events such as malicious theft, accidental disclosure, failure of appropriate usage and non-compliance with regulations. This is increasingly a concern for regulators and organizations alike. One outcome of the current privacy environment is the General Data Protection Regulation (GDPR) in the EU, where individuals expect organizations to respect their privacy. The regulations are evolving, and organizations with global operations must adopt, globally, the highest regulatory requirements of any region, so that preparedness in one region can be leveraged in others.
Protecting an organization's reputation is the most significant risk management challenge today. Reputational risk, regarded as the greatest threat to a company's commercial value, is the potential that negative publicity about an institution will cause a decline in the customer base, reduce revenue and lead to costly litigation.
Most data privacy challenges can be addressed by the Data Management and Governance divisions together with the risk management functions. Privacy is defined in the Generally Accepted Privacy Principles (GAPP) as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information". Personal information can be a name, an email address, a government identification number or a tax return, to name a few. Let us look at integrating Data Management and Governance end to end with the ten generally accepted privacy principles –
Management
The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Strategy and Requirements for Data Privacy and Security Management
The Data Management Strategy must be developed and updated to include data privacy management. Both the Data Management Strategy and Data Privacy Management must be aligned with organizational objectives. In addition, the strategy should describe the target governance structure and organizational structure for Data Privacy and Security Management.
Formally establish Governance oversight
Roles and responsibilities are defined, communicated and enabled. The data governance division takes responsibility for drafting policy, having it reviewed, and publishing and communicating it to the grassroots of the enterprise. Policy and standards are reviewed and approved by the risk function, senior executive governing bodies and governing councils.
Data Management commissions working groups to draft and publish the standards for classifying data with respect to privacy and confidentiality.
Operational risk planning
The operational risk governance structure and processes are in place and operational. A risk assessment is commissioned every year by the second line of defense using Risk Control Self-Assessment procedures, to identify new risks and to understand the impact and frequency of events, including their risk scores. Information from historical loss events is considered when choosing response options. The response options include procedures to record the event, assess its impact, escalate, notify the responsible internal and external parties, commission root cause analysis and change the control environment. Awareness is promoted through a communication strategy and learning programs that strengthen the first line of defense across the enterprise. In-flight risks are recorded by the first line of defense and taken through risk governance, risk analysis, response and closure.
Notice
The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
The privacy notice describes
- Personal information collected
- The purpose for which it will be used
- Indication of legal requirement, if any for collection
- Consequence of not accepting to provide personal information
- If the information will be disclosed and under what scenarios, to which parties
- The retention, security, quality and monitoring aspects
- The entities, geographies, jurisdictions, types and sources of information.
Compliance with this principle is verified by evaluating the notices provided to customers and employees, along with the completeness and currency of the "dates of consent" recorded from those parties. The Data Privacy and Security Management division follows escalation and notification procedures when notices are incomplete or inconsistent.
Choice and Consent
The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
It must be ensured that the choices of individuals are captured accurately, and that consent, opt-ins and opt-outs are carried consistently along the data lifecycle. The data domain and datasets associated with customer preferences, the processes or functions for which the customer opted in or out, last-updated dates and the other related data elements must be actively managed.
Data privacy management ensures that the policy and procedures require the customer's consent to be obtained again whenever private information is to be used for a new purpose.
Collection
The organization collects personal information only for the purposes identified in the notice.
Data Privacy Management must ensure that the privacy policies are aligned with regulators across jurisdictions. This requires that cross-organizational enterprise data governance is aligned with the Compliance and Legal functions, so that the organization is registered with the relevant regulatory bodies.
The collection of data from a customer corresponds to the Obtain phase of POSMAD (Plan, Obtain, Store and Share, Maintain, Apply, Dispose), in which data is obtained from the customer. The organization might acquire financial information, tax information and demographic information, to quote an example. The data that is obtained must be well defined in the metadata repositories, to remove ambiguity about the purpose for which it is applied.
When data about a customer is acquired from third parties, the Data Governance function should ensure oversight of the procedures for establishing the engagement, communication, and recording agreements on data quality and data transfer. Data privacy management should ensure that not only the data acquired from the customer but also derived data, such as customer purchasing behavior, is adequately classified for risk and managed in accordance with policy and guidelines. The division should also record in the metadata repository the processes or functions in which each data element is acquired, together with the systems and people that acquire it. This simplifies the data landscape in scope for privacy.
Use, Retention and Disposal
The Organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.
The organization retains personal information only for as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of it. The data privacy and security division should define an adequate framework for defining entitlements. This framework must be published and communicated across the enterprise through data stewardship and data ownership. A sample is provided below –
The Data Governance office ensures that the use, retention and destruction of data are documented in the policy in line with legal, regulatory and internal requirements. For example, financial information about an individual such as "Gross Salary before tax" can be used for processing business transactions such as payroll and taxes, or other compensation schemes. In this scenario, the data element "Gross Salary before tax" should be associated with the processes, such as payroll, that apply and update it. The same mapping should be performed for the systems (payroll) and the people (accountant, payroll analyst) who apply and maintain "Gross Salary before tax".
The data owners take responsibility for classifying the data element, defining its entitlements and defining the data-to-process/system/people mapping, while the downstream systems, people and process SMEs ensure that the entitlements associated with the data element are followed and that adherence is documented.
Accountabilities and responsibilities
Data owners are accountable, and data stewards are responsible, for classifying data elements, defining entitlements and any associated distribution rules, and defining the data-to-process/system/people mapping. Data Governance is responsible for ensuring that the classifications and entitlements for private information are available in the metadata repository. The data owner is responsible for reviewing the classifications applied to data yearly, or whenever the data element or its context changes. Any project looking to leverage a data element must approach the data steward, who directs the project to the right data owner for authorization. This applies to data elements classified as "Direct Client Identifying data" or "Indirect Client Identifying Data", or carrying the security classifications "Internal", "Restricted" or "Highly Restricted". If the intended use requires new consent from the customer, the relevant consent service is triggered.
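As an added illustration that is not part of the original article, the following Python sketch models one metadata-repository record for the "Gross Salary before tax" element discussed above and the authorization path the text describes: a use outside the notice is escalated through the steward to the data owner, a use inside the notice but not consented to triggers new consent, and an entitled system/role pair is allowed; a retention helper covers the disposal decision. The class names, the purposes "payroll" and "taxes", the entitlement sets, the retention limit and the consent record are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DataElement:
    """Metadata-repository record for a privately classified data element."""
    name: str
    privacy_class: str      # e.g. "Indirect Client Identifying Data"
    security_class: str     # "Internal" / "Restricted" / "Highly Restricted"
    owner: str              # accountable data owner
    steward: str            # responsible data steward
    purposes: frozenset     # purposes stated in the privacy notice
    entitlements: dict      # purpose -> {(system, role)} allowed to apply/update it
    retention_days: int     # retention limit after last legitimate use

@dataclass(frozen=True)
class Consent:
    """An individual's recorded choices and the date they were last updated."""
    subject: str
    opted_in: frozenset
    updated: date

def authorize_use(elem, consent, purpose, system, role):
    """Check a requested use against notice, consent and entitlements; returns (decision, reason)."""
    if purpose not in elem.purposes:
        # Outside the notice: the steward routes the request to the data owner for authorization
        return "ESCALATE", f"route via steward {elem.steward} to owner {elem.owner}"
    if purpose not in consent.opted_in:
        # Purpose is in the notice but this individual has not consented to it
        return "NEW_CONSENT", f"obtain consent from {consent.subject} for '{purpose}'"
    if (system, role) not in elem.entitlements.get(purpose, set()):
        return "DENY", f"{system}/{role} not entitled to '{elem.name}' for '{purpose}'"
    return "ALLOW", f"{elem.security_class}: '{elem.name}' may be used for '{purpose}'"

def retention_action(elem, last_used, today):
    """Dispose once the element's retention limit has passed since its last legitimate use."""
    return "DISPOSE" if (today - last_used).days > elem.retention_days else "RETAIN"
# Constructed sample record for the article's "Gross Salary before tax" element
GROSS_SALARY = DataElement(
    name="Gross Salary before tax",
    privacy_class="Indirect Client Identifying Data",
    security_class="Highly Restricted",
    owner="HR Data Owner", steward="HR Data Steward",
    purposes=frozenset({"payroll", "taxes"}),
    entitlements={"payroll": {("payroll", "accountant"), ("payroll", "payroll analyst")},
                  "taxes": {("payroll", "accountant")}},
    retention_days=7 * 365,  # assumed limit; the real value comes from retention policy
)
# Constructed consent record: this employee opted in to payroll processing only
EMPLOYEE_CONSENT = Consent("emp-001", frozenset({"payroll"}), date(2018, 5, 25))
```

Calling `authorize_use` for the "taxes" purpose returns `NEW_CONSENT` because that purpose is in the notice but not in the employee's recorded choices, which is the case where the article says a new consent must be obtained.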
Data Lifecycle Management
A data lifecycle management strategy must be defined and endorsed by the relevant stakeholders, and a data lifecycle management roadmap must be developed and implemented. The storage governance structure, archival procedures, and data transfer and decay processes and procedures should be operational. Data stewardship formalizes the accountabilities of data owners and SMEs in data lifecycle management. For example, the function should commission the erasure or destruction of records in accordance with the decay and retention policies, regardless of the method of storage (electronic, optical media or paper).
Access
The organization provides individuals with access to their personal information for review and update.
When individuals request access to their personal information, the most current and accurate information should be provided, on authorization from the data owner. Any further request to maintain or update existing records is taken through the procedures for updating personal information, and the change must also be applied in the golden sources and systems of reference wherever the same data element exists. If third parties have agreed with the organization to access the data, the changes should be shared with them. All changes to personal information should be auditable.
The data owners should report changes to personal information to the line of business and the data governance division quarterly. It is a data privacy management best practice to keep the latest, most accurate and current information for the data elements classified as private.
Disclosure to Third Parties
The organization discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Any data that is enhanced or transformed outside the organization is the responsibility of the organization performing the transformation. The data quality function ensures that data transferred to a third party is accurate, complete, consistent, relevant and valid. The profile of the data must be stored in the metadata repository by the profiling group, while the data quality rules are defined by the data owners and SMEs. The third-party sourcing agreement should clearly define the purpose for which the data will be used.
Security for Privacy
The organization protects personal information against unauthorized access (both physical and logical).
Privacy policies must adequately address the security measures that safeguard personal information, whether in electronic, paper or other forms, and those measures must be consistent with the sensitivity of the information. The Data Privacy and Security function calls for a communication and training program, and must describe the need for education and training to ensure stakeholder understanding, buy-in and compliance with the data privacy and security program. Content governance ensures that data classifications, including data management characteristics and data security and privacy classifications, are established. Stewardship and program governance ensure that privacy by design is embraced. Security controls for private data are established at the data service level wherever applicable, rather than at the application level. The divisional and governance forums ensure that guidelines for data controls are in place for new capabilities and for changes to existing ones. Once Privacy Impact Assessments have been performed, the gaps are analyzed and a program to establish a control environment for such data is commissioned in line with the funding model. Any non-adherence to established controls must be signed off by the governance council, with adequate evidence, before the controls are bypassed. Data owners mandate the use of encryption wherever data is transmitted. The controls include administrative, technical and physical controls to secure sensitive data.
The data quality function ensures that adequate integrity controls are in place to maintain the data, while data privacy and security ensures that modifications are performed only by designated roles. The data governance function must be aligned with the information security policy.
Quality
The organization must maintain accurate, complete, consistent, timely, and relevant personal information for the purposes identified in the notice.
The data quality operating model and processes must be defined and made operational. Data is profiled, analyzed and described against the data quality dimensions in the enterprise repositories and golden sources. The data owners should document data quality rules based on the characteristics of the data found in profiling. The data stewards, together with the council, must ensure that data elements are extended and enriched based on their context. The data delivery services should ensure that the environment abstraction and data transfer requirements are met. Data quality assessment and monitoring is performed according to the nature of the data operation and the lifecycle stage. The key control indicators (KCIs) are continuously monitored by data stewards and data owners in the control scorecard. Any errors in the data must be handled by the data remediation function, with adequate root cause analysis documented.
Monitoring and Enforcement
The organization monitors compliance with its privacy policies and procedures and has procedures to address privacy related inquiries, complaints and disputes.
The Governance function enforces authority and formalizes accountability while evaluating, directing and monitoring the data privacy management activities. The KCI scorecards for data quality, metadata, architecture and security are kept available and monitored continuously for breaks in process. Escalation procedures are established and personnel are held to them. Evidence of control effectiveness and efficiency must be made available by the governance function for audit.
Establish Program and operational Governance
Once program governance is in place, governance is applied to every change in the organization, where policy and standards are enforced and auditable. This ensures that every new capability or change to an existing process, system or organization structure is assessed for privacy impact. The assessment plan must clearly articulate how the data privacy program will be measured and evaluated, and metrics are defined to track program adherence, progress and outcomes. Data privacy management ensures that all privately classified data elements are classified and their entitlements recorded in the metadata repositories.
The approach and mechanism for policy self-assessment, both internal and external, must be established. The self-assessments are conducted on processes, systems and people, taking the organization's culture into account. The risk scorecards and performance scorecards are updated to show the risk profile of the organization and its appetite for risk taking. The appetite and tolerance limits are updated yearly by the Governance and risk functions, or are cascaded from the group to the data privacy management division. Whenever there are external changes, such as environment or market changes, the appetite and tolerances must be analyzed for impact.