The bad news continues to mount for Facebook in the wake of its massive data scandal. Trust in Facebook's data handling has tanked, with just 27% of people now thinking Facebook would protect their privacy compared with 79% last year, a study by the Ponemon Institute found. Two days of Congressional testimony by Facebook CEO Mark Zuckerberg this month failed to restore trust in the social network's privacy and calls continue to mount for more reforms.
The Facebook debacle has put data privacy and policy front and center in the minds of consumers and lawmakers—at least for now. But just weeks before the Facebook news, a data breach affected 880,000 payment cards from online travel site Orbitz and FedEx faced a breach of 112,000 customer records. The Facebook breach wasn't a de facto security breach but was instead a breach of trust.
Going forward, Facebook's policies around consumer privacy and data will no doubt receive intense scrutiny. And they should. As a social media site, Facebook has almost unprecedented access to consumer data and has long nurtured a broad ecosystem of data collection by third-party application developers. Most enterprises aren't set up that way but even the stodgiest of companies today are collecting more and more data about consumers and customers.
As the Facebook example underscores, organizations that are entrusted with customer data hold an obligation to govern that data well. That means more than just keeping data secure. It means having thoughtful and comprehensive policies about how data is managed, shared and used.
Setting up and carrying out good data policy is not easy. In many companies, data is still stored in silos, in separate departments or in public or private cloud environments. That's why it is critical to bring data and policy together so that data policies sit with the very data itself, wherever that data lives.
While every enterprise will face unique data policy challenges, there are four key characteristics that all good data policies include. Good data policies need to be:
- Granular. This is where the nitty-gritty comes in to protect data and consumer and customer privacy. A granular data policy is a policy that covers all the bases. What data is to be encrypted? What data is to be redacted so that some is hidden while other data is not? How tight are access controls? Today's leading database technologies enable access controls that ensure that employees have access to do their jobs and nothing else. For instance, an HR employee may access employee home addresses but not salary information. Granular policies will also describe what happens to data acquired as part of a merger and how long data should be kept around. FedEx's February breach involved records—on an unsecured server— that dated from 2009 to 2012 and belonged to Bongo International, which FedEx bought in 2014. The data had been archived, FedEx says, and was part of a service that was discontinued after FedEx purchased Bongo. FedEx says no data was misappropriated. But the fact that the data was in an open bucket, and discoverable by a security research firm, is a good indication that it wasn't being tended to properly. Granular data policies leave nothing to chance.
- Flexible. While data policies need to be granular, they also need to be flexible to accommodate new and evolving data types, as well as shifting regulatory requirements. The financial industry, for instance, has to track dozens of rule changes a day. For policies to remain effective and up-to-date, they need to be changeable. With all data centralized in a data hub, policy updates can be made more often and more easily. With data in a data hub, enterprises can also simply take data in as it is—and then form policies after the data arrives. This better ensures that policies match data and it makes data ingestion easier, too. The European Union's upcoming General Data Protection Regulation, which affects any company dealing with data of EU citizens, underscores that privacy policies now have a global reach and will need to be updated.
- Universal. In today's data-driven economy, data gets combined with other data to produce new data that provides valuable insights into consumers or markets. To get the best intelligence out of data, enterprises will want to merge data from multiple parts of the company and probably from outside sources, too. This leads to data sharing. For data to be appropriately shared, data governance policies need to be universal enough that every entity abides by the same high-level set of rules. Here again, a data hub is useful. Via a hub, enterprises can set universal policies that can also be granular enough to meet independent departmental needs.
- Comprehensive. A comprehensive view of data includes policy, security and privacy. Security needs to not only be strong enough to protect against hackers, but also stringent enough to ensure that data is only available to authenticated and authorized individuals. Privacy includes data owners being able to make decisions on access rights and controls. As part of GDPR, consumers can demand to be “forgotten” for instance. Policies also need to stick to data even when data moves around the globe, traversing systems and machines. Because data can escape beyond protected network perimeters, it is imperative that policy and data travel together. That way, if there is a perimeter breach, the data is still secure and still attached to the policies that govern who can access that data.
Ultimately, companies that do not adequately protect consumer and customer data will suffer the same loss of trust as Facebook has. That's where another factor comes in with data governance: is it cost-effective? One breach is evidence enough that good policy—and good policy that is consistently implemented—will pay off.