Almost everybody working with personal data will be aware of the glut of legislation, worldwide, that is seeking to protect consumers against the abuse of their personal data.

In Europe, GDPR; in South Africa, PoPI, in Nigeria, DPR; in California, CCPA…

Around the world, data laws are changing to promote the ethical use of consumer data. In many cases, corporations are responding with a focus on the security implications. Yet, data protection is about much more than security.

What other data management capabilities are essential to compliance/

Data profiling and discovery

“Before you secure your data, you have to
know your data. You have to know what data
you have, where you have it, why you have it
and how you use it”

Brian Boyd, IAPP (International Association of Privacy Professionals)

Many organisations struggle to understand what personal data they hold, where they hold it and for what purpose. Even structured data (data stored in databases) may not be as it seems, as information is often captured in unintended places., We must also consider unstructured data (e.g. email, files, biometrics) , big data, and cloud data the problem definitely requires a specialist capability as manual approaches cannot succeed.

Process register

“What do processes have to do with data?” you may ask.

Data protection regulations such as PoPI and GDPR place limitations on the processing of personal data. A process register is a good way to understand what business processes use personal data, for what purpose, where data is stored etc. Your process register should link business processes to systems, to conditions and restrictions for lawful processing, to responsible parties, and so on.

The process register helps to define the scope and priority of your data privacy initiative

Data policies

Linked to the above – what policies do you have defined for the lawful processing of data?

Most regulations limit the capture and storing of personal data to specific, agreed business purposes. Your policies help to define what data is necessary to achieve your business purpose, what additional purposes (e.g. advanced analytics or marketing) you may wish to use the data for, how long you may retain it, etc.

Data policies should stretch across enterprise siloes to ensure the needs of all business areas are considered – for example, including feedback from marketing and risk. Data policies define the ethical use of data, agree accountability, and provide a framework for engagement with new and existing customers, suppliers and staff.

Data quality and a single customer view

One of the biggest challenges facing most corporations is the need to provide data subjects with access to the information held about them.

Information is frequently scattered piece meal across multiple systems and business units, often with no real link. Data quality helps to link these disparate records into a consistent view that can make this requirement easier to meet. Data quality is also a requirement in its own right as data protection seeks to ensure that data subjects are not prejudiced by poor quality data

Data stewardship

A key focus of most data privacy regulations is the need for accountability for personal data.

Accountability can be traced to stewardship.

Data stewards may help to define data policies, execute data sharing agreements, perform Compliance Assessments, or may be responsible for managing the consequences of a data breach.

We may not call our stewards by that name – they may be Data Owners, Data Protection Analysts, IT Security or Data Quality specialists, Line of Business Managers, or part of the Legal or Risk teams.

The data stewardship function needs to drive and coordinate the entire data protection capability.

Data governance is the foundation of compliance with data protection.