Operational controls to protect personal information and sensitive data 

 

What is Data Governance? 

Data governance is the foundation for the stewardship of data and a robust privacy program.  

We view data governance as a comprehensive approach to collecting, using, storing, retaining and disposing of data that results in the organisation being responsible data stewards. Data governance is an enterprise-wide function considering all data related activities and the people involved. It provides the controls and processes to ensure data, including personal information is managed in a responsible way compliant with laws relating to the jurisdiction of the data subject and business operation.  
 
Data Governance: Cross-organisational capability 

Privacy is one lens though which to view data governance. Its focus is on personal information (PI) , but strong data governance is broader than just personal information. It should cover all data, how it’s used (analytics) and how it's protected (cyber security). Here's a summary of each area:  

• Analytics: Extracting business value from data requires responsible data management practices. Data governance ensures the data used for analysis is accurate, complete, and current. 

• Cybersecurity/Protection: Safeguarding systems and data from unauthorized access is crucial. Data governance helps identify and prioritize sensitive data, allowing for targeted security measures. 

• Privacy: Managing the collection, use, storage, protection, and disposal of PI is a legal and ethical requirement. Data governance empowers organizations to comply with relevant regulations and build customer trust. 

An effective data governance program considers and addresses all three perspectives when managing data. 
 
Data Governance and Data Breaches 

Data breaches often target PI. Effective data governance is a critical step in identifying then protecting this information to reduce the risk of a data breach. It provides an inventory of the data (including PI) you hold, where it's stored, how it’s used, how long its retained, how it’s kept up to date and how it's protected. By clearly understanding your personal information landscape, you can take action to reduce your data risk by removing ROT data and addressing access issue or security vulnerabilities before a breach occurs. This will reduce both the likelihood and impact of a data breach if (when) it occurs.

 

Building strong Data Governance 

Here's a starting point for building your data governance program: 

• Understand Your Data: You can't manage what you don't know. Many organizations don’t fully understand their PI holdings, including storage location, protection measures, and retention needs. An automated data discovery exercise is an excellent first step. This will help you create a comprehensive inventory of your data including personal information. 

• Establish a Data Governance Forum: Create a cross-organisational forum that brings together representatives who handle PI and sensitive data. This forum can discuss data collection & management practices, monitor processes, and oversee tools and assurance controls. IT, legal, compliance, and marketing representatives should all be involved to ensure a holistic approach. 

• Define Roles and Responsibilities: Clearly define data management roles within the organization, creating a chain of accountability. Who is responsible for data security? Who owns data quality? Who is accountable for personal information? Assigning clear roles ensures everyone understands their part in protecting data. 

• Develop Data Policies: Establish clear policies for data collection, use, retention, sharing, and handling. These policies should consider relevant regulations and be communicated, enforced, and automated where possible.  For example, a data retention policy can outline how long different data types can be stored before being securely disposed of. 
   

Taking Action: Reducing the immediate data breach risk through technology 

Technologies in this space are evolving rapidly and being grouped under the banner 'Data Security Posture Management' (DSPM). This is change from more traditional security solutions which focus on protecting the enterprise or the systems rather than the data. DSPM focusses on data and ensuring its protected appropriately for its level of sensitivity. 

 

Here are some simple steps technology solutions can immediately enable organisations to strengthen their data governance program: 

• Data Discovery: Use automated tools to identify all PI and create a complete inventory of your PI and sensitive data across structured (e.g., databases), semi-structured (e.g., emails, free text fields), and unstructured formats (e.g., file stores, images, PDFs). 

• Data Classification Labelling: Identify, categorise and label sensitive data based on data classification guidelines. This provides a clear understanding at all times of your data, its level of sensitivity data to prioritise retention, access control and protection measures based on the sensitivity of the data. 

• Existing Data ‘Clean up’: Identify PI that you don’t need to (or shouldn’t) be holding and delete it. A PI data scan can identify all your PI holdings including ID documents and other highly sensitive PI so you can take immediate action to reduce your risk. In addition, creating data collection, retention and disposal policies that can be automated will ensure the data holdings remain ‘clean’.  

• Assurance: Establish assurance processes to ensure your policies and controls are applied to all PI and sensitive data, both currently held, and data collected in the future. Assurance activities such as alerts for (or automatic) deletion of data once it passes retention periods will improve your privacy posture. Regular audits and reviews of the assurance processes can help identify gaps in your data governance program. 

 
Next Steps 
Implementing automated data governance tools can strengthen your privacy program, reduce the risk of a data breach and improve your level of compliance. This will protect your organization and your customers from data breaches while reducing the risk regulatory fines and enhancing customer trust.  

​​

Contact us today for further guidance on implementing these steps and to explore relevant technologies that can streamline your data governance processes