Earlier this year, I heard a presentation from Adobe regarding the need to create a mammoth repository for customer data. As someone who works in marketing, I could see the business advantages – but as someone who is concerned with data privacy, I immediately saw the red lights flashing.
The fact is, today we often have a free flow of data between systems and data repositories. And for many, at each layer, there are different protections and governance of data. Given this, it was time to solicit CIOs thinking on data privacy in the digital age. Their wisdom should prove valuable to CIOs and data privacy professionals alike.
What role does architecture need to play in protecting the privacy?
Former CIO Tim McBreen started the conversation by saying, “architecture and data governance programs are foundational to data privacy. Architecture ensures there is segregation of data and the ownership of data is maintained across multiple business solutions, users, and customers. Data buses and regulatory should be managed and layered.
"This allows for plug and play. Architecture must cover both analytic and operations worlds from ownership through usage. This by necessity includes privacy and associated security by roles and segments. We used to show the architecture with a rubrics cube. You need today to balance and line up each piece of data area within the data side of cube. Then make sure they are aligned with the other sides of the cube.”
CIO Milos Topic agrees and believes that “architecture needs to ensure connectivity, redundancy, and reliability design. Data architects today need to go beyond that and ensure uniformity across systems in data sharing and integrations.”
For this reason, CIO David Seidl suggests that “in a textbook, I'd have this on a chart where architecture, processes, policies, governance, and technical capabilities are all balanced to protect privacy. Capabilities, maturity, and similar factors all influence each of these.”
Paige Francis agrees when she says, “smart architecture ensures low redundancy in data gathering, storage, and, most importantly for security and privacy concerns, access. Fewer access points represent fewer opportunities for security incidents.” With this said, CIO Melissa Woo suggested that “many still do not understand the difference between data privacy and data security.
My opinion is that they are driven differently – information security is driven by risk management whereas privacy is driven by compliance.”
Where are the biggest gaps today for organizations ensuring data privacy?
CIO Martin Davis believes, “one of the first gaps is organizations recognizing what data they actually have! This may sound a bit silly, but you would be surprised by how many don’t really know.”
CIO Joe Sabado says as well, “it is essential that you know where your data exists. You can’t protect data/assets if we don’t know where they are.” For this reason, Topic says it is essential to “identify and classify all of your data as the first step to data privacy. You first need to know what you have and where it is before proceeding further.”
Meanwhile, Seidl suggests, it is critical to get a firm grasp of ethical standards and practices, and what your firm is willing versus able to do with data. Understanding the legal requirements, then talk technology and implementations.” Seidl continues by saying, “there is a huge issue with the variety of legal structures (and lack of the same) that are there.
Organizations can't easily fix this, but really, that's massively impactful. At the same time, the balance point between having data, using data, and privacy is something that takes a lot of thought. Organizational ethics, business models, and the benefits of having/using the data and the dangers of the same are a hard thing to grok.”
McBreen agrees and says “understanding what data privacy is and what it encompasses. Similar to security you have to understand roles and categories of owners, users, and consumers. Then you have to look at industry, federal, and state regulations. Now move onto rest of gaps.”
Are Uber customer data repositories at odds with privacy legislation?
Seidl believes, “this is way more than about access limitations. It's the entire data gathering, storing, removal, and lifecycle process. Privacy legislation is a huge mess in the US, and only getting more challenging, and if you're a multinational it's even harder.’
McBreen agrees and suggests “there are conflicting needs/requirements. It gets complicated. There is, also, a cost versus liability issue. Similar to security you have to make sure your privacy coverage is affordable otherwise you could spend your entire IT budget on data privacy and security matters. Unfortunately, few companies are still putting in the effort to even have a data governance let alone an automated policy driven one. Then you have to make sure you can evolve policies on a timely basis, so we aren't using 2020 data with 1990 rules.”
Given this, Davis believes “this is a complex issue and the mix of data residency, various privacy legislation, compliance etc. plus which countries you serve and their individual requirements.”
Should there be limits upon data use?
Seidl says the answer should be yes. “What sort? That gets interesting. Ethical, legal, and some hey, is that even a good idea question. This is one where I hope that organizations make good decisions, so laws aren't needed, and have very little confidence in that being the reality.” Enterprise Architect Ed Featherston believes "this all goes back ethics and compliance.”
Meanwhile, Topic suggests the potential for an invasion of privacy remains a real concern.”
What role can CIOs play in helping to balance the fair use of data with customer data privacy?
Davis claims that the CIO must help drive the right approaches along with the data owners and the CISO. Topic agrees and says the CIO “can lead the conversation and institute changes and standards.”
In Michelle Dennedy’s book she claims, “CIOs and IT have an important role in delivering data privacy. Privacy engineering is dependent on IT both for implementing privacy policies by means of privacy rules and for securing data. It is impossible to control access to data stored in IT systems if those systems and their physical environment is not adequately secured. Therefore, it is particularly important that the privacy function is closely aligned with IT and information security.” (The Privacy Engineer’s Manifesto, Michelle Dennedy)
Data Privacy: Parting Remarks
It seems clear that the data privacy agenda will only grow as the digital age continues at warp speed. I remember hearing Target’s CIO say a few years ago that another massive hack will end their business franchise.
With so much riding on data privacy, it is clear that CIOs and their IT organizations will need to get their act together on privacy or risk everything. The digital age which is founded upon data needs to start by governing and controlling access to data.
ABOUT THE AUTHOR:
Myles Suer is #CIOChat Facilitator, the #1 CIO Influencer, a Top 100 Digital Influencer, and Head, Global Enterprise Marketing, Boomi.