This time of year is traditionally the time we declutter our homes and remove what we don’t need. Sonia Cheng explains why the same principle should apply to data, particularly as the pandemic has led to the accumulation of data from new sources.
Spring is in the air, which means it’s time for the annual ritual of cleaning house. As an information governance and privacy professional, spring cleaning always reminds me of the parallels between a well-organised home and well-kept data.
I often think of Marie Kondo’s philosophy that we should only keep items that spark joy and discard the rest.
Really, corporate data is no different. Sensitive information that is left to collect cobwebs in dark corners becomes decreasingly valuable and increasingly risky over time. But data that is ushered through its lifecycle in a mindful, compliant way can deliver tremendous usefulness and value to an organisation. Given the explosion of information volume, diversity and dissemination that has taken place over the last year due to COVID-19, work from home and digital transformation initiatives, most organisations are overdue for a data deep clean.
The IAPP’s recent Privacy Governance Report found that by late 2020, roughly half of organisations across industries had started collecting COVID-19-related information—such as biometric data, health updates, travel history and contact tracing—from employees to ensure safe workplaces. This is a significant shift in the types and quantity of data organisations are collecting and storing, yet approximately half of those collecting this kind of information have not conducted a data privacy impact assessment or other analysis of how this implicates their legal and regulatory risk.
At the same time, most organisations have been forced to accelerate digital transformation initiatives and quickly deploy systems to facilitate widespread work from home. This has meant rapid operational and technological change, which has created new sources of data and the potential undermining of existing data privacy policies and controls.
Leaving new data sources and risks unattended—or letting the clutter pile up until a problem arises—can result in dire consequences. If data subjects and employees are expected to comply with health screening, contact tracing and new modes of communicating and doing business, they must be able to trust the entities controlling their personal information. This trust can be undermined in the absence of strong privacy safeguards.
So, what are some of the key steps to take to get data organised as part of spring cleaning?
The first is to conduct a data privacy assessment to understand what data exists and where, which systems have privacy implications, and where there are gaps in current policies and practices.
This is analogous to taking stock of everything you have, so you can determine what you no longer need (i.e. that old tennis racket, or a 10-year-old box of backup tapes) and perhaps which items you might need to take better care of (such as a family heirloom buried under months’ worth of junk, or employee health information spread over dozens of email accounts).
As part of this effort, data privacy professionals should be thinking about how the findings from the assessment connect to broader business priorities—including the substantive risks to the business, how they can be mitigated, how much proposed solutions will cost and whether stronger data privacy will help drive business value.
Freshening up your technology is another practical cleaning house activity. Regulators are paying increasing attention to the systemic controls companies have in place to protect sensitive data, and privacy-enabling technologies are an important part of that.
Broadly, technology solutions for privacy fall into three categories: privacy management software that supports and demonstrates overall regulatory compliance; tools that support consent and preference management; and data discovery capabilities to help identify sensitive information across the organisation’s environment. Examine your organisation’s needs in all three of these areas and begin making decisions about which new “cleaning supplies” you might need.
It’s also important to address data living on legacy systems and backups. Just as you might start spring cleaning by filling up boxes of old items you no longer need, focus data privacy initiatives on the low-hanging fruit of old data that is obviously no longer in use. Disposing of legacy data can help build momentum for more ambitious data organising and remediation projects.
Also like spring cleaning, data privacy can’t be viewed as a one-and-done endeavour. Clutter will inevitably accumulate again, and new types of messes will be made. Programmes (and company culture) must be built to ensure data privacy risks are continually monitored over time, throughout the entire data lifecycle.
This spring, most people will still be under some degree of COVID-19 restrictions, leaving extra time at home for deep cleaning and clearing out old clutter. Privacy, legal, compliance and IT professionals can take this as inspiration for ways to apply the same sentiments to their organisation’s data. Ultimately, data privacy forces us to really think about what information we’re collecting, why we have it and whether we really need it, so that we can “spark joy” in the form of strong compliance and trust among customers, partners and employees.
Sonia Cheng, senior managing director, FTI Technology