MS Publication - A Guide to Data Governance for Privacy, Confidentiality and Compliance

Microsoft recently released a draft guide to Data Governance for Privacy, Confidentiality and Compliance. It is written by Patrick Voon, Senior Governance Risk Management and Compliance (GRC) subject matter expert at Edgile Inc, a privately held consulting firm based in San Jose, California, USA.

This whitepaper is the first in a series that looks at different aspects of data governance. It opens with a brief overview of the entire whitepaper series. It then outlines the threats and challenges that organizations face in this area and looks at the concepts of governance, risk management, and compliance in general. From there, it examines the concept of data governance for privacy, confidentiality, and compliance (DGPCC) in particular. It closes with a brief overview of the objectives and overall process flow for a DGPCC initiative.

I think it's a good guide and is worth reading for anyone interested in data governance and compliance. It is introductory in content, providing an overview of some key drivers behind GRC, the growing importance of privacy controls that supplement security controls, and the relationship between IT governance, compliance, and data governance.

The drivers noted by the paper include:

  • an increasingly complex regulatory environment - the law is becoming more restrictive and broader in scope, affecting many business operations. Organizations will need to align and comply with these changes across the board, including in their IT departments. The governance implication is that some decisions currently made by IT departments should in fact be made by the business, with proper input from compliance and legal teams.
  • consumer and citizen concerns about privacy - Can organizations be trusted to treat private information properly? Do they really do what they say they will do? Who do they share data with? How do they protect against hacking and accidental loss of information? Historically, businesses have considered themselves to "own" customer data. However, in the European Union and elsewhere, legislation has been passed stating that this is not the case.

The paper provides an overview of Governance, Risk Management and Compliance and the relationship between these activities:

"... the need for some kind of GRC approach to maintain the security of confidential data, the privacy of personal information, and related compliance obligations—while also maintaining alignment with business goals—becomes clear.

... In today’s organizations, no single group or entity holds all the relevant knowledge and expertise necessary to achieve this. The necessary knowledge might encompass organizational practices and processes, financial and legal aspects of the business, company policies, and market trends. An integrated approach—data governance—is required."

Data Governance is positioned as the solution to this, providing:

  • protection of data against threats to security and privacy;
  • compliance with applicable legislation and policy; and
  • documented proof of compliance.

The document also provides a set of principles loosely based on the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. (The OECD's guidelines are scoped to international-level privacy considerations aimed at helping harmonise national privacy legislation.)

  1. Honor policies throughout the confidential data lifespan.
  2. Minimize risk of unauthorized access or misuse of confidential data.
  3. Minimize impact of confidential data loss.
  4. Document applicable controls and demonstrate their effectiveness.

As mentioned above, I think it is worth reading, and I'm looking forward to the other documents to be published in the series.