In the early days of computing, businesses gave little thought to the governance of data or to concerns about the privacy of the data they collected on individuals. In the last decade, however, the explosion of consumer data captured by enterprises -- for example, on cellphone apps -- and the combination of high-profile data breaches and new government regulations have brought data governance and privacy issues to the forefront.
Hardly a week goes by without some company or organization admitting that its customer data has been stolen, frequently from systems that held it in unencrypted form. According to the security news site Dark Reading, there were 3,676 data breaches in the first nine months of 2018 alone. Some data breaches in recent years have been huge in scale: Yahoo had records on all 3 billion of its user accounts stolen in 2013, while data on nearly 400 million Marriott customers was exposed between 2014 and 2018. High-profile breaches have affected eBay, Equifax, Target stores, JPMorgan Chase & Co. and many more.
Data breaches not the only concern
What may be more surprising is the perfectly legal way our personal cellphone data is sold by app developers.
As part of a 2019 investigation, reporters from The New York Times legally purchased cellphone ping data from a location data company on 12 million Americans over several months. By cross-checking the data with easily obtainable addresses, they were able to track the exact movements of individuals from celebrities to lawyers to senior government officials with security clearances. People's movements were tracked to sensitive locations such as the Pentagon and specific events, including protest marches. Based on these findings, industry claims that such data is anonymous seem not to stand up to scrutiny.
Data governance and privacy policies on the rise
Governments have been slow to react, but in May 2018 the European Union put into effect GDPR, which sets out detailed responsibilities for protecting personal data, with penalties of up to 4% of global annual revenue for the most serious infringements. British Airways discovered that this was no bluff -- it faces a proposed fine of about $235 million for a data breach involving half a million of its customers. Google was fined $57 million in France for being unclear about how it obtained consent to process users' data.
The U.S. has a more fragmented approach, with various rules in place in different industries such as finance, healthcare, telecommunications, consumer credit and telemarketing. But the California Consumer Privacy Act (CCPA) took effect on Jan. 1, 2020, creating a law with some parallels to GDPR, and further federal and state legislation is in the pipeline.
More than just an issue with consumers
Even companies that don't deal with consumers have plenty of reason to put strong data governance and privacy practices in place. Large companies have hundreds of different applications containing data about customers, suppliers and partners, much of this duplicated in different transaction systems.
The Information Difference, my analyst firm, performed a study in 2008 that showed the average company had six competing master sources of customer data and nine master sources of product data. The survey was repeated in 2013 and found no improvement in this.
Since these surveys, businesses have become more aware of the need to establish master data, though it's not entirely clear whether they've begun to solve the problem -- it's possible that the number of multiple master data sources has actually increased. Getting different lines of business within a global enterprise to agree on common data definitions and classifications of master data in domains such as customer, product and location remains a difficult goal.
Establish governance practices that work
Best practices in data governance include setting up, with high-level executive sponsorship, an internal organization responsible for the various aspects of data. This usually consists of a data governance steering committee, a network of data stewards embedded within the business lines, and a central data governance organization that coordinates the stewards' activities.
Companies with mature data governance policies give regular training in data governance, have processes in place to resolve debates about data ownership and regularly measure the levels of compliance with the processes that they've established. They also measure data quality and maintain a data risk register as part of their governance programs.
My own experience of working with companies in this area suggests that only a limited subset do a good job of all this. The Information Difference data governance benchmarking database shows that even among those organizations participating in a detailed data governance survey -- which by definition have a high level of interest in the topic -- there is considerable variation in the maturity levels of companies when it comes to data governance and privacy.
Organizations need to take data governance and privacy very seriously given the worrying frequency of data breaches, which may damage a corporation's brand and incur government penalties for lax data policies and controls. As the amount of data that's collected continues to explode via cellphones, smart meters, car sensors and assorted home automation technologies, the urgency of protecting and managing this information is only going to increase.