Are you tired of the EU General Data Protection Regulation (GDPR) discussion yet? I hope not. GDPR represents a tremendous opportunity to discuss risk management in a much wider context. GDPR, being all about data, is the opening you need to discuss how data fuels your organization.
Why is Data Governance So Important?
With data so widely distributed in today’s organizations, the power of end users is tremendous. Just a simple download of personal data from a central, controlled system into a spreadsheet by a marketing person for a one-time use is a risk. So, not only must you understand where the managed systems containing personal data are, but also the possible outputs from those systems.
Processing activities can be extremely complex. This is where engaging those process owners is critical. First, you need to educate them on the risks; second, you need their help in working out where data flows. Third parties are also a major challenge in this area. Many companies leverage cloud service providers or external vendors for many types of data processing. You must identify these vendors and understand whether they access or process personal data.
Shadow IT, or functional groups working directly outside the scope of IT with external vendors, is a major challenge. Policies, education and better options must come into play. You may not be able to eliminate all the instances where a functional group works with an outside firm – but you can certainly ensure policies and training are in place to educate those groups on the potential risks.
While the discussion with your business may start with personal data, it isn’t a long shot to talk about other elements of data, the importance of data governance and the controls needed to secure all types of data. Once you cross the chasm of discussing data, the opportunity to talk about internal and external threats is open.