Click to learn more about author Kyle McNabb.
Let’s level-set: Data privacy regulations like the GDPR and CCPA are the tip of the iceberg, and enterprises need to start addressing privacy compliance and its related challenges immediately. Wait – don’t click away from this article. I promise it won’t be beating the dead horse of regulatory compliance.
Admittedly, the privacy regulation conversation can feel like a dead horse when it is so frequently discussed. It’s a constant reminder that organizations have a lot of work to do: They need to know where personal and sensitive data lives within the enterprise, they need to know whose data it is, and they must ensure its collection and use is compliant. And there are real reasons these objectives must be achieved. Compliance will not only ensure organizations avoid hefty fines, it will also help them to optimize Data Management. In a 2020 survey, 39 percent of IT leaders said data regulations help their teams use data more effectively.
Again, this is not to beat a dead horse – it’s to remind IT leaders that they haven’t even been talking about the full horse. Because while many organizations have started to address privacy compliance for their structured data residing in databases and data lakes, most have neglected to account for unstructured data and content. With the explosive growth of records and the widespread remote workforce, there is a vast volume of unstructured data living in documents and records (e.g., Microsoft Word documents, reports, spreadsheets, and emails) that continues to grow. According to a 2020 AIIM study, the amount of information coming into organizations will increase up to 4.5 times in the next 18 to 24 months – and 60 percent of that data will be unstructured.
Clearly the data privacy regulation horse is alive and kicking, and in desperate need of a saddle – but if organizations can get their arms around it, that compliant data will be working for them. Knowing this, IT leaders need to revisit and reprioritize how they find, classify, and manage personal information, especially content. If organizations continue to leave unstructured data out of privacy efforts, organizations will not only fail to comply, but also struggle to thrive – even survive – in the post-pandemic, digital world. For IT leaders looking to harness the horsepower of compliant data, taking a path to privacy-aware governance is a great place to start.
The Need for Privacy-Aware Governance
First, it’s important for IT leaders to assess how the pandemic has impacted their organizations’ usage of content. With the advent of the mass remote workforce, workers use shared/network drives, Slack, SharePoint, and Microsoft 365 more than ever. As a result, IT leaders need to be concerned that ungoverned, user-managed documents and content puts the organization at risk.
Organizations’ IT environments continue to change, adding complexity to governance. Companies accelerated moving their applications and workloads to the cloud, driven by the pandemic and economic fallout, either to reduce in-person work at data centers or because the cloud offers more flexibility as business demands fluctuated. Now that IT leaders need to manage on-premises systems, public cloud, and hybrid-cloud IT environments, they face several compliance and Data Governance challenges with their content:
- They don’t know where privacy information resides within documents/records
- They are unable to associate privacy information within records to a specific customer
- They have no audit record of who has accessed/viewed the privacy information
- They are not currently able to redact privacy information
- They are maintaining customer information for longer than required by law
Knowing that content will only continue to grow, and the remote workforce isn’t going away, it is no longer enough for organizations to simply manage information. They must prioritize privacy and regulatory compliance in their governance strategies.
How to Prioritize Privacy-Aware Governance
To start, organizations need to gain visibility and transparency into where sensitive and personal information resides within their content, documents, and records. Without the ability to identify where that information exists within content located on file shares, SharePoint, and other repositories, or the ability to associate personal information within records to a specific person, organizations leave themselves exposed to compliance fines as well as brand and reputational risks. Last year alone, the GDPR levied over $470 million in fines to organizations. H&M Germany was fined more than $40 million this October for failing to manage and govern personal information about employees on network drives. California enacted CCPA in January 2020 and authorized their Attorney General to enforce CCPA as of July.
Compliance leaders, internal auditors, and boards of directors want to know what privacy compliance risks they face. These leaders need help quantifying the privacy compliance risks they face and what actions they can take to mitigate them. IT leaders can help with a privacy-aware governance approach for unstructured and structured data focused on:
- Helping leaders make the case. Scanning and discovering where sensitive information resides in file shares, network drives, SharePoint, Microsoft 365, email, and more helps leaders understand and size potential risks to the organization. Technology such as OCR and other scanning tools exist today to help discover information putting you at risk quickly and cost effectively.
- Demonstrating how you can manage and govern what puts your organization at risk. Organizations can scale their usage of content management platforms to manage the lifecycle of this information, including its removal. Today, federation capabilities also enable organizations to apply governance policies to information across repositories and shared drives. These policies can include redacting sensitive information, on the fly, to ensure personal information is used correctly, consistently.
- Funding through rationalizing content sprawl. Organizations can achieve immediate savings and value by rationalizing and consolidating content repositories and systems putting them at risk. This rationalization and consolidation can also take advantage of private-cloud, hybrid-cloud, and SaaS-ready options to further reduce infrastructure spend.
In today’s remote, regulatory world, information governance can’t be a passive practice. Content can’t be ignored. Organizations must prioritize compliance and execute privacy-aware information governance strategies. The pandemic has already proven that regulations, which once felt like pains, forced organizations to get their data houses in order so they could be more agile in the face of disruption. Even for those companies that established data intelligence and managed their structured data for compliance, it’s time to saddle up and finish the job with content.