Protecting Data Starts With Good Governance

Whatever the trigger, significant technological and other business changes should never damage your customers' trust in you. This means keeping their personal data safe. In fact, done well, data protection ought to increase confidence in your business. How to get there? It starts, as with many things, with a detailed understanding of the challenges and strong governance around the solutions.

If you are currently accountable or responsible for processing data, you might be feeling the pressure. It can feel as though customers are more demanding and cyber-crime threats are growing daily. However, it's worth pausing to reflect: today, data protection, in general, is increasingly perceived as adding value.

This is backed by survey data. For example, the proportion of German consumers who were sure, or very sure, their data was safe on the internet grew from 13% in 2014 to 29% in 2020. In our cynical world, this improvement feels worthy of celebration.

Alongside this steady improvement, our Governance, Risk and Compliance (GRC) teams are usually involved when our clients are planning or expecting major strategic changes that may directly or indirectly impact data use.

All our work is based on capturing and responding to customer requirements. Each client comes with unique data flow and storage arrangements, for example, and with its own technical and commercial measures of project success in place. Attitudes to risk will also differ. A luxury retail client, for example, might put greater weight on protecting data than its competitors. Harrods of London is famously intolerant of tabloid snooping. Finally, each customer will apply data protection law according to their own interpretation.

Despite this varied and complicated picture, there are enough commonalities across our work and established best practice to share key lessons.

A brief history of data protection

IBM's System/360 hardware arrived on the scene in 1964 as the first real commercial computing solution. Germany's first data protection legislation followed in 1970. In September that year, the Hessian State Parliament passed a Data Protection Act. The next big step in German data protection law came in 1983. The Constitutional Court established fundamental rights of informational self-determination. These state that individuals own, and can control, their personal data.

Other countries' legal frameworks generally followed in parallel. The current EU-wide General Data Protection Regulation (GDPR) came into force in 2018. It should be noted that it's best practice to assume the provisions of the GDPR apply to any organization processing data of EU citizens. We helped a client in Switzerland, for example, keep their German employees' data safe in line with EU law.

If legal aspects of data protection have moved relatively slowly over the last 50 years, the same cannot be said for technology. How much data we share, and how and why we share it, have changed beyond measure. The scale is immense. The world is expected to be juggling 175 trillion gigabytes (175 zettabytes) of data by 2025. For a sense of how big that number is, one hundred trillion seconds equates to three million years.

In the case of our personal data, this all needs protecting and, at the same time, to be instantly accessible. We are now used to using our smartphones to do everything, from paying bus fares and buying coffee to monitoring our health and watching the latest blockbusters. As a result, the technology surrounding data protection has become an incredibly complex landscape.

Why change data protection in your business?

If changing data protection policies and procedures in 2022 is difficult, why do it? A trigger for some is, naturally, a breach of the rules. Examples still regularly reach the press, such as a Dutch airline fined €400,000 for letting hackers download 83,000 customer records. Financial costs aside, the real impact of being caught is reputational. Problems, once identified, need to be taken seriously and improvements implemented transparently. Trust is easily lost and hard to recover.

Change, however, needn't be a response to bad news. NTT DATA's work is often part of positive business planning. We helped a bank modernize, for example, as they moved away from fixed infrastructure to the cloud. The GRC Consulting team often works with clients around outsourcing business processes too. Successful human resource management depends on efficient and secure management of employee data. Organizations wishing to manage customers through third parties also need to carefully consider where and how their data is shared.

In these circumstances, data protection can fall into the trap of defining what can't or shouldn't be done. This view is always an important one to challenge. Rather than acting as a barrier to change, keeping data safe and secure ought to be seen as a valuable addition to improvement.

In the effort to avoid this trap, it can be challenging to know where to start. We recommend beginning by building a data governance framework that takes into account different data processing requirements in an integrative approach.

Start with good governance

It is important to leverage the capabilities of the entire enterprise as you consider the data protection organization within it. Working in silos is best avoided.

It is here where you define your data handling strategy, including setting protection goals and defining roles and responsibilities. You should take into account and supplement specifications and guidelines from various management systems too. Data protection, information security and risk management all need to be involved.

It pays to be pragmatic and balanced. Policies that are too restrictive can be just as damaging to your business as those seen as too lax. This will also depend on how mature your organization is. If it's well-established, a light touch may be all that's required. If you're still at the very beginning of your journey, you may need to prioritize data protection to avoid it becoming an issue down the line. It is often useful to get external help here. Outside eyes can galvanize efforts across different business units and project teams. An external Data Protection Officer might prove a catalyst.

Whatever your starting point, with a strong data governance framework in place, you're well on your way to keeping data safe in the long run. What's more, your customers, colleagues and the wider communities you work with will have greater confidence in you. Building and extending trust is always the goal.

This article has been reprinted with permission from the CXO Magazine website.

Eva-Maria Scheiter
Vice President GRC Consulting, NTT DATA DACH