In the last ten years, the amount of available enterprise data has grown exponentially, and so has customer expectations about how businesses handle personal information. Everywhere you visit online, companies are collecting data about you, regardless of whether you are aware of it and whether you choose to share it. As a result of enterprises holding mass amounts of consumer data, breaches have become more frequent. Since 2010, there have been dozens of Fortune 500 companies from which customer data has been leaked to hackers and unwelcomed third parties. These data breaches have eroded customer trust in online business as a whole.
Prior to 2016, protecting the privacy and confidentiality of customer data was just a good business practice. However, the creation of regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) has transformed this practice into a legal obligation for businesses of all sizes (we are going to focus on enterprises in this piece). Since its implementation, GDPR has already generated $126 million in fines, with the biggest penalty of 50 million euros imposed on Google (Source). While these regulations are independent of one another with different scopes, definitions, and requirements, they both protect the rights of consumers.
GDPR
In May 2018, the EU enacted the GDPR, and the digital world was never the same. The GDPR created strict regulations about the usage and storage of consumers’ personal data, requiring firms to use extra safeguards (such as encryption) to protect it. Enterprises that do not comply with these requirements face penalties of up to four percent of their global annual revenue, or €20 million, whichever is greater.
According to the EU, enterprises must follow the seven accountability and protection principles to meet GDPR compliance:
While the GDPR is a European regulation, enterprises around the world must comply if they do business in the EU, have customers in the EU, or their products and services are accessible from the EU. For example, if a US-based business uses a web-service to track EU visitors to their site, they must be GDPR-compliant. According to PriceWaterHouseCoopers (PwC), 92 percent of multinationals view GDPR compliance as a top priority (Source). Due to the likelihood of high fines and penalties, most businesses have adopted GDPR as their data privacy and protection standard, regardless of their dealings in the EU.
CCPA
Mirrored after the GDPR, the State of California passed CCPA in 2019 to protect consumers’ privacy online. The legislation forces every business that operates within the state or collects information from residents of the state to disclose what information it obtains about its consumers, the reasons for gathering sensitive information, and any third-parties who receive their data. Penalties can range from $7500 per violation or $150-$750 per consumer per incident.
According to the State of California Department of Justice, CCPA provides the following rights to California consumers:
Both the GDPR and CCPA force firms to dedicate significant time and resources to data privacy, confidentiality, and compliance. These businesses are now investing into various tools, such as effective data governance and data management solutions, to comply with these regulations.
While enterprises were given fair warning to comply with the GDPR and CCPA requirements, it appears that many are still struggling due to a variety of challenges.
Inability to Track All Versions of Data, Metadata, and Business Rules
Regulators expect enterprises to be able to track all versions of their data, metadata, and business rules in a fine-grained permissioned manner. Specifically, enterprises must provide the lineage of all data—where it was created and how it got to its current state. If a data breach occurs or consumers file any complaints, enterprises must be able to provide regulators with proof and documentation of the events or rules that led up to the breach or complaint.
Let’s consider specific requirements from GDPR and CCPA. GDPR mandates that enterprises must keep personal data up to date. This would be easy if all personal data pertaining to an individual conducting business with the firm is stored in a single repository, where changes can be versioned and tracked, ensuring data is up to date. But in reality, personal data may be distributed across multiple sources – e.g. a CRM system may contain data captured from the point where the individual was a lead to the point where the individual signed up to be a customer. Once the individual became a customer, further information may have been collected and stored as part of the customer’s account. The customer may have multiple accounts that may not be linked together. Ensuring that all changes to personal data is tracked across sources, while maintaining a complete version history is a major challenge.
Additionally, both the GDPR and CCPA mandate that enterprises store personally identifying data for as long as necessary for the specified purpose. If the consumer decides they no longer want an enterprise to store their personal data, the enterprise is required to permanently delete it. The enterprise is responsible for deleting all instances and versions of personal information from all it’s sources, a task that is difficult without the ability to identify all the sources that contain the relevant personal data (as well as the business rules that create, modify and enrich the personal data).
Lack of End-to-End Visibility
Enterprise data is acquired from multiple sources and is often extremely fragmented. It is difficult for a business to track down all of their customer data when it is scattered across siloed systems, applications, and workflows. Despite these complexities, regulators hold firms accountable. Regulators require them to efficiently add, move, or remove pieces of customer data when required. Without a unified view or end-to-end visibility, firms cannot confidently guarantee data quality or quickly perform root cause analysis. This lack of end-to-end visibility makes it very difficult to ensure that data fields and attributes governed by the GDPR or CCPA are appropriately managed.
Static Approach to Data Governance
Most enterprises have traditional data governance frameworks that do not adequately support the demands of regulators, outside parties, or internal senior management. Data dictionaries, glossaries, catalogs, and rule repositories are the foundation of data governance. Most firms deploy a passive data governance model, which requires constant manual creation of these fundamental components. When underlying data or rules change, data stewards must perform manual updates to maintain consistency. This extra step can be expensive and can result in stale or inaccurate data. In the case of GDPR and CCPA, it is important that any metadata collected about customers must be completely removed if requested. This means that the right attributes associated with GDPR or CCPA regulations are present in data dictionaries, glossaries, and catalogs, and will need to be deleted without affecting the rest of the enterprise’s workflow.
Ongoing Data Quality Challenges
Since data is the key ingredient in GDPR and CCPA compliance, ensuring it is complete, consistent, correct, and timely is crucial. Article 16 of the GDPR requires companies to correct inaccurate and incomplete personal data without delay. Governance teams must establish controls to address any data quality issues in a timely fashion. With most firms having very complex operating models that traverse many systems, jurisdictions, and service models (“captive” vs. “vendor”), it is challenging to ensure the quality of data on request. Enterprises must deliver trustworthy data to regulators to avoid fines and uphold customer trust.
Data governance and regulatory compliance ultimately go hand in hand. As the amount of consumer data increases, lawmakers expect organizations to have proper tools in place when obtaining, using, and sharing it. Before any of that can happen, enterprises must understand their data. Enter: data governance.
Data governance provides a framework for managing standards and policies, while setting best practices around data protection and sharing. Enterprises that are worried about complying with these regulations—that they will be painful and costly—can be assured that adopting the right data governance tool early-on alleviates much of the stress. By implementing effective data governance, enterprises can obtain, monitor, use, and govern its data assets across the entire enterprise securely. A solid model can prepare, cleanse, and create a unified view of consumer data for quick access, modification, or deletion (if needed). Data governance not only protects data, but also the individuals or groups who could be affected by the data. These parties include those who create the data, use the data, benefit from the data, and create rules and requirements about the data.
As previously mentioned, not all data governance models are created equal. Effective data governance ensures continuous data quality—correctness, consistency, completeness, and timeliness. It not only tracks the current state of data, but its entire lineage throughout the ecosystem. Any transformations or events that occur and affect the data are documented and proven.
An effective data governance framework implements policies and rules that protect customers’ privacy, while allowing secure data-sharing that meets GDPR and CCPA compliance.
PeerNova’s Cuneiform Platform provides active data governance platform that enables end-to-end (E2E) trust and transparency of data and business flows. The solution tackles key challenges enterprises face in both GDPR and CCPA compliance.
The Cuneiform Platform is uniquely positioned to provide firms with a solution that supports the quantum of data being produced, the quality of the data being maintained, and the auditability of data being traced to ensure regulatory compliance and client confidence. With E2E visibility and active lineages, both enterprises and regulators can track the creation, acquisition, and movement of consumer data throughout the various systems, applications, and workflows.
PeerNova’s solution provides a unified view across systems and applications. The platform continuously builds, updates, and optimizes data dictionaries, glossaries, and rules repositories. The dynamic lineages shorten and ease root cause analysis allowing enterprises to quickly identify data and process issues with consumer data.
The Cuneiform Platform allows ongoing Data Quality and Timeliness rules to be perpetually run across the live data. The solution defines, measures and enforces key quality indicators around data, metadata, rules definition, and execution. The solution provides for creation of accurate dashboards, reports and metrics for enterprises using a self-serve model, lowering the overall cost of risk and compliance for GDPR and CCPA. PeerNova’s tools include capabilities to manage multiple versions of metadata catalogs, dictionaries, and glossaries including deletion, archival, and migration.
With consumers quickly losing faith in businesses’ ability to safely and securely manage their personal data, enterprises must implement an effective data governance framework to regain customer trust. Through PeerNova’s active data governance tool, enterprises can use automated and self-servicing tools to easily meet regulatory compliance and address any current obstacles. By successfully protecting personal data and providing transparency to clients and regulators, an enterprise can quickly transform into a customer advocate and industry leader.
To learn more about how PeerNova’s Cuneiform Platform can help your enterprise meet GDPR and CCPA regulatory requirements, be sure to get in touch with us and request a demo today.
Sources:
PricewaterhouseCoopers. “GDPR Compliance Top Data Protection Priority for 92% of US Organizations in 2017, According to PwC Survey.” PwC, Link
OAG.GOV. “California Consumer Privacy Act (CCPA) Fact Sheet.” Link
Browne, Ryan. “Europe’s Privacy Overhaul Has Led to $126 Million in Fines – but Regulators Are Just Getting Started.” CNBC, CNBC, 20 Jan. 2020, Link
