By Matthew Bernstein, Bernstein Data
External Data Increases Information Governance Risks
Companies are more and more reliant on finding value in their data, while the public, regulators, and politicians are increasing their scrutiny of how companies use consumers’ data.
Massive amounts of available data, commoditized IT infrastructure (e.g., storage and compute), and presumed value to be extracted create incentives to keep, store, and process everything. At the same time, data privacy regulations are burgeoning, data protection and retention rules are expanding, and consumer rights and expectations are increasing. In 2023 we’ve already seen significant regulatory enforcement actions, and four new state consumer privacy laws become effective this year.
Meeting the increased Information Governance, or “IG”, challenges that come from the intersection of these developments is made more difficult by the prevalence of “externalized” data in every company’s operations. In this article we examine some of these increasing IG obligations, highlight some of the risks posed by externalizing critical information resources, and identify good IG practices to address the situation.
Data Privacy Adds to Information Governance Risks
In the U.S., industry-sector regulation has been the rule in the data privacy arena. Some of the industries subject to sector-specific data privacy rules includes consumer credit, education, telecommunications, advertising, and health care. But the profile and span of U.S. privacy concerns are growing as evidenced by California’s Consumer Privacy Act (CCPA), draft U.S. federal legislation, large FTC settlement fines, and public focus on the use of data. This is on top of existing IG risks and obligations, such as records management, information security, and eDiscovery.
Where Are the Risks?
The increasing trend of ‘externalization’ and outsourcing of data management poses a challenge to firms, given the diversity of systems and applications used by many companies. Identifying third-party risks is challenging because almost every widely used communication, processing, and storage platform (including cloud services, collaboration and messaging tools, and SaaS applications) operate outside the four walls of the company.
Companies are likely to use tools like Box, Slack, LinkedIn, and Twitter to communicate both internally and externally. Enterprise Management solutions like Salesforce and Workday, and cloud providers like AWS, Microsoft Azure, and Google Cloud are the platforms of choice for fast-developing companies. But, from the regulator’s perspective, responsibility for the management of this data remains with the business user, although the data is external. Awareness of, and responsibility for, these data privacy risks cannot be outsourced.
More concerning, service providers are typically NOT acting on their own to develop and implement data privacy policies. Solutions and services may provide safeguards and make functionality available, but it is up to the user firm to determine the rules it is subject to, identify its data subject to those rules, instruct the system or service provider to act on those rules, and assure adherence.
What To Do Now
To address the risks in external data, firms should establish a Data Privacy Risk framework, based on foundational capabilities for effective Information Governance.
- Legal Requirements and Regulatory Obligations
Identify Information Governance and Records Management requirements (laws, regulations, and standards) that apply to an organization’s information, driving retention and disposal timeframes and efforts across all mediums and locations (structured data, unstructured data, physical storage facilities, etc.). - Information Lifecycle Management
Govern data and information throughout its lifecycle, with policies, authorities, and procedures, such as records management, preservation and legal holds, metadata standards, and disposal procedures. - Data Identification, Classification, and Retrieval
Identify data subject to IG policies and data response requirements, including courts, regulators, and consumers exercising their Data Subject rights. - Information Technology Governance
Assure that the development and use of technology, to store, retrieve, transmit, and manipulate data or information, is governed and managed to meet its Information Governance risk and compliance needs. - IG Risk Management, Controls, and Monitoring
Monitor and substantiate that Information Governance requirements are taken seriously by the organization and third-party vendors, are complied with, and are incorporated into enterprise risk management frameworks, such as operational, regulatory, and third-party risk management.
Resources can be scaled appropriately to the size and scope of the firm and need not entail large enterprise IT solutions. Firms that take an informed approach and employ robust compliance measures will mitigate the risks of regulatory enforcement action. Those that do not may find themselves in the crosshairs of the new data protection regimes.