Today organisations store multiple data types in a range of on-premise, in-cloud and SaaS locations. This makes data compliance complex and costly. Organisations are increasingly required to comply with government, regulatory, and internal policies.
Good data governance helps avoid potential violation fines and penalties. Just as important is achieving a modern governance model that protects the data while making it accessible to the people who need it to drive the business forward, says Michael Queenan, CEO and co-founder of Nephos Technologies.
However, the key to achieving that modern governance model is to understand the difference between its three core tenets: data governance, data privacy and data security. These terms are not interchangeable; only when all three are in place will an organisation’s data be both compliant and secure.
Let’s take a look at the three tenets one by one:
- It all starts with data governance
Data governance is the foundation of a modern data strategy and gives assurance that data is being handled correctly throughout the organisation. It defines what data can be used by who, in what way and under what circumstances. As a result, it ensures that the data you hold and use is secure and of high quality.
Whilst most businesses now have an implemented data governance strategy of some shape or form, it is often informal or not uniform across all operations. In order to ensure compliance, minimise risks and have logical policies, formal processes should be established to create a strong and reliable data governance strategy.
- Data privacy is next
Assuming a suitable governance process is in place, the next step is to apply privacy controls that map onto it. In our increasingly digitised world, businesses hold and generate more data than ever before and, as a result, global data creation is forecast to increase by 180% by 2025 to more than 180 zettabytes.
With consumers constantly being asked for their personally identifiable information (PII), it has never been so important for businesses to take data privacy seriously. Being transparent, following privacy policies and requesting consent to hold and use personal data will reassure customers that their private information will remain just that: private.
Businesses have to meet the necessary regulations laid out by data protection laws such as GDPR and CCPA. These laws are there to give consumers more control over what data businesses collect about them and force businesses to implement strong data privacy policies. After all, if a business were to fall victim to a hack or ransomware attack, the loss of customer trust and revenue could be worse than the loss of data.
When it comes to data privacy, there are two key elements to address. The first is asset management. This isn’t a point-in-time exercise; it concerns the entire lifecycle of all data held by an organisation. Key questions to address include: what data is held, where it is stored, who can access it, and how it can be used. The second is regulatory compliance, meaning an organisation’s adherence to laws, guidelines and regulations. This is important for business, ethical and legal reasons.
- Data security tops it off
Data privacy and data security are often confused. Whilst data privacy refers to the collection and usage of data, security involves protecting data from theft, corruption or unauthorised access, such as could result from ransomware attacks or data breaches. Data security spans every layer at which data lives, from physical hardware to virtual access controls and cloud data storage.
The US Commerce Department’s National Institute of Standards and Technology (NIST) released an internationally recognised framework of cybersecurity standards which outlines the following five areas:
- Identify your weak points – know all of your systems and services so you can identify any potential points for unauthorised access.
- Protect your systems – put the right security measures in place to protect your services and know which systems need the most protection.
- Detect any hacks – a monitoring system should be in place so any unauthorised access can be detected and stopped as quickly as possible.
- Respond quickly to a breach – a crisis response plan should be worked out beforehand so as soon as an attack is detected, everyone knows what to do.
- Recover – if a breach or attack does occur, systems and services must be able to be revived as quickly as possible to limit downtime.
The sum of the parts is stronger
It is the responsibility of every business to keep data secure. With all the work it takes to implement effective data security, why would you not take the time to implement correct data governance and privacy to ensure the best protection? Many businesses focus only on data security and fail to understand that the three factors work best together: data is not secure or protected without effective data governance and privacy.
The author is Michael Queenan, CEO and co-founder of Nephos Technologies