British Airways Fine Puts Sensitive Data Governance Back on the Front Burner

Come on, admit it. You were kind of hoping it would all just go away, right?

It’s a sentiment more than just a few individuals have shared with me over the past couple of years.

If it wasn’t already clear, this week’s news that British Airways is facing a nearly $230M GDPR-related fine made it so: the need for sensitive data governance isn’t going away. As TechRepublic reporter Mark Kaelin wrote, “Compliance is not optional.”

The fine British Airways is facing, the largest GDPR penalty proposed so far, stems from a 2018 breach that exposed the payment card details of many of its customers.

The news does not bode well for the 50+% of organizations still struggling to comply with GDPR (according to the International Association of Privacy Professionals), even as they are hit with new regulations such as the California Consumer Privacy Act (CCPA), which officially takes effect this January. According to Dimensional Research, only 14 percent of U.S.-based companies are ready to comply with the CCPA, and 44 percent haven't even begun implementation.

Will organizations straighten up their act in time? Not if GDPR taught us anything.

Offenders Can’t Bank on Overtaxed Regulators

Granted, EU organizations have reportedly experienced some 60,000 data breaches through January (per DLA Piper), while only about 100 fines were issued. Clearly, regulators are overtaxed, but businesses should not expect to slip through the cracks forever.

This was underscored in January when France's data regulator, the National Commission on Informatics and Liberty (CNIL), fined Google €50 million ($57 million) for failing to properly inform users how data is collected across its properties, including Google.com, Google Maps and YouTube, to serve personalized advertising.

While that was the largest GDPR penalty actually imposed until the British Airways announcement, larger fines are sure to follow.

Regulation is Here to Stay with More on the Way

GDPR and the CCPA are just the beginning as public opinion against the indiscriminate use of personal data begins to take hold. More governments are sure to follow suit.

Plus, there are the myriad industry rules many organizations must adhere to anyway. The payment card industry, for example, has PCI DSS, a contractual standard rather than a law, which defines how cardholder data must be stored, transmitted and protected. The medical industry has HIPAA. Regulation will only become more complex as the sources and nature of data change, so it would behoove organizations to accept it now as a growing fact of life. The shift is on: customers everywhere will likely end up with full control over their own data.

Governance: A Near-Impossible but Critical Undertaking

The problem, of course, is the sheer enormity and complexity of the task.

Governing an organization's mountains of sensitive data, or even knowing what sensitive data exists and where it lives within the enterprise, isn't easy. Data classification is hard to accomplish, and it rarely happens reliably given the volume of data that must be discovered, especially when the task is left to business users.

A large health care provider stores 4.1 billion columns of data. A financial services company ingests more than 10 million data sets per day. As the data pours in, only a small percentage of it, the so-called Critical Data Elements (CDEs), is tagged, in a painfully slow and error-prone manual process that leaves most data miscategorized, lost or still waiting to be discovered, and impossible to track. Most companies have between 100 and 200 CDEs, while the CCPA covers any data you hold about your customers: typically thousands and sometimes millions of data elements, depending on your business and how the data is organized and represented.

It’s a near-impossible undertaking for today’s enterprises and one reason why so many big data initiatives have stalled and continue to lag behind in compliance.

Automation in Governance: An Underused Godsend

The good news is automation in this area can accelerate discovery of massive amounts of data and the subsequent governance of that data. The problem is most organizations still haven’t even completed this crucial first step.

At the most recent Catalyst Conference, speaker Gartner analyst Sanjeev Mohan seemed stunned to discover that most of his audience of data professionals didn't know such automation capabilities existed.

Some organizations are therefore still reacting to regulations like GDPR and the CCPA by quarantining large volumes of data and restricting access to it. But treating all data as sensitive, including data that isn't, means business analysts must submit formal access requests to understaffed IT groups that can take weeks, if not months, to respond.

As a result, much of that data's value in today's real-time world is lost to this blanket approach.

Right to Erasure Requires Knowing Your Data

Even data that's buried somewhere and virtually inaccessible is still subject to rules like GDPR's right to erasure (Article 17). It requires organizations to delete personal data on a number of grounds, including when the data is no longer necessary "in relation to the purposes for which they were collected or otherwise processed" and, explicitly, upon the data subject's request.

If data is compromised, GDPR requires the organization to notify the supervisory authority within 72 hours and, where the breach is likely to put individuals at high risk, the affected people themselves. Imagine having to explain to a customer who asked to be forgotten, and was told the request had been fulfilled, that their data has been compromised because the company didn't know it was in a particular data set.

But how can you delete specific personal information (let alone prove it has been deleted) if you don't even know where it is? Alternatively, how can a U.S.-based organization that wants to move out of GDPR's purview by discarding EU-based PII find that data in the first place?

These are the questions many businesses are now asking themselves. Since most companies lack a comprehensive inventory of their data, including data in development, test, production, warehouse and backup systems, they keep tabs on only about 10 to 20 percent of their total data estate. This lack of visibility into data lineage also inhibits the organization's ability to pseudonymise or mask sensitive data (a safeguard GDPR explicitly calls for under data protection by design and security of processing) and to keep proper records of processing activities (a separate requirement), including the categories of recipients of personal data, transfers to a third country or international organization, and the processors that handle data on the organization's behalf.
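To make the two preceding points concrete, the automated discovery described under "Automation in Governance" and the "where is this person's data?" lookup an erasure request demands, here is a small added example. It is not code from the original post or from any product mentioned in it. It scans constructed sample datasets (fictitious rows, no real people), tags each column whose values look like e-mail addresses or payment card numbers, and then locates every copy of a given subject's value across all datasets. The card check runs a Luhn mod-10 test so that an arbitrary 16-digit reference number is not misclassified as a PAN, which is exactly the kind of false positive that makes manual tagging "error-prone". Dataset names, column names and the 50 percent tagging threshold are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample datasets (fictitious values, not real people). In practice
# these rows would be sampled from each system's tables, files or backups.
DATASETS: Dict[str, List[Dict[str, str]]] = {
    "crm_prod": [
        {"id": "1", "contact": "alice@example.com", "card": "4111 1111 1111 1111", "notes": "renewal call"},
        {"id": "2", "contact": "bob@example.org",   "card": "5500-0000-0000-0004", "notes": "4111111111111112"},
        {"id": "3", "contact": "",                  "card": "",                    "notes": "walk-in"},
    ],
    "analytics_backup": [
        {"user": "bob@example.org",   "score": "0.82"},
        {"user": "carol@example.net", "score": "0.41"},
    ],
}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"^(?:\d[ -]?){12,18}\d$")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> str:
    """Return a sensitivity tag for one cell, or '' if nothing is recognised."""
    v = value.strip()
    if not v:
        return ""
    if EMAIL_RE.match(v):
        return "EMAIL"
    if CARD_RE.match(v) and luhn_ok(re.sub(r"[ -]", "", v)):
        return "PAYMENT_CARD"
    return ""


def classify_column(values: List[str], threshold: float = 0.5) -> List[str]:
    """Tag a column when at least `threshold` of its non-empty values carry a tag (assumed 50%)."""
    non_empty = [v for v in values if v.strip()]
    if not non_empty:
        return []
    counts: Dict[str, int] = {}
    for v in non_empty:
        tag = classify_value(v)
        if tag:
            counts[tag] = counts.get(tag, 0) + 1
    return sorted(t for t, n in counts.items() if n / len(non_empty) >= threshold)


def build_inventory(datasets: Dict[str, List[Dict[str, str]]]) -> Dict[str, Dict[str, List[str]]]:
    """Map every dataset and column to the sensitivity tags discovered in it."""
    inventory: Dict[str, Dict[str, List[str]]] = {}
    for name, rows in datasets.items():
        columns = {c for row in rows for c in row}
        inventory[name] = {c: classify_column([row.get(c, "") for row in rows]) for c in sorted(columns)}
    return inventory


def locate(datasets: Dict[str, List[Dict[str, str]]], value: str) -> List[Tuple[str, int, str]]:
    """Find every (dataset, row index, column) holding `value`: the lookup an erasure request needs."""
    hits: List[Tuple[str, int, str]] = []
    needle = value.strip().lower()
    for name, rows in datasets.items():
        for i, row in enumerate(rows):
            for col, cell in row.items():
                if cell.strip().lower() == needle:
                    hits.append((name, i, col))
    return hits


if __name__ == "__main__":
    for ds, cols in build_inventory(DATASETS).items():
        print(ds, {c: t for c, t in cols.items() if t})
    print(locate(DATASETS, "bob@example.org"))
```

Run as a script, the inventory reports `contact` and `card` in `crm_prod` and `user` in `analytics_backup` as sensitive, while `notes` stays untagged because its 16-digit value fails the Luhn check; the erasure lookup for bob@example.org returns both the production CRM row and the copy in the analytics backup, which is precisely the second location a manual process tends to miss. A real deployment would add more detectors (national IDs, phone numbers, free-text NER), sample rather than read whole tables, and persist the inventory so that records-of-processing reports can be generated from it.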

Other Challenges Persist

Despite what I believe are, in most cases, an organization's best intentions, it's still very difficult to deliver on consumers' wishes for complete control over their personal information. Implementing consistent governance policies across heterogeneous systems that use different technologies (and are managed by different teams with competing priorities) is a mind-bending challenge for most enterprises. Even with technologies available to assist, other challenges remain.

In NewVantage Partners' latest annual Big Data and AI Executive Survey of blue-chip organizations, for example, only 31 percent of the organizations surveyed reported having succeeded in creating a data-driven organization. What did 95 percent of them pin the blame on? An inability to create a data-minded company culture.

And we all know how easy changing company culture is, right?