Data Governance

What do data mining, analytics, and marketing all have in common? They all require the collection of information. You’ll often hear buzzwords like cookies, big data, data mining, machine learning, and artificial intelligence. One that has grown in importance is data governance. Data governance is a collection of processes, roles, policies, standards, and metrics that ensure the effective and efficient use of information – in essence, it ensures that user information is no longer collected irresponsibly or misused.

Since 2016 there has been sweeping legislation regarding the collection of, use of, and access to personal information collected by businesses. Prior to these regulations there was little to no governance over how user information was collected or distributed.

Some people will tell you to collect all the information you can, regardless of what it is, because ‘you never know when you might need it.’ That creates two issues: (1) you have an overabundance of information requiring more storage and processing capability than you actually need, and (2) you have shown that you do not have a disciplined marketing strategy. A third issue arises with regard to data governance – as a business you have an ethical responsibility to collect only the information that you need and to manage it appropriately.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is an EU regulation that governs the collection of information related to anyone in the EU. While many companies may not do business in Europe, those that do, or plan to do business with any member of the European Union, must comply with the GDPR. The GDPR outlines seven protection and accountability principles for anyone who processes information gathered from EU citizens.

  1. Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
  2. Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
  3. Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
  4. Accuracy — You must keep personal information accurate and up to date.
  5. Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
  6. Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Accountability is one of the most important principles of the GDPR. You must be able to actively demonstrate GDPR compliance. A good rule of thumb is that if you think you are GDPR compliant but cannot show how, then you are not GDPR compliant. You can demonstrate compliance by:

  • Assigning data protection responsibilities to your team.
  • Maintaining detailed documentation.
  • Training your staff in the appropriate measures.

You have likely noticed many websites with pop-up boxes informing you that they use cookies to collect data. These same boxes often request your consent to collect that data. According to the GDPR, consent must be “freely given, specific, informed and unambiguous.” People have the ability to withdraw previously given consent at any time and to request that their data be removed. Not only can they make these requests, but data processors must honor the users’ decision.

Non-Compliance

The GDPR can impose fines of up to €20 million (roughly $20.3 million) or 4 percent of the company’s worldwide turnover for the preceding financial year, whichever is higher. From 2019 to 2021, the fines assessed amounted to over $500 million. Amazon was fined €746 for improperly sharing and collecting personal data via cookies. Had Amazon simply obtained “freely given”, informed, and unambiguous opt-in consent, this fine could have been avoided.

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California. The CCPA is similar to the GDPR – its purpose is to give consumers more control over the personal information that businesses collect about them. The CCPA gives consumers:

  • the right to know about the personal information a business collects about them,
  • the right to delete personal information collected from them,
  • the right to opt-out of the sale of their personal information,
  • the right to non-discrimination for exercising their CCPA rights.

It is important to note that these rights are afforded only to California residents. However, any business that wishes to do business in the state of California must abide by these laws.

The CCPA requires that businesses notify customers of data collection, typically done through a privacy policy. The privacy policy should also include information on the consumers’ privacy rights and how to exercise them.

Non-Compliance

The maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. As with the GDPR, compliance is not optional and neither is ignorance – whether you meant to violate someone’s rights or not, you are responsible for your use of their data. In the event of a data breach, fines can range from $100 to $700 per consumer. Even unintentional violations can add up to significant fines for most businesses.

Companies like Amazon, Zoom, and TikTok are already under investigation for CCPA violations.

Data governance has become necessary in the wake of decades of careless information management – from numerous data breaches to companies irresponsibly collecting user data. Aside from the ethical reasons to collect user information responsibly, there are also practical marketing and business benefits. Collecting only the data that you need reduces your need for expanded storage and excess processing capacity, and demonstrates a well-defined set of business marketing goals.

This article should not be taken as professional legal advice. It is provided for informational purposes only. For professional legal advice, it is recommended that you contact an appropriate attorney.