There’s No Way Around It – Data Privacy is Data Governance
December 18, 2023
Data privacy rules and regulations are constantly evolving – states are adding new laws while others are adding new measures to existing laws. So, it really is a matter of when, not if, you’re going to have to address data privacy.
We talked with the data privacy pros (DPPs) here at Prolifics and learned that there’s a bigger picture to data privacy that we all need to consider.
Q: Okay, so I’m a company coming in to see you all one day and I say, “Hey, I just realized I have a California Consumer Privacy Act (CCPA) problem, and I need some data privacy answers. But I only want the minimum viable for California, that’s the only thing I want to address.” Does that happen and how do you respond?
DPPs: Yes, it does. We see this with a lot of customers, and they do just that. “We only want the bare minimum. We don’t want a big investment here.” The problem is the bare minimum is still holistic. You have to consider all your data anyway because you’re on the hook for it. It’s everything or nothing. You can’t have half of your data being CCPA compliant and half of it not. You can’t have your structured data being CCPA compliant and your unstructured data not. It just doesn’t work that way under the law. You’re still leaving yourself wide open for fines and penalties. And that’s not just CCPA – all privacy laws follow similar logic. So, there’s no real fundamental difference between CCPA compliance and larger, overall data governance.
Q: If I need to consider all my data, are you saying privacy laws are in a way forcing data governance on me?
DPPs: The data privacy campaign or policy that’s put into place is data governance. Without the rigors of governance, meaning if you’re not following some core tenants, which is collect the data, scan the data for PII (personally identifiable information) and then catalog the data, you’re not complying with the privacy law. Those three things – scanning, identifying, and cataloging – are part of governance. Governance means you know where your data is, you know who’s using your data, internal or external, who’s accessing it and when. Companies should already have governance related to privacy issues. For example, “Hey, that individual’s name is not encrypted on this site. It’s related to a database over here where you can get access to a social security number. I need to prevent that from happening.”
Q: How do you get people to look at the larger data governance point of view?
DPPs: So, there’s no real fundamental difference between CCPA compliance and data governance. It’s all the same. You might have one policy for CCPA. Most likely you’ll have about 10 to 15, but for governance, you might have 1,000. Many healthcare organizations, like payers, have tens of thousands of policies for their governance, because they have that much data and that much information to collect and to be compliant on. So, when we’re getting into it, we’ll point out that you already have architecture, you already have hardware, you already have the information in there. Let’s broaden the scope more – beyond California, beyond whatever state will enact privacy legislation next. Let’s get a holistic data governance solution in place.
Q: Does that resonate well with clients?
DPPs: Yes, it does, because the benefit of data quality then becomes apparent. Everyone will agree that the key driver for data governance is data quality. Most companies have so much data collected, they just don’t know what they have. So, when they try to use the data in a specific way, for example marketing wants a “know your customer” (KYC) initiative, they realize they have disparate systems all over the place with different and competing data about the same customers. Then we hear the grumblings about the bad data quality they have. It’s the same bad data that makes data privacy compliance so difficult. At Prolifics we say that data is the most important asset a company has. A holistic data governance approach treats data like the valuable asset it is.
Learn more about data at Prolifics here.