In the early days of computing, businesses gave little thought to the management of data or to concerns about the privacy of data they collected on individuals. In the last decade, however, the explosion of consumer data captured by enterprises -- for example on cellphone apps -- and many high-profile data breaches have brought issues of data governance and privacy to the forefront. Hardly a week goes by without some company or organization admitting that its customer data has been hacked, frequently in unencrypted form.
According to the security forum Dark Reading, there were 3,676 data breaches in the first nine months of 2018 alone. Some data breaches in recent years have been huge in scale: Yahoo had a billion customer records stolen, while Marriott had data on 500 million customers stolen in 2018. High-profile breaches have affected eBay, Equifax, Target stores, JPMorgan Chase & Co. and many more.
Data breaches not the only concern
What may be more surprising is the perfectly legal way our personal cellphone data is sold by app developers.
A 2019 New York Times investigation legally purchased cellphone ping data from a location data company on 12 million Americans over several months. By cross-checking the data with easily obtainable addresses, they were able to track the exact movements of individuals from celebrities to lawyers to senior government officials with security clearances. Individuals' movements were tracked to sensitive locations such as the Pentagon and specific events, including protest marches. Industry claims that such data is anonymous seem not to stand up to scrutiny.
Data governance and privacy policies on the rise
Governments have been slow to react, but in May 2018 the European Union enacted its GDPR, which sets out detailed responsibilities that companies have for protecting consumer data, with penalties of up to 2% of global annual revenue for serious breaches. British Airways discovered that this was no bluff, with a $225 million fine for a data breach involving half a million of its customers. Google was fined $55 million in France for being unclear on its data consent policy.
The U.S. has a more fragmented approach, with various rules in place in different industries such as finance, healthcare, telecommunications, consumer credit and telemarketing. The California Consumer Privacy Act (CCPA) came into effect on Jan. 1, 2020, and further federal and state legislation is in the pipeline.
More than just an issue with consumers
Even companies that do not deal with consumers have plenty of reason to put strong data governance and privacy practices in place. Large companies have hundreds of different applications containing data about customers, suppliers and partners, much of this duplicated in different transaction systems.
Analyst firm The Information Difference performed a study in 2008 that showed the average company had six competing "master" sources of customer data and nine master sources of product data. The firm repeated the survey in 2013 and found no improvement.
Since these surveys, businesses have become more aware of the need to establish a master source of data, though it's not entirely clear whether companies have begun to solve the problem, and it's possible that the number of master data sources has actually increased. Getting different lines of business within a global enterprise to agree on common definitions and classifications of master data such as "customer," "product" and "location" remains a difficult goal.
Establish practices that work
Best practice in data governance includes setting up an internal organization, with high-level sponsorship, that is responsible for the various aspects of data. This usually includes a data governance steering committee and a network of data stewards embedded within business lines, with an additional central data governance organization to coordinate their activities.
Companies with mature data governance policies give regular training in data governance, have processes in place to resolve debates about data ownership and regularly measure the levels of compliance with the processes that they have established. They also measure data quality and maintain a data risk register.
My own experience of working with companies in this area suggests that only a limited subset do a good job of all this. The Information Difference data governance benchmarking database shows that, even among those participating in a detailed data governance survey -- which by definition have a high level of interest -- there is very considerable variation in the maturity levels of companies when it comes to data governance and privacy.
Organizations need to take data governance and privacy very seriously given the worrying frequency of data breaches, which may seriously damage a corporation's brand, as well as incurring government penalties for lax policies and controls. As the amount of data that is collected continues to explode via cellphones, smart meters, car sensors and assorted home automation technologies, the urgency of protecting and managing this information is only going to increase.