Mind the Data Compliance Gap

by Dan Wu &?Sonia?Cheng (Managing Director within FTI's Technology Consulting practice)

Weak data strategy led to another victim in the fight against Covid-19: Public Health England. The use of older Excel file formats led to an underreporting of an estimated 16,000 coronavirus cases. Data quality issues like the above are not the only outcome of weak data strategies. Strategic gaps?between compliance and data operations have led to data privacy incidents like those at Facebook & Google.?

In our work with Fortune 500 companies, governments, and startups, we see 3 common traps to bridging the gap between policy and implementation.?

Trap 1: Complex regulations may be hard to harmonize and operationalize at scale

The policies themselves are very complex because there is a raft of various data regulations, with different obligations and definitions of sensitive data. For a taste of these regulations, consider the EU's General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Prote??o de Dados (LGPD), India’s Data Protection Act, and NYDFS Cybersecurity Regulation.?

Each of these regulations have slightly different obligations for protection, retention, use, disclosure, destruction, and even the definition of personal data.?

For instance, many regulations cover “any” information — including combinations of data — related to an identifiable natural person, unless it is reasonably impossible to uncover the identity of the person (through “anonymized” data). Be aware, however, that if combinations of anonymized and unprotected data have risks of re-identification, that data is still likely covered by regulations. The EU, India, APEC, China, and Brazil fall under this regime.

Some definitions of PII are trending even broader. California’s definition includes any information related to not just individuals, but also households, provided that it can be reasonably tied to an individual. Similarly, the FTC’s definition applies to not just individuals but also devices, as it states in its 2012 Privacy Report.

This complexity might mean your compliance and legal teams get lost in a sea of technical or legal jargon, resulting in an inability to harmonize business, data, and information technology teams. This may undermine the organization’s ability to implement effective controls balancing business objectives.?

Start with two basic questions:?Why are we processing this personal data? How does this connect with our mission and purpose?

Compliance and privacy cannot just be treated as a checklist. Instead, these obligations require an understanding of how key stakeholders, such as the C-suite and the business’ end users, can benefit from these changes. Think about the company’s mission and purpose and connect obligation with values. For example, an EU based insurer began their GDPR journey in 2015 and while their data governance and compliance efforts were in the nascent stages, they recognized early on that in order for the firm to be successful, they needed to take a people first approach. They recognized their purpose was to protect their millions of customers’ property against risk. Data was an extension of that protection. They got in front of the program early by campaigning to the board and executives, contextualizing the GDPR as a core part of their business strategy. A key part of their success was understanding that they needed buy-in from across the company, not just the few people focused on the problem.

Ethical data strategy is another approach to improve customer loyalty, obtain higher quality data, and build more resilient businesses. Recently, Apple and Microsoft have begun to distinguish their brands through privacy. Some surveys report that more consumers now trust Apple to steward their data than many of its rivals, such as Google. Other brands like Facebook have struggled with the blowback from the Cambridge Analytica scandal, after which trust in the company reportedly dropped by 66%.?

The C-suite, ultimately, has an opportunity to redefine their purpose in this new data-first world, sharpen their business enablers, and differentiate themselves against the competition.?

Trap 2: Complex policies create friction and hinder compliance.?

Even if you are able to help key stakeholders take advantage of this regulatory opportunity, new responsibilities require changes to pre-existing workflows. These changes may slow down the speed of key business units, resulting in the temptation to simply ignore or evade them. It’s no wonder that lawyers and compliance are often consulted at the end of a project, when the pressure to approve is overwhelming.?

For instance, assume that regulations mandate that more data is now considered personal data. As a result, it will be harder for internal data analysts to access data it normally was able to access without constraints. Now, their use of sensitive data must be used for legitimate purposes, requiring a series of requests, impact assessments, and approvals to access data and use data. These additional workflows mean access to data, while standardized and better controlled and tracked, is slowed for many weeks, frustrating business executives with product launches or data scientists who just want to analyze data.?

As a result, you must also have a process & change management strategy to help gain stakeholder buy-in and build better products and services by design.?

It’s key that companies don’t come up with compliance policies in an ivory tower, meaning, they don’t just develop policies without actively engaging with the business and operational stakeholders that need to effectuate rules. Instead, the policies, and its operationalization into processes, should be tightly woven into the business, actively working through privacy and regulatory requirements on the ground, and helping to shape solutions that balance compliance and business needs.?

In practice, this means organizations might consider building a cross-functional data council including not just legal, compliance, but also business and technology stakeholders. This council can provide organizational alignment in a few key areas.

First, it assumes a proactive position. Instead of reacting to new projects on a case-by-case basis, it builds a global process that proactively contemplates and addresses a number of relevant projects throughout the company. Similarly, this process also proactively looks at new data regulations on the horizon that may affect where its business goes. Instead of responding to these regulations last minute, the council identifies commonalities across all of these regulations, and fine tunes its process to the specifics of new laws, as one of the author recommends to do here. With foresight comes speed.

Second, this process is sensitive to the specific needs of stakeholders. As it develops a response to a wide variety of projects, it obtains feedback from end users that will be subject to them. By doing so, concerns are addressed earlier on, and buy-in and trust internally increases.?

Finally, it advocates for roles that increase the accountability of data from end to end, expanding upon traditional data stewardship roles. By doing so, data protection becomes a core design principle of its products and services — not something simply addressed as a checklist at the very end near approval.?

Trap 3: Policies may not capture complex data flows, opening up companies and consumers to unconsidered risk

Beyond that, most companies do not have a great grasp on where their data is and how it flows throughout the organization in a variety of forms. This means that policies and processes — even if proactive and well-designed — are not adequately protecting data subjects from harm and opening the company to increased risk, for instance, during a data breach.?

Take one example of this: dark data. This is data collected through regular business activities, but is generally not used to derive insights. Such data include log files, prior employee data, email correspondence, and customer service logs — all of which is stored because it is seemingly innocent. But, in fact, these may contain highly sensitive data, opening up companies to more risk than benefit in the case of a breach. Furthermore, much dark data is collected without a specific purpose in mind, violating the principle of minimization under the GDPR. What makes dark data scary is that, like “dark matter” — it is not easily observed, hidden in the background.?

As a result, you must also align your technology strategy to govern and draw insights from data produced through regular business activities.?

Two technology tools are worth considering.?

First, automated data discovery tools use artificial intelligence to identify sensitive data throughout your enterprise, including your dark data. While most companies identify this sensitive data manually by painstakingly searching databases individually, these tools search your disparate databases for you and identify sensitive data that need to be protected.

Most companies will be overwhelmed by the number of data sources, supply chains, and projects. Tools like this can drastically help organizations prioritize certain high-risk datasets, given the sea of potential data it may need to sort through.?

Second, new unified data architectures to control and access data from one platform may help.?Using tools like data virtualization, organizations can create connections to lots of disparate databases, without creating copies, which would expose organizations to more risks. Much like the one used by one health tech startup here, these architectures allow companies to start with small experiments to control data, such as dark data. When it proves those policies out, the company might add more complex policies with few cross-functional resources.

In conclusion, the gap between compliance policies and operational reality, at times, seems too tremendous to traverse.?

Yet by thinking about people, processes, and tools, these gaps can narrow — and so can those between the governance, business, and technical teams.?

To summarize, this involves:

• Identifying the purpose of processing this data and how does it connect to our mission and purpose?
• Building a process & change management strategy to help gain stakeholder buy-in and build better products and services by design
• Aligning your technology strategy to govern and draw insights from data produced through regular business activities

With these missions in mind, your governance, business, and technical teams can work together to build more ethical and responsible data-first companies.?

**********

?? Hi! I'm Dan Wu, lead innovation advisor at Joyful Ventures, where I help social impact executives create financially-sustainable ventures.?

?? Want tips on innovation strategy for community impact? See my innovation advisor field notes: https://www.heyjoyful.com