Ten Questions CDOs Must Ask to Operationalize Privacy
Not all companies with good data governance can protect privacy. Data privacy requires a few unique vectors. These ten questions will help rank your governance program’s readiness to implement data privacy.
As data becomes more valuable for organizations and compliance requirements become more stringent, most companies have made a data governance a priority. In broad terms, data governance focuses on data availability, data quality, and compliance across the complete lifecycle of the data. Governance is accomplished based on a set of well-defined practices and principles.
Reliable data governance is essential to implement a robust data privacy program. Here are the top 10 questions needed to evaluate a data governance program for its readiness to deliver data protection/data privacy. These factors determine your governance program’s effectiveness in implementing data privacy. Identifying the gaps helps you understand the effort required to operationalize privacy.
1. Have you inventoried data and mapped where it is stored?
Having a holistic understanding of your data sources is an essential building block. Your inventory must include the backup and recovery process of your data, including how many copies exist. Your data might be stored in one or more locations, on the premises or cloud environments, or hybrid environments. Does your governance team track how long data are kept in the storage? Location, data lifecycle, and storage will influence your governance policy.
2. Have you identified sensitive data? Have you classified and prioritized the data assets based on sensitive data?
Data assets can be classified as confidential, sensitive, personally identifiable information, internal, and so on. This classification can identify how to treat data and prioritize governance efforts. Proper management practices can often stem from understanding the importance of different types of collected data, and this is an important step for establishing the right privacy governance program.
3. Are the data sources secured and encrypted?
Data security is essential in deciding the outcome of your data governance plan. Security vulnerabilities negate all the progress through other governance efforts. When it comes to data security, users pose the highest risk to security. Hence you should include audit user access privileges (who has access to what data.)
4. Have you cataloged metadata attributes required for data privacy?
- Purpose of use: Both the GDPR and CCPA mandate that an entity must describe the purpose for how that data is collected and processed.
- Consent — Do you have a legit purpose or user consent to process data.
- Data subject attributes such as geography, number of data subjects, minor’s data. Applicable privacy rules change based on these attributes.
5. Do you know who consumes data?
Privacy laws require you to maintain all data use/processing activities. Having a proper trail of data consumption helps with recording processing activities. Moreover, 60–70% of enterprise data is never used. These stale data increases your privacy and security risks without adding business value. Tracking data activities helps you identify such unused data assets and delete them, aka data minimization.
6. Have you identified data lineage?
As data moves inside an organization, it gets transformed and merged with other data. Hence privacy managers can’t track the context such as purpose and consent. Data lineage traces the end-to-end journey of data, starting from the ingress source that created the data to downstream users and applications that use and transform data.
7. Have you mapped the data flow?
A good data flow should capture data controls, business rules, and processes that determine the flow of data across the organization.
8. Do you have a documented data ownership structure?
Data owners and stewards play a critical role in defining the proper use of data, data quality, business rules, and compliance controls needed for data. Having data stewards and owners can significantly reduce the effort needed to meet the privacy requirements.
9. Have you mapped the vendor/partner data sharing activities?
Third parties significantly impact your privacy risk exposure. By law, for all data sharing, data received and transfers from outside your organization need to be documented. Additionally, when you implement privacy, this information helps you determine whether you are a data processor or data owner, which determines the type of contracts that you need with a third-party.
10. Do you have a reverse index of users’ personal data?
User personal data indexes help you locate a specific user’s data. Having such a map enables you to address data subject requests (DSARs) - e.g., request for information, request to be forgotten.
These ten questions check foundational blocks of data governance on which you can implement privacy-specific best practices and legal requirements.
If you want to score your privacy readiness, take a quick evaluation (~3 mins). The assessment scores your answers and classifies your organization to the following categories.
< 25 points = Not ready for privacy. Hard to identify privacy vulnerabilities and triaging incidents.
25–50 points = Good start. Reactive to privacy issues and incidents.
50–75 = Privacy ready. Processes can help achieve privacy compliance but requires manual efforts in executing processes.
> 75 points = Well-prepared. Proactive. You can operationalize privacy with minimal efforts.
Amar Kanagaraj is the founder and CEO of oneDPO, a PrivacyTech startup that applies AI and ‘privacy by design’ to help companies protect consumer privacy. Amar is passionate about building innovative products. Before oneDPO, he was the co-founder of FileCloud, a leading enterprise collaboration solution. Amar has 20+ years of experience in building products, marketing, scaling companies, and leading teams. He has an MBA from Carnegie Mellon, MS from Louisiana State University, and B.E from College of Engineering, Guindy, Anna University.
oneDPO applies artificial intelligence and privacy engineering to analyze massive data and data activities to uncover privacy risks. It helps companies address privacy and data security issues before the issues turn into expensive incidents. Its name stands for one unified privacy technology platform for Data Protection Officers. oneDPO was recently inducted into the National Center of Excellence by the Data Security Council of India. For more information, visit www.onedpo.com.