Data Governance Vs. Data Privacy Vs. Data Security
As our SmartData Governance service continues to gain momentum, there’s often a common discussion point with customers around the difference between Data Governance, Privacy and Security/Protection.
The terminology seems to cause confusion over what each of these terms is or isn’t, but the reality is they’re all critical to your overall data strategy, so I thought I’d provide a short(ish) insight into each aspect and why they matter.
Data Governance – The Foundation
In my opinion, Data Governance is the foundation for everything else that follows. If you don’t have the right governance in place for your critical data assets, then when it comes to applying privacy and security controls you’re unlikely to get that right either.
So what is Data Governance?
The Data Governance Institute defines it as “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”
In more simplistic terms, it’s a system for defining who within an organisation has authority and control over data assets and how those data assets may be used. The goal is to establish the methods, set of responsibilities, and processes to standardise, integrate, protect, and store corporate data, with the aim to:
- Minimise risks
- Establish internal rules for data use
- Implement compliance requirements
- Improve internal and external communication
- Increase the value of data
Most companies already have some form of governance for individual applications, business units, or functions, even if the processes and responsibilities are informal, but establishing that practice systematically and formally is key to scaling these controls.
Data Privacy
This is the second part of the puzzle. Let’s assume that we’ve put a suitable governance process in place; the next step is to apply privacy controls that map against it.
Why is Data Privacy important? The answer to this question normally comes down to two aspects:
- Business Asset Management: Data is possibly the most important asset a business owns. We live in a data economy where companies find enormous value in collecting, sharing and using data about customers or users. Transparency in how businesses request consent to keep personal data, abide by their privacy policies, and manage the data they’ve collected is vital to building trust with customers, who naturally expect privacy as a human right. If your customers can’t rely on that privacy, they’re unlikely to trust your business.
- Regulatory Compliance: Managing data to ensure regulatory compliance is arguably even more important. A business may have legal responsibilities for how it collects, stores, and processes personal data, and non-compliance could lead to huge fines under regulations such as GDPR or CCPA. If the business becomes the victim of a hack or ransomware, the consequences in terms of lost revenue and lost customer trust could be even worse.
Data Protection and Security
The first thing to say here is that Data Privacy is not data security/protection.
Businesses can often mistakenly believe that keeping personal and sensitive data secure from hackers means that they are automatically compliant with data privacy regulations.
This isn’t the case.
Data security/protection is about protecting data from compromise by external attackers and malicious insiders, whereas data privacy governs how the data is collected, shared and used. The terms data protection and data security refer to the technical framework for keeping data secure and available.
If we look at the foundation of most standards, the NIST Cybersecurity Framework provides an internationally recognised measurement tool.
This methodology is broken down into five key areas:
- Identify – Understand what systems and services you have: assets, data, people, data flows, etc., so that you can identify the points where an attacker could gain entry or a breach could occur.
- Protect – Each system or service needs to be protected, but not necessarily equally. The right level of protection needs to be put in place based on the system and the criticality/sensitivity of the data it contains.
- Detect – Protecting a system or service does not guarantee that it will remain safe. It’s important to know when problems or attacks take place, so when implementing protection it is just as important to implement monitoring and alerting.
- Respond – Consideration must now turn to what happens if an attack or breach takes place: what actions should be taken, in what order, and by whom? Who needs to be legally informed?
- Recover – If the worst did happen, how can the systems or services be brought back into operation, and in which order?
Why is Understanding the Difference Important?
It sounds like a lot to consider, but that’s because it is.
With all the legislation in place to protect a consumer’s privacy and data, it’s critical that your business understands the implications of not understanding or addressing these areas.
As a business, it is your responsibility to keep your data secure, and not doing so can come at a high price: in a recent survey from Varonis, about 60% of hacked small and medium-sized businesses go out of business within 6 months.
All three of these areas need to form part of your overall strategy, but it all starts with the discovery and classification of your data and the risks it’s exposed to.
I hope that gives some insight into the differences between these three critical components. There will be a follow-on article where we look at some of the challenges associated with delivering this kind of strategy, but in the meantime, if you’d like to see how we’re addressing this for our customers, you can check out some of our online resources.