The State of Privacy - Q4 2022
This is a comment, a one-sided "chat" if you will, on the State of Privacy around Q4 2022.
It's just a personal opinion that I'm sharing with the community, in the spirit that we really ought to consider these things. But the communities I'm sharing it with are all the communities I also belong to: Data, AI, Data Governance, Data Products, Privacy and Data Leadership. Because...this affects us all, in different aspects of our work.
It's meant for folks with interest in the privacy world, from experts, to just about anyone in a corporate leadership position with data management and/or oversight responsibilities.
Until some tough conversations begin pretty much everywhere, and we shift away from having data protection/privacy teams made almost entirely out of legal resources, companies will continue to have to invest (bleed...) ever larger amounts into data compliance.
This is just a heads up. You might wanna stop that, because...with time, the "drag" or pull effect from this (that "thing" you've been feeling for the past years) is only going to grow, exponentially.
The drag on your capacity to deliver, at scale, your data and digital business.
It's not only a drag in terms of investment, but it will never provide the ROI your company so desperately needs. This is a bit about the state of play, but also about culture, and where we go from here.
By now... many boards, C level, from CIOs to CDOs, from CISOs to CTOs and Compliance Officers "across the land"... will have felt that warm fuzzy feeling in our bellies, telling us that a shift is happening, and that we can no longer look at this area as predominantly legal driven.
As professionals with data management and/or oversight responsibilities...We know that they're not. It's just an indisputable technical truth.
And...please...please... don't tell me that "your security" is managing it, that your data teams are managing it...because...I've been there. I've managed those teams myself. I know their day to day business. I reported to you, I managed them, many, over years and years. And oh boy, was I managed too. We're all covered in battle scars. Good! Moving on...
We all know we've barely scratched the surface at data governance (there's always some shining beacons...) and that on the security side, those teams are good for controls, IAM, Red/Blue, etc...BUT that they are an important part of privacy, by supplying the "ground level" organisation of defence through information level controls.
BUT...privacy is at once an information management problem, a depth of controls problem, and a depth of "from policy to code to UX, with data, AI, and data products sitting in the middle". Or, as we know, a lack thereof, a disconnect.
It's just circles, upon circles, upon circles of disconnected tissue. That's why it's so hard, and interesting!
There's simply NO WAY any Security Team is going to provide that, or greater depth. It's not their job, and we all know it.
At best...at the Chief Data Officer level...sure, there's plenty of work to be done there, and maybe that's a solid home for ceiling level privacy controls...personalised ones. Maybe. Time will tell, and different companies with different data challenges and complexity composition will certainly be on the forefront of making this work in practice.
Now...at CDO Governance level, a lot of work is to be done, and can be exceptionally critical in the disentanglement of controls complexity...in the route to build automated data consumption models...bear with me...reliant on metadata management driven approaches....we're...for the most part, NOT THERE YET.
And worse...we know it. At the highest levels, we all know it.
...the maturity level of most orgs in terms of both data governance, data controls management, overall data use as an asset, AND full lifecycle data products (I'm not gonna even add here the far end of the spectrum: "entity management+contracts" vs... "ecosystems" or "data marketplaces". Did anyone mention "Cloud"?)
....
....
....
We're not there yet. We're still cracking it. We're still doing it.
I mean... What ecosystems? What data marketplaces? We're joking, right? I'm not sure what the "business guys" are expecting, but I'll be very blunt: there are no ecosystems, there's no AI feedback loop, there are no marketplaces...there's NOTHING without Trust.
Compliant Trust...not "made up" Trust, "just because".
But...we can't have "Zero Trust" models on the Security side, and "All Trust" made up on the other side, can we?
And...there's no Trust...without Privacy, at depth. That can't exist...without Data Governance.
Are we coming "full circle" yet, or...?
Let's face it, the hard truth we all know.
We need to get the basics done, before we..."complicate". Otherwise...well... we're just wasting money....in amassing the largest pile of technical debt and entanglement ever amassed in the whole history of computing.
That's it, really.
Maybe it only really "popped" with Joe (Uber's former CISO), maybe it was the Chief Data Officer team starting to implement that new data mesh or fabric "thing" onto unsuspecting business owners (hint: data compliance is coming your way like a loaded freight train); maybe it was when your data teams filled with data scientists started to process petabyte scale data in multiple jurisdictions and CoEs (centers of excellence) all across the globe; maybe it was when your product folks got that data and packed it in nice little "data products"...now also being distributed globally and changing in "sprint" mode... maybe it was when the org finally understood what DevOps was all about, or some Exec finally understood what the "SDLC" was... and how challenging it was to add pure lawyers to deeply engineering processes and teams.... but deep down.... we all knew something was wrong with this picture, for a really... long... very long time.
Maybe we had our plates full. Maybe the estate was burning, and we had just arrived. Maybe the budget wasn't there, or really we just didn't want to go there. Maybe "visibility" and data mapping...would bring more bad than good. At least immediately...
I understand. I've been there myself.
Whatever it was, we just did like before, a little bit of this, a little bit of that, a nice little "spread it" and pronto!
Believe me, I understand, and empathise deeply with the many challenges you face.
So...please hear me out...I'm trying to help YOU.
The real problem, as we know, is that privacy is in fact a mostly data and engineering function, that should have as an adviser/helper…legal, but... really needs to be treated as a data and engineering function, primarily.
Because... treating privacy as an engineering function would fundamentally kill at the root most of the work (the stupid, repetitive work) privacy teams currently do...so they can actually focus on work that matters. While we transition risk management from a deeply legal discipline that requires a legion of lawyers... to measurable data we can use as part of a process to manage the many existing options with...
But that's efficiency!
....
....
....
Nope. So, "here" lies where we might fundamentally disagree.
The "big" problem there, as I think you'll agree, is: most companies have preferred taking this legalistic approach to privacy... almost exclusively to maintain their data compliance in a state of "gerbil like" activity..."as is"..."BAU"... "travelling without moving", because it also allows them to fundamentally hide the disconnect between the "data"...and the "privacy" part of data management operations.
But it's "data privacy". It's not "legal privacy". And, for the matter that we're discussing, it's not even in the word, is it? For what we're discussing... it's what connects databases with everything else, back and forward. As we know, obviously.
Let's go back to: data compliance is fundamentally a technical data and engineering function. We agree on that, for the most part, I'm sure.
So...actually, what is happening, is that we ended up "talking around" and... ended up investing more money into “saving” the pile of data (non-compliant one, let’s say it!) we had from before...so we can have something to build "today" and "tomorrow" processing, so... we delay.
Ok... I understand.
Deep down, we all know that... It's "the" choice, the balance, between maintaining old revenue streams... and changing, adapting and developing new, compliant ones.
Sure, fair enough....we've all been there. Too much debt. Too much underinvestment, for years and years. Who cares about a last mile layer?
But that's the thing. It's not last mile. It's foundational.
It becomes foundation, once you wanna move forward, in a scalable way.
Without it...I'll give you 100 billion to invest in your engineering (yes, it's true!)....but...bear with me please.... end of the day... you'll still end up like Facebook, or Twitter, etc.
"I don't know where all my data is, or what it's being used for". "It's probably not possible to implement these changes without tearing up the whole estate" and my personal favourite..."data is like ink on water on Facebook...it goes everywhere, and there's no way to stop it". I mean...poetic stuff, really! Dante's Data Inferno.
BUT..."Joe"... was just the start of a large, and very painful, reckoning coming our way.
100 Billion, a Trillion. Who cares? You'll end up with a mammoth data estate that, sure, might be able to deliver "some" value...but will also mean someone will end up in jail, sooner or later. That is a truth we can't escape from, not anymore.
The problem, like everything in compliance, is time and maturity.
We've... just run out of...runway.
Time has seriously run out for us, and we know we're not going to be able to maintain this status quo much longer, because for the past 4 years, others have started to build scalable, digital, compliance-factory-like data compliance operations. Regulators have started moving, and demanding API based relationships for their oversight functions. Maturity has changed.
Public perception has changed. The stock market has changed. We've changed.
Now that everything is about data, and governance, and the visibility brought in by data governance is starting to shine a light into every room and every choice...
Now is still a good time to use some technology to make sure we tame the beast.
It's only professional data management. Enjoy it, because by the end of it, you'll have developed your data compliance skills, and...these are becoming quite critical, by the day.
The top of the mountain is harder to get to...but it's rewarding to be the best you can be. Don't settle for Data Infernos. It's possible to build a Data Nirvana, as a Team.