In recent months elevenM has been inundated with requests from organisations looking for help on strategies to reduce their data holdings, particularly personal information. The businesses making these requests sit across the spectrum — including finance, retail, aviation, healthcare and government.
After decades of frenetic data accumulation, and in the wake of major data breaches such as Optus, Medibank and Latitude, it’s clear there’s been an awakening in corporate Australia to the risks of holding too much data.
With this in mind, many businesses are now on a mission to slim down their data inventories and improve data governance.
In this blog, we’ll lay out how businesses can respond to this trend.
Data housekeeping: time to clear out the attic
Data governance is akin to the household management of the possessions we accumulate over time. Some remain essential, while others get stowed away in a dusty corner of the attic to be dealt with and decluttered at a later time (which often never comes).
As many businesses increasingly acquire and utilise data for new capabilities and efficiencies, this data can accumulate in the manner of household clutter.
Like an attic, much of the data held by organisations sits out of sight, while day-to-day data management activities only address surface data. Meanwhile, large amounts of data sit archived in legacy systems, no longer holding much value and, even worse, sitting as a dormant risk.
Apart from compliance issues, poor data management has the potential to cause real harms to individuals (and lead to class actions). While good privacy practice and strong security measures protect your data, good data governance ensures you’re only keeping what you need, making your data more accurate, reliable and user friendly. Besides, who doesn’t love a tidy home with everything in its place, neatly organised, decluttered and disposed of when it’s no longer required?
The importance (and value) of good data governance
About 80% of Australians place a high importance on how their data is collected, used, and protected when choosing a product or service. Coupled with increased civil penalties for serious and/or repeated privacy breaches and privacy law reform, our clients are redirecting their focus towards data management, giving data governance and information management greater prominence.
One of the interesting things we’re noticing is that the requests for help with data governance that we’re receiving are coming from different parts of the organisation. Privacy teams, chief information security officers, IT teams and chief data officers are all now seeing how improved data governance supports their individual objectives — including preparing for upcoming privacy law reforms, reducing the risk of data breaches, achieving cost savings associated with efficient storage, and improving data quality in support of better data analytics and innovation.
Teams that can often be fragmented are finding unity in data governance.
Where to start? 3 steps to address data governance
Stepping into the world of data governance can seem a complex and daunting task, but it doesn’t have to be. Here are three things you can do to start improving data governance within your organisation.
1. Data minimisation
We’ve all been guilty of collecting and keeping things ‘just in case’ they come in handy at a later time, but hoarding large amounts of data, submerged in legacy systems and forgotten about over time, creates unnecessary privacy risks.
The Australian Information Commissioner and Privacy Commissioner Angelene Falk said Australian organisations should “make sure that they are only gathering personal information that is necessary to carry out their business.” As elevenM director and privacy practice lead Melanie Marks recently highlighted, data minimisation means fewer records exposed in the event of a data breach. The more data you harbour, the more data you have that is subject to privacy and cyber security risks.
2. Data processing inventories (DPIs)
Organisations should review their existing data holdings, because ‘you can’t protect what you don’t know’. A DPI gives you visibility of the size and depth of data held by your organisation. Consider your data’s lifecycle — what data do you hold, collect and create, and for what business purposes? Where is it being stored and processed? How is it secured, and what happens when the information is no longer needed? Having a good DPI as part of your privacy and data governance program is increasingly important to meet regulatory requirements. You can read our five-part blog series on Data Processing Inventories (DPIs) to learn about their importance and how to go about developing, implementing and maintaining your DPI.
3. Retention and disposal: translating old methods for data-rich environments
The tools traditionally used to manage the routine disposal of information have failed to keep pace with our changing technological landscape. Retention policies and schedules often fall short of establishing rules that specify which steps are authorised on expiry of a retention period — should it lead to deletion? Archiving? De-identification? There is a disconnect between the rules and their actual implementation in systems.
To tackle these challenges, we are seeing a convergence of what might be regarded as traditional information management and recordkeeping models with data governance. This means designing retention and disposal rules in ways that take account of the specific needs of data, and that integrate with other controls such as de-identification frameworks. It means using the results of data processing inventories to target higher-risk data holdings when prioritising the implementation of retention and disposal rules. And it means recognising that data, like all the other forms of information made and kept by an organisation, is a valuable asset that requires active management.
Current proposed Privacy Act reforms include a proposal that organisations specify both minimum and maximum retention periods in their retention policies or schedules, meaning that the regulator will be putting the onus on organisations to proactively dispose of eligible information.
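To make steps 2 and 3 concrete, here is an added Python example (it is not elevenM’s code and not part of any product described here) that ties a small data processing inventory to a retention schedule. Each rule carries a minimum and a maximum retention period and an expiry action that a system can actually execute (delete, archive or de-identify); a rule whose expiry leads only to a vague “review” is rejected, holdings with personal information that no rule covers are reported as a governance gap, and expired holdings are listed highest-risk first. Every dataset, data class, retention period, risk rating and the date used as “today” is constructed for illustration; the periods are not legal advice.

```python
from dataclasses import dataclass
from datetime import date

# Added example, not elevenM's code. All datasets, classes, periods and
# risk ratings below are constructed; retention periods are illustrative only.

VALID_ACTIONS = {"delete", "archive", "deidentify"}
TODAY = date(2024, 1, 1)          # constructed reference date for the run


@dataclass(frozen=True)
class DpiEntry:
    """One DPI line: what is held, why, where, whether it is personal, how risky."""
    dataset: str
    data_class: str               # links the holding to a retention rule
    purpose: str
    system: str
    contains_personal_info: bool
    risk: int                     # 1 (low) to 5 (high), assigned by the privacy team
    created: date                 # start of the retention clock for this holding


@dataclass(frozen=True)
class RetentionRule:
    """A rule with a minimum (may not dispose before) and a maximum (must act by) period."""
    data_class: str
    minimum_days: int
    maximum_days: int
    expiry_action: str            # one of VALID_ACTIONS, never a vague "review"


def validate_rule(rule):
    """Return the reasons a rule is too unspecific to be implemented in a system."""
    errors = []
    if rule.expiry_action not in VALID_ACTIONS:
        errors.append(f"{rule.data_class}: expiry action {rule.expiry_action!r} is not an implementable step")
    if rule.maximum_days <= 0:
        errors.append(f"{rule.data_class}: no maximum retention period set")
    if rule.minimum_days > rule.maximum_days:
        errors.append(f"{rule.data_class}: minimum period exceeds maximum period")
    return errors


def evaluate(entry, rules, today):
    """Classify one holding as no_rule, retain (inside the minimum), eligible or overdue."""
    rule = rules.get(entry.data_class)
    if rule is None:
        return "no_rule", None
    age_days = (today - entry.created).days
    if age_days < rule.minimum_days:
        return "retain", None
    if age_days > rule.maximum_days:
        return "overdue", rule.expiry_action
    return "eligible", rule.expiry_action


def disposal_worklist(inventory, rules, today):
    """Holdings whose period has expired, highest risk first, overdue before merely eligible."""
    work = []
    for entry in inventory:
        status, action = evaluate(entry, rules, today)
        if status in ("eligible", "overdue"):
            work.append((entry.dataset, status, action, entry.risk))
    work.sort(key=lambda w: (-w[3], w[1] != "overdue", w[0]))
    return [(dataset, status, action) for dataset, status, action, _ in work]


def uncovered_personal_info(inventory, rules):
    """Personal-information holdings that no retention rule covers: a governance gap."""
    return sorted(e.dataset for e in inventory
                  if e.contains_personal_info and e.data_class not in rules)


# Constructed retention schedule, keyed by data class.
SCHEDULE = {r.data_class: r for r in [
    RetentionRule("customer_identity", 7 * 365, 10 * 365, "delete"),
    RetentionRule("customer_support", 365, 2 * 365, "archive"),
    RetentionRule("employee_records", 7 * 365, 10 * 365, "archive"),
    RetentionRule("marketing_analytics", 0, 365, "deidentify"),
]}

# A rule of the kind the article criticises: expiry leads only to a "review".
VAGUE_RULE = RetentionRule("customer_identity", 7 * 365, 10 * 365, "review")

# Constructed data processing inventory.
INVENTORY = [
    DpiEntry("crm_customers", "customer_identity", "service delivery", "CRM", True, 5, date(2020, 1, 1)),
    DpiEntry("legacy_loan_applications", "customer_identity", "credit assessment", "legacy mainframe", True, 5, date(2010, 6, 1)),
    DpiEntry("support_tickets", "customer_support", "complaint handling", "helpdesk", True, 4, date(2023, 6, 1)),
    DpiEntry("payroll_2016", "employee_records", "payroll", "HR archive", True, 4, date(2016, 1, 1)),
    DpiEntry("web_analytics_2022", "marketing_analytics", "campaign measurement", "analytics warehouse", True, 3, date(2022, 3, 15)),
    DpiEntry("newsletter_signups", "marketing_leads", "marketing", "mailing list tool", True, 3, date(2019, 1, 1)),
    DpiEntry("product_catalogue", "reference_data", "sales", "ERP", False, 1, date(2015, 1, 1)),
]

if __name__ == "__main__":
    for item in disposal_worklist(INVENTORY, SCHEDULE, TODAY):
        print("dispose:", item)
    print("personal info with no rule:", uncovered_personal_info(INVENTORY, SCHEDULE))
    print("schedule problems:", validate_rule(VAGUE_RULE))
```

Run as a script it prints the legacy loan applications (overdue for deletion), the 2016 payroll archive (inside its window, eligible for archiving) and the 2022 web analytics (overdue for de-identification), in that order, flags the newsletter sign-ups as personal information with no rule, and rejects the “review” rule. The `data_class` link between inventory and schedule is the design point: a DPI that does not classify holdings the same way the retention schedule does leaves the rules unenforceable.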
Time for a spring clean
Organisations must not only address the visible risks, but acknowledge the complexities associated with data retention and disposal.
Apart from being a security risk, retained data also raises the question of whether it still holds any value. Is that information even still current? Does it support your business forecasting? Even if it does, businesses should be thinking about whether that data can be used in a way where the personal information is masked or de-identified.
It’s time to get a stack of cardboard boxes together and clear out the attic.
Contact us
If you’re interested in learning more about how to implement retention and disposal and other data controls, contact us at hello@elevenM.com.au or on 1300 003 922.