Are you tired of the GDPR discussion yet? I hope not. GDPR represents a tremendous opportunity to discuss risk management in a much wider context. GDPR – being all about personal data – is the opening you need to discuss how data is fueling your organization.
Why is Data Governance so important?
Data is widely distributed in organizations today, and the power of end users is tremendous. Even a simple download of personal data from a central, controlled system into a spreadsheet by a marketing person for one-time use is a risk. So not only do you need to understand where the managed systems that contain personal data are, but also the possible outputs from those systems.
Processing activities can be extremely complex. This is where engaging the process owners is so important. First, you need to educate them on the risks, and second, get their help in working out the data flows. Third parties are also a major challenge in this area. Many companies are leveraging cloud service providers or external vendors for many types of data processing. You must be able to identify these vendors, and then understand whether they access or process personal data.
Shadow IT, where functional groups work directly with external vendors outside the scope of IT, is a major challenge. Policies, education and better options have to come into play. You may not be able to eliminate every instance where a functional group works with an outside firm, but you can certainly ensure policies and training are in place to educate those groups on the potential risks.
While the discussion with your business may start with personal data, it isn’t a long shot to talk about other elements of data, the importance of data governance and the controls needed to secure all types of data. Once you cross that chasm of discussing data, the opportunity to talk about internal and external threats is open.