Renne’ Devasia, Chief Compliance Officer, InCountry Inc.
Over the past decade, amid a rapidly evolving regulatory environment and rising customer expectations regarding data protection, data residency, privacy and cybersecurity, compliance has evolved from something that had always been perceived as a business tax into a key business enabler. Product and service development and business strategy are increasingly dependent on large amounts of data, much of which is informed by both aggregated and individualized personal data in addition to usage and related metadata important to growing businesses. Continuing revelations of increased data mismanagement by some organizations place organizations under greater scrutiny of their overall data collection, management, protection, and usage practices. Governments’ reaction to these breaches is increasingly stringent data protection and data residency regulations, leading to mounting urgency for comprehensive and cohesive governance not only of the products and services dependent on such data but of the specific aspects of the data including its ultimate processing and storage location.
Preparation and re-engineering to support and comply with data protection regulations including GDPR have generated tools useful to data protection and privacy. These include data privacy impact assessments, data flow diagrams, data maps, data dictionaries, and data discovery tools, among many others. These tools help organizations identify data and its core uses across products and solutions, but play a limited role in achieving the ultimate goal of maintaining transparency and customer trust regarding how personal data is being used, with whom it is shared and how it is being protected - in addition to giving control of personal data back to the individual in support of their rights to data privacy.
In order to achieve this goal and evolve the collection and processing of data to support innovative business models and to comply with new regulatory regimes, organizations must transform their data tools and assessments into comprehensive and complete data governance programs which constitute a new way of enabling data subject control over personal data while extracting valuable information and analyses that drive compelling business products and services. So how do organizations evolve from current ways of collecting, mapping and leveraging data in their products and services to a world where country-specific data residency laws are considered from inception to deployment and data protection and compliance are at the center of the solution? Governance, not just compliance, is the solution.
If data is at the core of the business solution, then the solution has to be built with data governance as a foundational element. Effective, compliant data governance starts by looking at regulatory requirements from the location of the data subject – and building the data pyramid up to the pinnacle, region by region, and distilling the product or service into its core elements such that they can be delivered globally but sourced locally where the data subject resides. Only in this way can data be effectively controlled by the data subject in a way that abstracts the product or service from the user, making the product more globally compliant.
In the past, organizations have built their products and services and then searched for customers to acquire them. This resulted in a product development process where the product was envisioned and built, then systems, supply chains and other distribution mechanisms were developed and modified to enable customer acquisition country by country, state by state, to comply with regulatory requirements. Given the realities of the cloud and global product development with local distribution, organizations must reconfigure their development processes leveraging a governance model that starts with a process which envisions the product, the data which is needed and involved in building it, where the product is to be sold, and the data protection regulations in those locations. With governance at the core of the development process, the organization can then determine whether the delivery location does or should change the way it delivers the product in order to ensure data subjects’ control over their personal data is maintained and regulatory compliance requirements are met.
The art and evolution of governance in data protection is ultimately going to be determined by how well organizations can leverage the compliance tools of GDPR to re-engineer their product and service development processes to put data subjects’ control over personal data directly at their fingertips. Enabling local management of the data to reduce the risk of non-compliance and increase the confidence of regulators that their citizens’ data is respected and protected is going to be the new key business enabler in a world where personal data is at the center of your innovative new business offerings.