Laura’s meeting with the Board and other C-suite executives will start in 30 minutes. Everyone is expecting her to showcase how her office is addressing the company’s data problems.
Her first two years in the company were strewn with challenges. At first, she was very optimistic about her new job because she had several years of experience in both analytics and marketing. So when her good friend –– who happened to be the firm’s first Chief Data Officer –– left the post in 2016, she grabbed the opportunity.
“You sure you want it? It won’t be easy,” her friend, Adam, said. “You’ll need to govern every piece of data coming in and out of the organization, wire different sets of data, squeeze value out of them, and convince the higher-ups that you’re doing everything right. And you’ll also need patience when dealing with data-illiterate persons — there are many of them and they might consider you a spoilsport for simply doing your job and ensuring data compliance.”
Adam was right; the job was not easy, and it was riddled with complexities.
Dealing with Compliance Complexities
“So how was your first month on the job?” asked Adam when they bumped into each other a few weeks later.
“You were absolutely right,” sighed Laura. “It’s even more complex than I expected. I thought my daily breakfast would be a loaf of value creation, two cups of cost savings and efficiency, and just a tablespoon of risk mitigation. But the company’s unbelievable data compliance problem overwhelmed me. The GDPR was my welcome cup of coffee.”
“Tell me about it. So when are you resigning? I’m kidding!” said Adam.
Two years later, Laura is still the company’s CDO. One of her main areas of focus in her initial years was data compliance. She found that, year over year, their organization was likely to experience an increase in the total number of compliance requirements for the privacy and security of their enterprise data. And dealing with every compliance requirement is not easy, because multiple types of data and data-related processes are subject to those requirements.
She knew that as the CDO, she was also responsible for implementing data privacy policies and ensuring data security. To be effective in that role, she needed a good grasp of every type of data that their company collects and processes. This would also enable her to clearly define ethical guidelines for data usage and collection. But this is easier said than done. Their company, which caters to different sectors, including the healthcare industry, collects and houses more than 3 types of data –– including employee records, personal health information, and cardholder data –– and more than two types of data-related processes –– such as HIPAA and Privacy Shield Framework.
“I knew it would be complex. But I can’t believe that despite being in the industry for almost 30 years, our company is still immature in terms of achieving and reporting data privacy and security compliance,” she thought as she scanned the company records, looking into how their enterprise approaches data compliance.
A Big Source of Frustration
Another thing that perplexed Laura was that despite their high levels of investment in compliance, their organization was neither fully compliant nor fully secure.
“Seriously? 30% of our IT OpEx goes to reporting and certification of data privacy and security?” she asked David, the company’s compliance officer.
“Well, I think that’s reasonable,” retorted David.
“Yet we’re still unable to become fully compliant. And look, according to our records we experienced various data breaches and faced many other compliance issues in recent years despite the huge amount of money we had allocated to data protection, security, and compliance. Unbelievable,” she exclaimed.
“I know. On our end, we are doing our best to ensure our systems are running like clockwork to guarantee data security and protection,” replied Liam, the firm’s CIO.
“Do we employ encryption? What about tokenization?” asked Laura.
“Yes to encryption; but we’re still evaluating the feasibility of implementing tokenization,” said Liam.
Her meeting with David and Liam prompted her to dig deeper into their company’s approach to data compliance. She felt the urgent need to level up their strategies and look at data compliance holistically. But before she formulates a solution and presents it to the Board, she must first look into the current state of their enterprise data privacy and security compliance and the potential consequences if they don’t revamp their compliance strategies right away.
Here’s what Laura found out:
Their company has a low level of maturity in its existing data capabilities. For one, they are still employing traditional and stiff data protection strategies –– perhaps one of the reasons they can hardly keep pace with changes in compliance requirements. They need to create a future-proof data protection and security strategy.
In terms of data integration, it seems that they are looking at it simply as a prerequisite to value creation. They implement integration tools that are only focused on data amalgamation and warehousing; data compliance was almost out of the picture because they think that it goes under the data privacy and security umbrella. They don’t seem to be aware that poor data integration strategies can result not only in poor decision making, but also in noncompliance.
Sad to say, in terms of data protection and security compliance, they are being left behind not only by their competition but by attackers, too. They need a data governance and management overhaul. They need to supercharge their data capabilities with technologies that can scale with their changing data governance and management needs and empower them to develop and streamline all of the elements of the data lifecycle.
She knows that it will be very challenging to radically transform the entire organization into a data-centric enterprise. Data illiteracy and resistance to change are the main hindrances to achieving her goals.
“Meeting starts in 10 minutes,” her digital assistant alerted her.
“It’s time to reconsider our approach,” she murmured to herself as she hurried toward the conference room.
According to Aberdeen’s latest research report, in partnership with Liaison Technologies, the current state of privacy and security compliance for enterprise data is exceedingly complex, surprisingly immature, and disappointingly ineffective. Complexity, costs, and consequences make a compelling case for reconsidering your approach to managing your data and data-related processes, across key elements of the enterprise data lifecycle.
Download the report to learn how businesses navigate privacy and security compliance and what key factors influence enterprises’ ability to comply with various data regulations and standards. You might be surprised to see where you stand.