By Amandeep Khurana
It has been more than a year since the General Data Protection Regulation (GDPR) went into effect in Europe, and financial institutions are already preparing for the January 2020 effective date of the California Consumer Privacy Act (CCPA). This is far from the end of the process. New privacy regulations are coming both in the U.S. and around the world. Financial institutions that treat each new regulation as a separate project, requiring incremental changes across increasingly complex and global data infrastructures, will struggle to meet compliance deadlines and to get the implementation right.
Instead, financial firms must develop a comprehensive, dynamic governance strategy that will enable them to easily implement any new regulatory requirements that come along. Dynamic governance will also help these institutions protect sensitive information and their brands more effectively and ensure continued consumer confidence — all while being able to progress with their big data and digital transformation initiatives.
The challenge of privacy regulation compliance
Large fines for the misuse of personal data are now a reality. The U.K. Information Commissioner's Office has announced its intention to fine British Airways about $230 million and Marriott International about $123 million under GDPR. The U.S. Federal Trade Commission just announced a $5 billion settlement with Facebook over the company's failure to keep users' personal data under its control and its misleading statements to users about the privacy controls available to them. Individual executives may even start facing fines for privacy violations. And more regulations are on the way. In addition to the CCPA, several other U.S. states are developing their own privacy laws, and even cities are getting involved. A federal privacy regulation is also gaining momentum. Beyond fines, it is now clear that privacy violations damage a brand, and consumers favor brands they believe will protect their information.
At the same time, companies struggling to become data-driven organizations are held back by the fear of privacy violations. A recent survey found that 69 percent of companies reported they had yet to create a data-driven organization, and 52 percent admitted they were not treating data as a business asset. Some companies are intentionally limiting their digital transformation, big data, AI and machine learning initiatives because they cannot be sure those initiatives will remain compliant as regulations evolve.
So how can financial institutions do both? How can they confidently optimize the use of their data assets while building the capability to comply with evolving regulations? The answer is dynamic governance.
Dynamic governance is the ability to govern data in a way that adapts as requirements change, so the enterprise can absorb new regulatory obligations without re-engineering its data infrastructure each time. It is built on three foundational capabilities:
- Comprehensive discovery, cataloging and classification of all data under the financial institution's control – This should cover private customer data, private employee data and intellectual property. The institution should also be able to discover, catalog and classify the private data it shares with and receives from third parties, whether the data is purchased, sold or shared as part of connected business processes. The discovery and tagging capability should be flexible and extensible so that new categories of sensitive data and new regulatory definitions can be added over time without starting from scratch.
- Automatic enforcement of access control policies and usage rights based on the attributes of the data – Relevant attributes include source, location, owning department, object type and sensitivity level. Policies must also take into account the purpose of the access and the consent the data subject has given (for example, consent to use data for fraud detection but not for marketing). Expressing policy over data attributes and consent, rather than over individual tables and users, lets the enterprise update a rule once when a regulation changes instead of rewriting grants across every system. Data that has not yet been discovered or tagged should be denied by default, so that a gap in discovery does not become a gap in enforcement.
- Full visibility and auditability of what employees are doing with specific data – Being able to observe user activity and how data is used is critical to meeting regulatory obligations, for two reasons. First, visibility allows an organization to detect malicious activity and insider threats and to determine whether the access control policies are actually effective. Second, when an external audit request comes in, the institution must be able to respond in detail. Generating clear, detailed reports about user and data access activity, from records that the users being audited cannot alter, is a critical aspect of dynamic governance.
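The three capabilities above map directly onto a small enforcement pipeline: a catalog of tagged data elements, a default-deny policy evaluated over data attributes, access purpose and consent, and a tamper-evident audit log from which reports are generated. The following is an added example written for this article; it is not Okera's product code or the author's. The catalog, consent registry, policy rules, user names and requests are all constructed for illustration, and the hash-chained audit log is one simple way to make records tamper-evident, not the only one.

```python
"""Added example: attribute- and consent-based access control with an audit trail.

Constructed for illustration; catalog, consent records and rules are not real.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple
import hashlib
import json

# 1. Discovery and cataloging: every column carries the attributes that policy keys on.
CATALOG: Dict[str, Dict[str, str]] = {
    "crm.customers.email":      {"sensitivity": "PII",       "owner": "marketing", "location": "EU"},
    "core.accounts.balance":    {"sensitivity": "financial", "owner": "finance",   "location": "US"},
    "core.transactions.amount": {"sensitivity": "financial", "owner": "finance",   "location": "US"},
    "hr.employees.ssn":         {"sensitivity": "PII",       "owner": "hr",        "location": "US"},
    "public.branch.address":    {"sensitivity": "public",    "owner": "ops",       "location": "US"},
}

# Consent registry: purposes each data subject has agreed to (constructed sample).
CONSENT: Dict[str, set] = {
    "cust-001": {"fraud_detection"},               # opted out of marketing
    "cust-002": {"fraud_detection", "marketing"},
    "emp-009":  {"payroll"},
}


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    purpose: str
    column: str
    subject: Optional[str] = None   # data subject whose record is read, if any


# 2. Enforcement: default deny, decided from attributes + purpose + consent.
def decide(req: Request) -> Tuple[bool, str]:
    attrs = CATALOG.get(req.column)
    if attrs is None:
        return False, "column not in catalog"     # undiscovered data is never readable
    sens = attrs["sensitivity"]
    if sens == "public":
        return True, "public data"
    if sens == "PII":
        # Purpose limitation: the subject's consent must cover this purpose.
        if req.subject is None:
            return False, "PII access requires a data subject"
        if req.purpose not in CONSENT.get(req.subject, set()):
            return False, f"no consent from {req.subject} for {req.purpose}"
        if attrs["owner"] == "hr" and req.department != "hr":
            return False, "employee PII restricted to HR"
        return True, "consented PII use"
    if sens == "financial":
        if req.purpose == "fraud_detection" and req.department in {"risk", "finance"}:
            return True, "financial data for fraud detection"
        if req.department == attrs["owner"]:
            return True, "owning department"
        return False, "financial data outside owner/risk"
    return False, "no matching allow rule"


# 3. Visibility: append-only, hash-chained decision log plus an audit report.
class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, req: Request, allowed: bool, reason: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {**asdict(req), "allowed": allowed, "reason": reason,
                "ts": datetime.now(timezone.utc).isoformat(), "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def report(self) -> Dict[str, dict]:
        """Per-user summary of the kind an auditor asks for."""
        summary: Dict[str, dict] = {}
        for e in self.entries:
            s = summary.setdefault(e["user"], {"allowed": 0, "denied": 0, "columns": set()})
            s["allowed" if e["allowed"] else "denied"] += 1
            if e["allowed"]:
                s["columns"].add(e["column"])
        return summary


def access(log: AuditLog, req: Request) -> bool:
    """Single enforcement point: decide, then record every decision, allowed or not."""
    allowed, reason = decide(req)
    log.record(req, allowed, reason)
    return allowed


if __name__ == "__main__":
    log = AuditLog()
    access(log, Request("alice", "risk", "fraud_detection", "crm.customers.email", "cust-001"))
    access(log, Request("bob", "marketing", "marketing", "crm.customers.email", "cust-001"))
    print(json.dumps(log.report(), default=sorted, indent=2), "chain ok:", log.verify())
```

Two points the code makes that the bullets only state: the same `crm.customers.email` column is readable for fraud detection and not for marketing purely because of the subject's consent record, so a consent change needs no new grants; and because denials are logged as well as allows, the report shows where policy is blocking legitimate work or where a user is probing for data they should not see.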
Key requirements to make dynamic governance a reality
Implementing these dynamic governance capabilities will require most organizations to make some degree of people, process and technology changes.
- People – Ensuring the success of a dynamic governance initiative requires creating a culture of responsibility. This top-down effort, led by the active participation of the executive team and backed by visible investment, must make privacy and governance core elements of the organization's mission. Use the new regulatory environment as the trigger to make this happen in your organization.
- Processes – With the right people in place, you can now take a truly collaborative approach to governance. Every department must be involved: legal, records, security, finance, HR, marketing, IT. At a more granular level, a key process change to consider is a shift from centralized to federated data stewardship. In this model, instead of IT attempting to govern a single, centralized data-store (where it knows little about the actual data), each line of business governs the data it touches. This puts those who know the most about the data in charge of governance, which is key to success.
- Technology – New technology may be required to create a dynamic, data-centric architecture that will enable financial institutions to break down data silos, enable visibility across all data and implement federated stewardship and other automated processes. As you think about new technology investments, be sure the solutions are built from the ground up with privacy at the core.
The business benefits
It’s vital to keep in mind that the investment in dynamic governance will pay rich dividends beyond regulatory risk mitigation. It will enable banks and other financial institutions to protect their brand value and uphold consumer confidence by maintaining a high bar for protecting their data as it goes into analytics projects associated with digital transformation, big data, AI and ML initiatives.
Amandeep Khurana is co-founder and chief technology officer of Okera. Amandeep founded Okera in 2016 with his co-founder Nong Li. While supporting customer initiatives at Cloudera and involved in product development at AWS, Amandeep witnessed first-hand the challenges companies faced in adopting big data and cloud technologies. This experience, along with the goal to empower people and businesses through easy data access, led him to start Okera. Amandeep is also the co-author of HBase in Action, a book on building applications on HBase. He is passionate about distributed systems, big data, and helping customers get value out of new technology.