Building a Blueprint for Global Data Compliance
By Varun Mehta, VP Legal & Compliance Solutions, Clutch Group
And it’s not just how big Big Data can get that the C-Suite needs to worry about; it’s how far it can travel. Data in the Cloud is subject to global regulatory regimes, and companies don’t have the tools and systems to adequately monitor all of this data in real time. The Cloud is amorphous. Data travels from one jurisdiction to another at a whim, regardless of siloed data governance programs. When one piece of data can be scrutinized and claimed by many different regulators, a global approach to data governance is the only way forward.
There’s no easy answer here, and the challenges are enormous. But there are a couple of things CIOs, CTOs, and CCOs can work together to achieve—here’s a look:
Getting Serious about Information Management
The first step in creating or strengthening your data management program is to map out your entire data environment. Where does your data get created? What types of data exist within your business? How is it used? By whom? What does the entire lifecycle of your data look like?
Having done this, it’s critical to then work with key business stakeholders to understand and assign a risk profile to all forms of data, placing a special emphasis on understanding not only how different data streams flow within your organization but also the full implications of something adverse happening to them. Key questions to think about when embarking upon your risk classification plan:
• Does this data consist of information that is proprietary to your business, or does it contain intellectual property?
• Does this data contain key personnel information? If so, what are your obligations to your employees, both from an HR and a regulatory standpoint?
• Does this data contain key customer information? If so, what are your legal and regulatory obligations for preservation and security around this data?
• In which jurisdiction does this data sit? Are there any unique data requirements for this jurisdiction?
• Does this data need to be preserved? If so, for how long?
Think of this entire process as creating a blueprint for your corporate data infrastructure—it should help create a stratified approach to information and data management and help you meet business needs while ensuring full compliance with both regulatory and internal requirements. It is also an essential tool for developing effective response plans to emergencies, which should be audited and analyzed on a regular basis.
Adopting New Tools and Technology
Big data, BYOD, and the Cloud have caused a big headache, but companies don’t have a choice when it comes to using these technologies. We live in a fast-paced, data-charged economy that requires us to conduct business in a virtual world. CIOs and CCOs of today need to keep up with and understand all available tools, and they need to consider something that most wouldn’t have to think about when integrating a new platform or adopting a new technology or tool: is there a chance that it could violate any of the tens of thousands of policies and requirements that govern your business? CIOs, CTOs and CCOs need to come together to do the following:
• Discuss the existing business challenges where new technology, tools, platforms or infrastructure will alleviate issues or meet business requirements
• Understand the core usage of the new tools they are evaluating and what practical effects the tools will have on your organization. Things to think about: Where does the data sit? Where does it go? Will it contain personnel or customer information? Could it be requested as part of a regulatory or legal issue? If so, how do you ensure its integrity and preservation, and how do you extract it?
As a part of this exercise, CIOs and CCOs should set up a regular task force with key stakeholders whose mandate is to analyze, map out and approve technology, bridging the gap between ensuring compliance and meeting business needs.
As regulators attempt to direct the flow of this data, making comprehensive demands and imposing massive fines, companies are scrambling to develop and implement new data management programs to ensure compliance. But it looks like the flow of data may be too strong and unpredictable to immediately control. It’s also expensive: CCOs and CROs in the financial services industry, for example, have collectively spent $50 billion on compliance mandates alone.
Simply put, regulators and corporations live on two separate clouds. While regulators have mandated how data should be stored, shouting across the gulf of space, companies are only now beginning to hear their calls.
We need to get to a point where we’re not afraid of, or overwhelmed by, data; where we view it not as a liability but as an asset. Figuring out the right way to build a proper data governance framework will allow us to remain compliant in other areas. Take the beleaguered financial industry, for example, plagued by fines and bad press. Six major banks—Bank of America, Citibank, Commerzbank, JPMorgan, Societe Generale and Standard Chartered—recently announced that they are working to jointly establish a registry of shared customer data to facilitate due diligence and compliance. This network will allow a secure flow of customer information from one bank to another, promoting knowledge sharing and allowing each bank to bolster its own compliance program and gain clarity into its data through collaboration.
The future resides in the safe and efficient sharing of data. It’s time to bridge the gap between the clouds—to get to a point where we can share and expand with a clear mind and a clear conscience.