In the digital world, data has become almost a form of currency. Just like everything else of value, this also means it needs to be protected. While consumers may accept that privacy is becoming more and more a thing of the past, their expectations of how businesses use or protect data are also rising. As a result, it is no longer just big businesses that need to implement and establish firm policies around how data is used, stored, accessed and disseminated.
WHAT IS DATA GOVERNANCE?
Data governance is the system of policies and procedures a business puts in place to manage the responsibility that comes with holding large stores of personal data. As the IoT grows past 20 billion connected devices, information is being gathered about almost every person on the planet.
Some of that information is deeply personal: the medications a person takes, the health conditions they live with, and details of their reproductive practices or issues. Health-care providers are generally prohibited by law from sharing this kind of information, but the manufacturers and distributors of the smart devices that increasingly collect it often are not. This is why good data governance policies matter for individual businesses: they need to fill the gaps the law does not yet cover. Businesses should not only think these factors through carefully, but also be able to give the consumers who entrust them with data some real assurance that it is in good hands.
BUILDING A STRONG FRAMEWORK
The policies and procedures your company implements are generally referred to as a data governance framework. A data governance framework is essentially a business plan for data. No framework will be perfect, but simply building one forces you to think through a number of issues before they occur, and by doing so you may prevent many of them from occurring in the first place. Here are some elements of a strong framework.
WHO: Not everyone in your business needs access to the same data. Some of the data you collect will also be of financial value to other businesses, so you also need to decide which partners you will share data with and exactly what data you will share. In addition, no single individual should have unfettered access to information, or the sole power to grant that access to someone else. Putting such decisions in the hands of a team or committee may slow the process down, but it also makes it more secure.
WHAT: Information should be compartmentalized so that a given set of data is available only to the employees who need it, and only when they need it. The more sensitive the data, the fewer employees should have access to it.
WHEN: Some information should be shared only on a need-to-know basis, and every access to sensitive data should be logged so that who looked at what, and when, can be tracked and reviewed.
WHERE: Data that can be reached from off-site is harder to protect than data that can only be reached on-site, because you cannot see who is actually at the keyboard. Requiring employees to be physically on-site, or on a managed device and network, to reach your most sensitive data raises the bar for an attacker holding stolen login credentials, since a password alone is no longer enough. It does not eliminate the risk: an insider or a compromised on-site machine can still use those credentials, so the location check should be paired with multi-factor authentication and access logging rather than relied on by itself.
HOW: One of the largest and most infamous data breaches in history, the 2013 Target breach, began with stolen credentials belonging to an HVAC vendor that had remote access to Target's network. The attackers used that vendor access as a foothold and moved from there to the systems handling payment card data. Determining how information can be accessed, including by third parties, is every bit as important as regulating who can access it, what they can see, and when and where they can see it.