Over the past several years, we have seen a tremendous amount of pressure from consumers (and now regulators) regarding how organizations manage content, especially when that content contains information about employees, consumers, and any number of other individuals whose data has made its way into enterprise data stores. Although the enactment of the EU’s General Data Protection Regulation (GDPR) in May 2018 seemed to monopolize public discussion, we have seen a multitude of other newsworthy moments since then.
In fact, during 2018, we started to see organizations targeted for inappropriately managing personal data. According to CNET, on the first day that GDPR went into effect, as anticipated, the likes of Google and Facebook (and its subsidiaries) were hit with a number of claims that could yield $9.3 billion in fines. Regulators around the globe are taking data privacy seriously, as evidenced by the vast array of new privacy requirements.
In the past year:
- California joined the privacy conversation with its proposed California Consumer Privacy Act (CCPA), due to take effect in January 2020. (Don’t forget the look-back provisions!)
- India initiated its efforts with its Personal Data Protection Bill 2018.
- Japan furthered its efforts with regard to privacy and negotiated terms with the EU regarding cross-border data transfers.
- On August 14, 2018, Brazil executed its General Data Protection Law; although it largely follows GDPR, it won’t go into effect until early 2020.
- Canada amended its Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000 in November 2018 to include mandatory data breach notification and record-keeping laws.
- China implemented the final version of The Standardization Administration of China’s privacy bill in January 2018, which went into effect in May 2018 and is widely regarded as more rigid than GDPR.
- The U.S. Congress submitted proposed bills that put a Federal Privacy Policy on our radar for 2019.
The bottom line is this: People everywhere are getting on board with increased privacy measures. We cannot continue to manage data with the “same old, same old” mentality. Far too many times, I’ve heard middle management comment that GDPR doesn’t apply to them or that they just won’t land on the regulators’ priority list. While that argument has its points, privacy regulation has expanded well beyond the scope of GDPR. California, home of the new CCPA, is the world’s fifth largest economy, and the number of countries with their own specific and unavoidable regulations is constantly growing. One of the myriad of privacy regulations is going to apply to you, so that argument no longer passes muster. In fact, it is time to understand what your organization is doing with data stored in your environment, where it came from, and why you have it.
The Growing Data Universe
As we look at our crystal ball and consider what 2019 might bring to this topic, one can only wonder if this ever-increasing deluge of data will stop to let us get a handle on what we already have. For better or worse, it probably won’t. With the size of the digital universe projected to double every 2 years, it is imperative that we gain control of these mounting volumes of data immediately, or else they will continue to grow unmanaged and increasingly create greater risk to organizations.
This daunting task can only be effectively accomplished by implementing processes, policies, and technologies that manage data at the point of creation and regardless of where it is stored. Unfortunately, focusing on data on a “go-forward” basis alone won’t be enough. In order to achieve efficient data management at scale, one must understand the various available technologies’ ability to scale to meet specific needs. This means assessing the various offerings’ ability to manage and ingest new data as it is created while simultaneously ingesting and classifying the content that has lived in data stores for potentially years. It further dictates a process by which expired data may be defensibly disposed of from both data stores.
The Hidden Value of Data Management
While data management initiatives doubtlessly have regulatory relevance, they can also provide a tangible ROI through improving the enterprise’s data analytics capabilities. Organizations seeking competitive advantage believe that there is “gold in them hills” and are looking at ways to leverage their data beyond compliance, management, and disposition. By applying modern technologies and thoughtful processes, it’s possible to mine your organization’s content—structured and unstructured—and repurpose it to gain real business value.
It has become common knowledge that our loyal and long-term baby boomer employees are retiring at breakneck speeds while their positions are being filled by millennials. Evidence has shown that millennials are prone to change jobs every year or so: they create business content, participate on teams that are creating products, and attend any number of meetings, and then leave your employment. This is one area where responsible data management can help your organization.
The days of bellowing down the hall to ask a long-term employee who worked on a specific initiative for their thoughts or recollections are over. Millennials may move on to the next employer before their seat even begins to get warm. If you do not take control over your data, you are limiting your ability to identify work product created not only by your baby boomers but also by the various millennials who worked for you, including the meetings they attended and the data they created or came in contact with. As we look into the crystal ball, I speculate that if we fail to implement the requisite processes and technology, we will find it is relatively impossible to reasonably defend or prosecute an IP claim, or defend a regulatory or civil investigation, especially where the alleged acts are those of a millennial who has moved on to another employer.
Data Management Comes First
Numerous organizational initiatives are always jockeying for a limited budget—that will never change. But as of 2019, priorities have changed, and data management is now topping the list. Arguing that there is no budget to implement a data management initiative will fall on deaf ears when executives are faced with the very real risk of being hauled before regulators or international courts to explain why sound data management practices were not implemented. Members of the executive team can no longer relegate such important decisions to middle management while at the same time invoking budget restrictions, thus tying their hands from implementing strong policies and practices.
The only way to resolve this issue is to truly evaluate your organization’s data: What data do you maintain in your existing data stores? How is it collected? What legitimate business purpose is this information being stored for? What business value could be mined from it? What disposition policies should exist? And, most importantly, how are you going to actually carry everything out?
While many organizations run statistical models to define their risk, others merely flip a coin as they attempt to define the likelihood that they might get hit with a regulatory investigation, but at what cost to the organization? It isn’t just about calculating a hard financial ROI on the risk of getting caught; many other factors must be calculated into the equation. There are other penalties for improperly managing data, for example: loss of consumer confidence, ineffective business decisions, lost productivity as employees waste time looking for work product that was previously created, and lost access to the institutional knowledge that was created by employees long gone.
The bottom line is this: The clock is ticking. Will you find a way to leverage your institutional knowledge, or will you continue to allow it to sit in storage facilities that are nothing more than black holes?