Chief Privacy Officers (CPOs) have what’s arguably the toughest job in the enterprise. They’re tasked with ensuring that organizations possess the appropriate procedures and documentation to comply with the increasing number of data privacy regulations. CPOs are also the central authority for making privacy-based decisions and protecting the interests of a company’s customers.
The need for formal privacy initiatives have been growing steadily since the age of “data as a commodity” began, but it has expanded exponentially in the last several years due to the sheer number of privacy regulations and mandates like GDPR, CCPA, LGPD, and PCI. Complicating matters further, is the fact that regulations are both horizontal and industry-specific; the latter of which abound in sectors like financial services or healthcare with HIPAA, for example. There are also smaller statewide regulations like the California Consumer Privacy Act. Regardless of its origin or reach, CPOs must interpret all these mandates to implement proper privacy programs for compliance.
The complexity of this chore is significantly increased by growing cloud adoption rates. CPOs contend with numerous cloud types including public, private, hybrids of these two, and on-premises. The resulting distribution of data and end user platforms makes it hard to audit for – or comply with – regulations via centralized governance mechanism, because central IT teams are neither data nor regulatory specialists. As a result, relying on a decentralized method – i.e. one that gives the business too much liberty in tool choice and policy implementation – makes the job of ensuring privacy even harder.
Combining these approaches with the delegated governance model based on a centralized platform with decentralized policy implementation overcomes these difficulties. It automates data discovery and workflows with central reporting and auditing capabilities while data stewards, who are versed in regulations and business requirements, adapt centralized policies and processes for individual business lines. This approach enables CPOs to spread awareness about adherence while managing, auditing, and complying with regulations across hybrid and multi-cloud settings.
Ensuring compliance: Workflow automation
The delegated data governance paradigm hinges on a central platform with built-in workflows for complying with privacy regulations. Organizations can automate these workflows to minimize manual processing and make them more repeatable, sustainable, and scalable than piecemeal attempts. The crux of this approach involves data stewards, in respective business lines, configuring centralized policies for individual business units. This synthesizes the best of both worlds with top-down policies locally tailored to the use cases of end users in sales, for example, creating consistency across tools, settings, clouds, and physical premises.
Without this methodology, if a customer wants to exercise his/her right to be forgotten as provisioned by GDPR, organizations will have to manually search for their data across business units, data platforms, clouds, and more. However, the governance solution underpinning the delegated model supports an orderly workflow for inputting such requests in a dedicated repository, finding the customer’s data, and applying access policies to quarantine or expunge the relevant information. There are similar workflows for protecting personally identifiable information (PII) data and restricting or enabling governed access based on roles or data attributes. These capabilities are automatically administered in source systems in pre-architected workflows so there’s no middlemen or ad-hoc, manual fumbling.
Demonstrating compliance: Central visibility
The centralized platform behind the delegated governance approach is designed for oversight into how privacy regulation policies are configured, acted on, and carried out. It illustrates what data contains sensitive information – like credit card numbers, for example – and where in sources across environments they reside. This visibility enables CPOs and IT teams to monitor business processes for quality assurance, so compliance measures are actually followed. There are also data lineage capabilities for tracking data’s movement throughout the enterprise and even propagating classifications (for PII, for instance) between clouds or tools.
This fine-grained visibility into sensitive data and traceability is optimal for auditing and reporting for regulatory adherence. The previously mentioned automated workflows are all auditable which allows organizations to easily repeat these steps to see what happened to a customer’s address. In the right to be forgotten use case, compliance officers can actually demonstrate to auditors a workflow’s particulars including when such requests were made, where they went, and what actions were subsequently taken to fulfill them. The various phases of an audit are supported by reporting capabilities to further demonstrate regulatory compliance on demand – either for formal regulatory requests or to satisfy a CPO’s curiosity that organizations are actually complying with established procedures.
Meeting privacy regulations
The centralized and decentralized characteristics of the delegated model approach, in which a central data governance platform helps data stewards tailor top-down policies for decentralized cloud and on-premise applications, is perfect for complying with data privacy regulations. Once CPOs interpret these mandates and detail what’s required to comply with them, they can ensure and demonstrate regulatory compliance.
The underlying governance platform’s automated workflows make sure steps for compliance are completed while the central visibility, auditing, and reporting capabilities can prove this fact to any interested party. In this regard, the delegated governance model solves all the problems of compliance officers and CPOs at enterprise scale so organizations can avoid paying costly non-compliance penalties and avoid any potential . damage to brand reputation. Equally important, these professionals are able to empower analytics teams while simultaneously fostering data privacy and regulatory adherence.
