No More Data Excuses
This article originally appeared on Forbes.com as part of Delphix CTO Eric Schrock’s ongoing column. See the original post here.
From the deletion of a decade worth of user data on Myspace and Facebook storing millions of user passwords in plain text to FEMA exposing millions of disaster survivors to identity theft, every industry is coming to terms with its data failures. Today, just one data mishap can cause irreparable harm to your business’ reputation (and some hefty fines too). Although companies have ramped up investment to bolster cybersecurity vulnerabilities, they continue to deal with self-inflicted wounds from their data management approach.
None of the examples above were caused by a malicious actor, and all could’ve been avoided with the proper data practices. In my experience as an expert in the world of enterprise software, I believe that, collectively, it’s time for businesses to stop making data excuses and start embracing data responsibility.
Compliance is not enough.
While we’ve just come up on the one-year anniversary of Europe’s General Data Protection Regulation (GDPR), in general, data privacy laws are still pretty nascent. In fact, despite a growing number of data breaches — more than 60,000 during the first eight months of GDPR — the vast majority of companies are still not being fined for failing to protect consumers’ data.
According to the European Data Protection Board, almost €56 million (approximately $63 million) in fines were levied against companies in the first nine months since the law was enacted. A writer for Slate notes that this feels like a significant figure until you realize that Google received a single €50 million fine in January accounting for almost 90% of that sum (chump change for any tech behemoth).
These are important facts, but not the end-all be-all when it comes to keeping consumers’ data safe. That’s because when it comes to protecting data, attempting to avoid fines does not equate to being a responsible data company. Organizations today can’t wait for legal repercussions to be coded in stone before they do anything since laws are reactionary and will always be playing catch-up to what’s actually happening in the world.
To be a responsible data company, organizations must be on the leading edge when it comes to protecting privacy. They should beat regulation to the punch by becoming responsible stewards of data, with a strong moral, ethical and legal foundation to preserve consumer trust and privacy. This means understanding the privacy implications around consumer data at every turn and even anticipating them before they can happen.
We are at least hearing the big tech companies like Google, Apple and Facebook saying they’re taking steps to do that, but what about everyone else — how can businesses both big and small do a better job handling users’ data? (Full disclosure: Google and Facebook are clients of my company.)
Invest in guard rails.
Responsible data management requires organizational and cultural transformation supported by technology. In order to cut out the excuses and scale data stewardship, companies can implement “guard rails” that limit the opportunity to make mistakes — without stifling the ability to move fast or be innovative.
With the number of breaches that are self-inflicted, it’s clear that too many decisions are made on the fringes of an organization without much oversight. That puts developers in a precarious position, and oftentimes in a hurry to get the latest iteration or update out. They don’t always make the right call — but it’s not entirely their fault when they’re thrown in the ocean without a life vest.
Companies should look out for them by implementing technological guard rails that decrease the chances of accidentally mishandling sensitive data — including automated tools for scanning and masking data, as well as review processes that are baked-in to developers’ workflows. That said, the right technology is just the foundation that allows for collaboration with data. The company must also set the terms for how collaboration will actually happen.
Put data first.
Technology alone is not enough to create a strong culture around data. First, you have to talk about data and how you’re going to handle it. Too many organizations think that more security bells and whistles automatically makes us safer, but how we implement those often goes overlooked.
For starters, data management should not be centralized to one-person or gatekeeper (sorry executives). Doing so puts more ratchets, gates or approval processes behind data. If it takes six months to get approval for access to data, that could be the time it takes to introduce a key differentiating feature that wins over the market. It doesn’t matter how “secure” your data is if you’re out of business.
For a data culture to thrive, I recommend putting data first. How do you determine its business value, risk, mechanisms for gathering, its movement, its uses elsewhere? It’s not just about access to data, but how they use that data. A perfectly authorized person can, for example, use that data access to do things they shouldn’t (imagine a Facebook employee looking at their ex’s private feed, for example). This requires strong data ethics and morals, reinforced through training and guardrails.
That’s where your security, data privacy or compliance teams need to exist to meet this responsibility. The first step is to understand what data you have such that you can come up with policies, and define what's truly going to keep someone from improperly storing information. Hopefully, that means a process that sees them masked before leaving production environments — because if an organization’s security team is making those requests on a case by case basis, that’s already a huge red flag.
The impact around the loss of personal data doesn’t feel as painful as it used it, but before we become completely desensitized we need to remember that companies have a responsibility. Avoiding data breaches is the business cure, but what about actually protecting our customers and giving them peace of mind that when they use our services, we’ll keep their information safe? This is not just good business practice, it’s what’s going to define winners in the data economy. Yes, they will avoid fines, but they’ll also create trust and drive differentiation.