The pace and complexity of regulatory requirements continues to grow globally, with no sign of slowing.
The California Consumer Privacy Act, (CCPA) took hold Jan. 1, giving millions of consumers new privacy rights regarding their data. The CCPA follows the European Union’s General Data Protection Regulation (GDPR). It affects 740 million people and took hold in 2018. Look for more and expanded privacy laws down the line. Already in the U.S., at least 29 states have passed laws related to data privacy, the Internet Association says.
Meanwhile, other regulations continue to amass. By 2021, financial services firms alone will face 374 “legislative initiatives,” and the number will continue to grow beyond that time horizon, regulatory change management expert JWG says.
For businesses, the challenges are not just that new regulations are being put into place. It’s also that new activities, processes and functions are being audited, up to and including the very act of decision making itself. Indeed, it’s no longer just the “what” that is being regulated. It is also the “how” as regulatory policy shifts from a narrow focus on data points to a more holistic, system-wide view, JWG asserts.
Holistic regulation, holistic response
In the past, it was enough for businesses to obtain broad consent from individuals to hold their personal data.
With CCPA and GDPR, businesses must now respond to consumer requests that are not only more specific but also include requests for customer data be forgotten. The companies need to understand how and where they got the data. To be in true compliance, they’ll need data policies that sit with and follow the data. That way, consumers can share some data with some companies but not with others, or some data for some purposes but not others.
To execute this holistic management of data, companies must link and centralize data relating to individuals. Additionally, businesses will have to know where they maintain personal information so that they will be able to carry out a request for deletion. And, they must make it possible for consumers to submit requests and have ways to verify that the request is valid.
What’s more, companies need to respond to consumer requests within specific timeframes and designate and train employees to handle such requests. At every step of the way, the potential exists for regulators to check for compliance.
All of this underscores a move toward digitally-empowered regulators, some of whom are aiming toward “quantitative regulation” in which machine-readable regulation is applied to firms in an automated manner, JWG notes.
This is truly the new era of digital regulation, and it will spread across industries as regulations have always spread, probably starting in highly regulated industries such as healthcare and financial services and then moving into others. The broad scope of consumer privacy—covered by the CCPA and GDPR—makes digital regulation a reality for all companies that collect or interact with any consumer data.
Responding to the challenge
The expanding field of digital and consumer data regulation makes the rationalization of legacy architectures and the formation of an enterprise-level data strategy top priorities for business. Organizations need to assess their readiness for these regulations—and others that will no doubt follow—and then create a strategic view of their data across systems.
Next generation technology based on artificial intelligence, machine learning, natural language processing and distributed ledgers will support automation objectives. To implement them effectively, however, companies will need solid foundations for data, data governance, data privacy and data security practices.
One of the first steps for any company regarding new data regulation is to assess how they view data. Do they see it as regulatory burden and liability to be managed? Or, do they view data as an asset to be mined?
By viewing data as an asset—and regulation as part of the optimal use of that asset—companies will be best positioned to seize opportunities from data, to make it accessible for analytics to drive strategic business decisions, and to create personalized offerings for consumers. Such an approach to digital transformation is essential for companies to survive and thrive in today’s increasingly complex regulatory environment.
Companies that try to address these challenges with legacy database technologies will struggle to enable the use of data as an asset because those technologies were created or designed decades ago for the data opportunities and challenges of yesterday. Next generation database technologies, designed for the data challenges of today and tomorrow, allow companies to get specific with data, via use of:
Metadata. Metadata is the data about the data. When metadata sits with the data, versus in a central repository of data rules, companies can get down to the granular level that the new regulations require in terms of consumer consent.
Centralized data. Data that is not shared outside of a department can remain it its own silo. However, data that is combined with other departments’ data and shared for multiple purposes must be centralized. And these days, the need to share data across silos is increasingly becoming the status quo. With data in a central location—versus the myriad of silos still common in many companies—business leaders have a 360-degree view of data. With that view, they’ll more easily see business trends, and be able to meet regulatory compliance. For example, if data includes an email address, companies with metadata management capabilities will readily see what consent has been given for its use. If it’s consented for billing but not for marketing, the central data hub would make it available only for billing and not for marketing. If such data remains spread out in silos, it’s much harder, if not impossible, for rapidly changing data consent rules to be enforced.
It is for these and other reasons that organizations are moving towards a data hub architecture, where data across silos are safely and securely curated and harmonized on an as-needed basis, while capturing critical metadata along the way.
Lean-in to data integration
A data hub can also scale beyond the limitations of existing systems, ingest data as-is from all sources, clean the data, provide secure multi-tenancy, and provide an audit trail across private and public clouds.
The move toward quantitative regulation will put a premium on internal and external data integration. A data hub will effectively handle complex multi-model data integration and automate interactions with regulatory systems of record. The result? A fully-automated digital interface between regulator and company.
No doubt, companies face a new data privacy landscape. Embracing it will enable them to gain a competitive advantage. They’ll do more with data and deliver better personalization to customers.