Enterprises are dealing with a barrage of upcoming regulations concerning data privacy and data protection, not only at the state and federal level in the US, but also in a dizzying number of jurisdictions around the world.
Kicked off several years ago by the groundbreaking introduction of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the regulation and compliance trend is only going to intensify. In August the Federal Trade Commission (FTC) released an Advance Notice of Proposed Rulemaking (ANPRM) titled Commercial Surveillance and Data Security that encompasses a wide range of data protection and privacy issues, including data monetization models, discrimination and algorithmic biases and data security, to name a few.
As these types ANPRMs continue to be released and regulation swiftly catches up to innovation, a recent Gartner survey predicts that 75% of the world’s population will have its personal data covered under modern privacy regulations by the end of 2024.
At IBM’s recent Chief Data and Technology Officer Summit on data privacy, I spoke with some of the world’s top data leaders about the two-pronged challenge they’re now facing: ensuring that data policies and practices meet regulatory demands, while also continuing to innovate with new technologies.
We agreed there is a way to navigate this complicated landscape and maintain a competitive advantage that delivers business value. The journey starts with having a multimodal data governance framework that is underpinned by a robust data architecture like data fabric. This framework can create a standard approach for meeting regulatory compliance while allowing for customization to address local regulations and being proactive when handling new regulations.
Adopting a privacy-centric approach built around a data fabric
A data fabric is an architectural approach that simplifies data consumption across a diverse and distributed landscape, while adhering to data privacy requirements. Think of a data fabric as a single pane of glass that creates visibility across an enterprise. By doing so, it greatly reduces the complexity of managing disparate regulations worldwide. What’s more, a data fabric can automate data governance and security by creating a governance layer across the lifecycle.
To understand how a data fabric helps maintain compliance to privacy regulations, it’s helpful to look at some essential elements of that single pane of glass.
Build a foundation using a common catalog and metadata
Building a data fabric starts with creating visibility using a data catalog, which is an inventory of an organization’s information assets. It lets appropriate parties, such as the company’s chief data analyst, know what the data is and where it resides. Without a data catalog, data can remain hidden or unused and become impossible to manage.
A proper data catalog has a common taxonomy that helps everyone communicate more effectively and solves a common challenge of data integration—different data sets describing the same terms differently. This is important for data privacy: If the wrong term is used, data that should be limited in access might accidentally be made available to the whole business.
Similarly, active metadata — data about data — is at the heart of how a data fabric delivers on privacy for the same reason as a common data catalog. If you don’t know the details about your data, how can you truly say who is meant to see it or how you can use it? In the context of a data fabric, think of metadata as an augmented knowledge graph displaying the network of data across an entire enterprise, along with the conditions that apply to these sets of data.
Operationalize data privacy through automation
Once metadata has been created, it can be tagged, signifying which data is sensitive, limiting who has access to it and so forth. Then intelligent automation begins.
Automated metadata generation is particularly important for access and privacy. Consider, for example, an enterprise that wants to bring in a new data set containing transaction information such as item descriptions, quantity purchased, name, address and credit card number. When this data set is ingested, automated tagging labels the item descriptions and quantity as general transaction data, the name and address as personal data, and the credit card number as financial data. This tagging allows policy enforcement at the point of access. If business users access the data set, they can see the general transaction data, but the personal and financial data is automatically made anonymous.
Govern data and allow self-service consumption
While many of the regulations coming down the pike will be similar or even identical, how they are enacted will look very different across countries and regions. The challenge lies with demonstrating compliance to regulators while providing business users with a way to easily access the information. Otherwise, compliance creates a speed bump for innovation. That’s where the self-service element plays a critical role.
While self-service suggests a lot of freedom, the data fabric must include multimodal governance, allowing only certain people to access that data. Again, that single pane of glass will bring together the privacy and the security aspects at a single access point, while offering users an easier way to serve the data they want accessible to others. The ability to conduct real-time monitoring and audits helps secure the systems and comply with regulations, but it also helps the business mitigate data loss through breaches and keep models accurate.
Find your holistic data privacy and security solution by getting started with a data fabric strategy.
To hear more from data leaders around privacy, watch the replay of our CDO/CTO Summit series and attend our upcoming in-person CDO Summit.
Learn how IBM can help you turn compliance into competitive advantage