In order to ensure that you respect data privacy, it is vital that you apply privacy principles across your company. In this video, learn some key actionable ideas.
- [Instructor] Besides regulatory compliance, a key reason behind data governance is to help manage customer data. Once you have your data classified and inventoried, you can create tooling to help manage your data. Let's see what that means.

Data rightsizing. For far too long, companies have empowered engineers and data scientists to collect data without limits, with the expectation that today's unneeded data could become tomorrow's unforeseen insight. That lack of discipline could lead to internal data misuse, security breaches and inappropriate data sharing. All of these could harm your consumers' privacy and your reputation. Stories over the last few years demonstrate that this is not an abstract possibility anymore. To that end, data rightsizing can be defined as the effort to collect, access, process and share data based on legitimate business needs and customer benefit, in line with the commitments you have made to the customer. You will want to staff your privacy team with technical architects and/or program managers who can work with engineering teams to identify areas where sensitive data is collected without legitimate purposes, duplicated rather than using a central storage system, or combined with other data to create outcomes different than what the user consented to. All of this becomes much easier with the classification and inventory in place. You will have already invested in the organizational preparedness and automation to make all this happen.

Data deletion. You will need to invest in data deletion tools that will help remove data from your systems after specific periods of time, in line with customer and regulatory commitments. This could include deleting data after you have completed your usage and/or after the customer stops using your service. You will want to confirm these commitments with your legal team. One of my mentors in the privacy domain often compared data deletion to cutting an onion.
It is harder than it looks, it gets even harder once you start, and often ends in tears. Data deletion is hard because data collection has grown, as we have talked about before. Data is often stored in disconnected systems that are harder to access, and that makes it even harder to assess the risk of a combined record. As time passes, the growth in volume often makes it hard for any process, manual or automated, to delete data. Which is why, as previously stated, you will want to use your data governance framework to rightsize your data collection. That way you can avoid collecting data you don't need so that deletion does not become a tool of last resort. And as you will see next, you also want to create access management tooling so that you can prevent improper use of data collected. A theme that is developing here is that when it comes to data classification, inventory, access management, deletion, these are all parts of a strategy rather than individual pieces that you can just finish and ignore.

But back to our slides. "Dance like nobody's watching but encrypt like everybody's reading." This was a T-shirt handed out at a conference I attended back in the day. Although somewhat oversimplified, it makes the point that you need to protect your data as if everybody would want to and potentially be able to read it.

A key benefit of data governance is that it enables you to get a sense of the what, the who and the why. What is this data? Who needs it? Why do they need it? In order to keep things simple, think of access management as deploying the tools you already built for security, but this time for privacy. The same tools that protect you from external hackers could be used to protect your data from privacy-related misuse. These could be tools like encryption, tokenized databases, data obfuscation, anonymization, et cetera.
These tools will ensure that you can manage access to your data as laws change, risk around the data grows, the profile of your workforce evolves, and partnership and data-sharing agreements take shape. In practice, you will want to prioritize and simplify consent, usage and retention policies to help your teams get access only to the right data that they legitimately need. Granular access management could also help you with your privacy and security audits and mitigate the impact of insider risk.

As I said before, data is like an ocean and you cannot drink your way out of the deep end. You cannot delete your way to trust and compliance. Data governance and access control techniques are like the swimming tools that help you get to shore.