Blog

First Step of Data Privacy Compliance: Understanding Your Data

By Antonia Dumas, an Associate at XPAN Law Group.

If you have been following our blog, we hope you know (and agree) that data privacy is a priority. The next question is: what can you do for your company? You have recognized the importance of addressing data privacy issues and have been introduced to some of the current regulations, so you may be wondering where to start. Maybe you have discussed a need for data management, or maybe you have heard murmurs of a need for a data governance plan. But what does this all mean, and how can you take action? The first step, and the most important one, is to understand your data.

First Things First, What Data Do You Have?

I came across an article in Forbes asking “Do You Need AI To Map And Understand Your Data?” This is a real question that companies are asking as they scramble to figure out how to approach data management and governance. Depending on the size of your company and the complexity of the data you receive, store and process, turning to an artificial intelligence (“AI”) solution may be advantageous.

However, I disagree that we should rely entirely on AI and that “we cannot rely on individual human minds to understand what data we have on hand for any particular purpose.” Yes, it is true that we may not be able to rely solely on individuals to accurately determine the data they have and what happens with that data while it is in their hands. But we cannot expect AI to provide a full and accurate picture of data management (or the lack thereof) all on its own. It is essential to sit down with key stakeholders from the various departments of your company to determine what data you receive, store and process. Then you can use tools, such as AI, to determine where data resides, to categorize it, and to clarify what happens to it while it is in the company’s hands.

It is also true that the process of understanding your data is time consuming and may seem like a daunting task. Some analysts say that companies spend 80% of their time just finding and evaluating data and 20% of their time analyzing those results. (See Analyst on the Essence of Data Catalogs). However, data cataloging can flip this ratio and allow more time to analyze and maximize that data. Data catalogs are strategically important to Chief Data Officers and Chief Analytics Officers, but they should be carefully evaluated before one is chosen. (See Choosing a Data Catalog). Nonetheless, taking the time to understand and catalog data, although time consuming, will be well worth it in the long run.

So, the first key step is understanding your data so that a proper data management structure can be established and a strong data governance plan can be implemented. Data drives so much of the risk-based analysis that is at the heart of creating a privacy-oriented approach.

Establishing A Data Management Structure

When creating data management structures, companies have moved from traditional databases to data warehouses. Data warehouses aggregate structured data (i.e. data which has been organized into a defined schema) from multiple sources, allowing companies to compare and analyze the data. For example, Amazon Web Services (AWS) describes a data warehouse as having three tiers: a database server (where data is loaded and stored), an analytics engine (used to access and analyze the data) and a front-end client (reporting, analysis, and data mining tools). (AWS and Google each publish an overview of their cloud data warehouse offerings.) Most commonly, companies use data warehouses to correlate business data with performance and uncover future value. In general, data warehouses allow a company to gather its data, put it into common categories, and make it accessible to everyone in the company so that they understand the data and can use it.

Data cataloging has been a common tool for inventorying large volumes of data on local servers and in the cloud. (See a recent article, Data Cataloging Comes of Age). Most discussions of data cataloging are from the perspective of analytics and recognizing the value of data to a company, but it is just as important to understand your data from a privacy and data governance perspective: a catalog that records where personal data lives, and who can reach it, is what lets you answer access requests, scope a breach, and justify retention.

There are a variety of data catalog options depending on whether you are a smaller organization or a larger organization with voluminous amounts of data. However, since catalogs are built by individuals and the work can be very time consuming, some companies are looking for AI solutions to automate more of the process. Companies that provide AI tools, such as Io-Tahoe and Tamr, emphasize a need to automate the process of profiling and finding relationships in your data. Io-Tahoe’s product points to key elements including data cataloging, relationship discovery, data flow, impact analysis, sensitive data discovery and redundant data analysis. The July edition of MIT Sloan Management Review highlighted the fact that a high percentage of organizations were investing in AI (as high as 93% in one recent survey) but few were willing to provide successful use cases. In a Tamr blog post, they noted that this disconnect may be due to organizations “lacking the clean, organized, data required to fuel successful AI deployments.” This reiterates the importance of understanding your data before you can integrate any tools, including AI.

Once you understand what data you have and what the collecting, processing and storing activities are within your company, then you can create an appropriate management structure. From a legal perspective, you may have to reassess your data collection and storage practices as well as your breach notification procedures in order to be compliant with various legal requirements. Moreover, creating a system in which you can meet requirements of transparency is non-negotiable. Companies can no longer bury their heads in the sand and hope to escape the threat of fines. (Regarding threats of fines under the GDPR, see our prior blog, Lessons from the first GDPR Enforcement Notice).

Implementing Data Governance and Compliance

In an evolving landscape of data privacy regulations, companies have recognized the importance of addressing data privacy in their business management. A data governance program helps a company establish a corporate philosophy of data processing, storing and overall management. Having a clear data governance plan is crucial for companies to attempt to meet the wide array of obligations under the various data privacy regulations.

In recent years companies have shifted how they look at and think about their data in light of the numerous headlines of high profile data breaches. But, it has been the infamous GDPR, CCPA and other regulations in the pipeline that have moved data privacy compliance to the top of the priority list. Companies must create comprehensive information governance programs that have a clear privacy strategy and emphasize implementation of internal and external policies, procedures and guidelines related to privacy. Further, in light of globalization, effective cross-border data management policies and practices are essential for companies both large and small. (See our previous blog about cross-border management and cybersecurity).

The takeaway is: know your data and approach data privacy compliance holistically. The key is understanding the technological, administrative and legal implications of data protection regulations, so that you incorporate these elements into the creation of a data management approach and the implementation of a data governance plan from the start. But in order to connect the dots between your legal responsibilities and obligations and your data, you need to understand it. There is just no way around it, no shortcuts.

*****

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.