Several well-known brands have been found guilty of poor data privacy practices during a global health pandemic, with technology firm Clearview AI most recently in the crosshairs of multiple privacy regulators in Australia, Canada, and the UK. Others face continuing judgment in the court of public opinion for alleged non-compliance with laws and regulations. Beyond the multi-million Euro fines, these events highlight the need for robust data management across the entire data lifecycle, from the cradle to the grave, if organisations are to meet privacy obligations. Yet as individual countries' attempts to implement COVID-19 vaccination passes have shown, data sets (and data ethics) are becoming more complex and challenging to manage, with those running IT platforms and operations seemingly driven to focus on ‘go-live’ dates and worry about ‘other’ in-life requirements later. Anyone who has worked in data compliance or security will recognise this familiar pattern of behaviour.
With the third anniversary of the European Union (EU) General Data Protection Regulation (GDPR), IT departments should now be comfortable mapping data flows supporting a broader data compliance framework. Yet, as is so often the case, organisational complexity, poor communication, and lack of understanding result in a failure to ensure that adequate levels of oversight, resource, and monitoring are put in place to manage data risks, including non-compliance. Both the Board and Leadership must recognise that data compliance is a cost of doing business and not a burden or something that they can ignore.
Privacy laws have long required that organisations define and enforce clear controls for the management of personal information, particularly looking to ensure the early identification of privacy risks during the design phase. However, a lack of discipline around the management of personal information and the associated assets can make fostering a data compliance culture difficult, particularly if commercial interests promote an organisational mindset of “capture as much data as possible now and find a use for it later.”
The rapid ascendance and availability of affordable cloud-based storage combined with a reluctance to delete data may overwhelm an organisation as it struggles to manage the resulting volumes of information. The lack of a holistic enterprise view means a diminishing understanding of the strategic value of data with increasing risk implications around security, e-discovery, retention, and the data rights of access and erasure. These factors alone or together have the potential to create several undesirable outcomes, all of which could result in uncomfortable conversations with various data stakeholders, be they employees, customers, non-governmental organisations (NGOs), media, investors, or regulators.
It is important to note that it is not the responsibility of the Privacy Officer to set the enterprise data strategy and, by implication, the approach to data lifecycle management. Both the Chief Data Officer and dataset owners must embrace proactive management of personal information. A well-designed and monitored data control environment, supported by oversight tools, and reinforced by mandatory training can provide employees with the knowledge and certainty to ensure effective data management.
At Veritas we advise a proactive data management approach that allows you to gain visibility into your data, storage, and backup infrastructure, helping you to take control of your associated data risks. The risk of doing nothing is simply too great. Reducing the need for manual intervention through automated tools that classify data can remove complexity and can help embed data policies and standards enterprise-wide. Therefore, it is in the interests of Privacy Officers to support the adoption of data management tools and practices, particularly those that reduce the possibility of human error, a common root cause that frequently results in non-compliance and regulatory reporting.
Those organisations which emerge from the pandemic understanding the data they hold, including that created because of the evolving working behaviours over the last 18 months, will be able to make better-informed decisions and likely be in a strong position to succeed as the economy recovers, empowering their employees to handle data with confidence and in compliance. Those organisations that surface still questioning what data they store, where it is, and who has access will compete only to become the next negative data headline and to receive the next major multi-million fine for non-compliance.