Establishing Enterprise Roles for Data Protection

Author: Sai Krishnan Mohan, CMC and Ranganath Iyengar, CMC
Date Published: 30 November 2022

Data sovereignty ideas are on the rise in various countries and, together with the growing recognition of the utility of data (particularly how data may be used to influence geopolitical events) and data residency and localization considerations, are gaining traction in the public sphere. There are clear challenges associated with how specific types of data need to be safeguarded, stored and shared on a need-to-know basis, and data governance mechanisms provide guidelines for these practices. Based on surveys and interviews conducted with senior leaders across industries, an approach for scoping roles, data classification, data governance and decision rights with reference to enterprise data is proposed.

Background

The Data Management Association (DAMA) International defines data governance as the “planning, oversight, and control over the management of data, use of data and data-related sources.”1 Data governance is typically implemented in organizations through policies, guidelines, tools and access controls. If the data are considered information or intellectual assets, the accountability increases. From a practical perspective, there are additional parameters for each concept within data governance (figure 1).

Enterprise owners, stakeholders and managers encounter data governance every day as they are challenged to manage data across geographies, business units, teams and individual boundaries. Due to the growing importance of data protection and governance, research was conducted to evaluate the impact of data protection considerations on enterprise risk management (ERM), planning and infrastructure/software portfolio management. The aim was to understand how decision makers and enterprise influencers handle evolving data protection considerations in terms of relative importance/impact, cost and ownership. The research objective was to get wide-ranging inputs from a sample of key decision makers and influencers in the data space across multiple industries, including from enterprises, data (platforms) service providers and third-party system integrators. It is important to consider how to think about data stakeholders in an enterprise and how to define their roles and responsibilities based on different aspects of data governance.

Understanding Data Governance

There are four key components of data governance: data residency, security, privacy and compliance.

Data residency is the “storage of personal information within a particular region where data is processed per laws, customs and expectations of that region (country/economic boundary).”2 As per the International Association for Privacy Professionals (IAPP), information privacy is the right to control how personal information is collected and used.3 If an organization does not address data residency and privacy, it is at risk of facing potential government enforcement, class action lawsuits, financial penalties and liabilities, damaged reputation, and loss of customer and business partner confidence.4 Hence, it is critical for the enterprise to get data security and regulatory compliance right.

DAMA defines data security as “the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access and auditing of data and information assets.”5 Data security can be established through a road map of controls, policies, systems and procedures to protect data from risk6 including loss, unauthorized access and destruction.

Data compliance refers to the set of practices that ensure that sensitive data are collated, organized and managed in a way that permits organizations to meet their business rule boundaries and legal and governmental regulations.7 Privacy and security are usually included in the scope of data compliance.

Challenges for Data Management

The International Data Corporation (IDC) has predicted that the amount of worldwide data will grow 61 percent from 33 zettabytes to 175 zettabytes by 2025.8 This growth creates significant challenges in managing enterprise data flows across systems and lines of business while keeping focus on the alignment between data and business.

Data governance establishes working boundaries for data management, which could operationally include policies, roles and stakeholders, norms for data management operational teams, standards, references or valuation methods. The Profisee 2019 State of Data Management Report identifies four key challenges to data management captured in its survey: compliance, security, analytics and the need for experienced talent.9

In 2019, data management strategies focused on alignment of data strategy with enterprise goals, defining the value of professionally managed data and assigning data management responsibility to dedicated staff. In today’s context, additional important dimensions include data residency, data privacy, data security and data compliance.

A common challenge for enterprises is managing disparate/distributed data across the life cycle—only then can the data governance boundaries be monitored and controlled. In addition, data risk and compliance requirements can vary by industry. With a 20 percent growth in data every year beyond storage and routine management, automating and prudently managing data are crucial (i.e., tagging, classifying, securing, retaining).10 For some industries, this is an enormous expense if done primarily using human intervention. Data intelligence and automation help reduce data management risk significantly across an organization.

Data Protection Laws

Most countries have laws related to data protection, and their enforcement is often the responsibility of multiple agencies.

The United States has laws such as the Driver’s Privacy Protection Act (DPPA) of 1994, Children’s Online Privacy Protection Act (COPPA) and Video Privacy Protection Act (VPPA).11

In India, the IT Act 2000 Sections 43A and 72A outline compensation rules if personal information is improperly disclosed. Other measures include the Aadhaar Act, an Indian national registration and identification system in which individuals are assigned unique 12-digit numbers that protect confidentiality obligations and the use of personal information by any industry.12 In addition, the right to privacy is recognized under Article 21 of the Indian Constitution as part of the right to life and personal liberty. A publication by the Indian Ministry of Electronics and Information Technology (MeitY) states that with the transformation of India’s economy to a digital economy, “[T]he reality of the digital environment today is that almost every single activity undertaken by an individual involves some sort of data transaction or the other.”13

The EU General Data Protection Regulation (GDPR) and similar legislative acts point toward a set of principles for the lawful processing of personal data. The UK Information Commissioner’s Office (ICO) cites a piece of 2016 EU legislation that represents seven key principles applicable to EU countries for determining basic policies/guidelines on data privacy.14 The principles are accountability; accuracy; integrity and confidentiality (security); purpose limitation; data minimization; storage limitation; and lawfulness, fairness and transparency. Such principles are useful to boards of directors (BoDs) in setting broad frameworks for enterprise governance to address data privacy concerns.

In the context of country-level data protection laws, it is important to understand the differences between data terms to establish focus areas for data protection actions in enterprises:

  • Data residency—This is a set of policies, actions and activities pertaining to the geographical location of data storage for regulatory, compliance or policy reasons, including cross-border laws (e.g., tax data and medical records).
  • Data sovereignty—This entails protection of data by the location and the laws of a country. It is important as data subjects have different levels of privacy and security protection depending on their data center/hosting location (e.g., email, personal/enterprise data archives). Data sovereignty also defines the stakeholder rights of access to data and national rights and obligations (e.g., government, enterprise, individual, affinity group and social media data).
  • Data localization—This is a specific definition purely based on legal obligations, and it is gaining wider acceptance as the entire data life cycle is often managed within a single geographic boundary. It is currently applied primarily to the creation and storage of personal data for audit and traceability since any transactions would require audit, validation or verification.

Data localization and privacy regulations continue to be developed in many countries, and although the data protection principles established by GDPR created a basis for most of them, there are nuances at the country level.

Research Methodology

Researchers conducted mixed-method research triangulating inputs from qualitative research and literature review. The research followed a sequential exploratory approach with interviews conducted up front to develop focus areas, concepts and hypotheses that were followed by surveys intended to validate the concepts and hypotheses using qualitative methods. Researchers used semistructured interviews and collation and qualitative analysis of the literature available in the public domain, including press releases and disclosures.

Interview participants were selected based on these criteria:

  • Decision-making/influencing role with reference to data strategies
  • Extensive industry experience (e.g., a senior leadership role)
  • Practitioner experience in data management and analytics
  • Technologist’s experience with product development and services experience in data management

Researchers sought industry professionals’ opinions on several concepts, including:

  • Enterprise ownership of data governance—Do IT and associated functions remain the primary owners of data and enterprise data governance, or is enterprise data governance co-owned by all functions, with IT taking a leadership role?
  • Use of formal enterprise data governance frameworks—Are formal data governance frameworks established and operational in enterprises across industries?
  • Ownership of enterprise data privacy and compliance considerations—Are data privacy requirements and compliance owned by IT security/enterprise architecture teams, enterprise leaders or legal functions?
  • Data sovereignty trends—Are data residency (localization) requirements expected to continue increasing globally or decline as economies expand?
  • Choice of tools and technologies to enable data privacy, security and regulatory compliance—Should the organization adopt cloud-based data storage and governance technologies based on the industry sector of which the organization is a part?

Interviews
Researchers interviewed seven senior leaders from major multinational/Indian businesses that are global or transnational. Although the interviewees worked in different industries, they shared common concerns about data protection and the evolving regulatory landscape for data privacy, security and residency, and expressed needs including:

  • The need for business leaders to develop an awareness of enterprise data governance and evolving regulations that impact roles and responsibilities regarding data storage, location and movement
  • The need for increased spending on data privacy, security controls and localization compliance as a proportion of the organization’s overall IT budget

Surveys
The researchers conducted two surveys from September to November 2021:

  1. Survey 1 measured leadership awareness of data privacy, security and residency considerations for enterprises. This survey targeted senior leaders across industry verticals playing global roles in multinational organizations in India.
  2. Survey 2 examined enterprise data management and governance practices and tools supporting data privacy, security and residency. This survey targeted senior-level industry practitioners across industry verticals playing global roles in multinational organizations in India.

Senior Leadership Survey
One hundred two senior professionals participated in the first survey, of which 55 percent were top management in enterprises and more than 92 percent were senior professionals. Most of the respondents (50 percent) had leadership roles in IT/cloud service provider enterprises, and 58 percent of the respondents came from midsize to large organizations (i.e., more than 500 employees). Nearly 48 percent of the respondents believed that ownership of data management is the responsibility of the enterprise, and 49 percent of the respondents believed that ownership of data management lies with IT/data leaders (figure 2).

As shown in figure 3, regarding data storage decisions pertaining to multinational business operations, most of the respondents put the onus on respective enterprise architecture and legal teams for compliance with relevant data localization and storage requirements rather than business/country-level leaders. This response is driven by respondents in the IT/cloud services provider industry. Respondents from manufacturing, professional services and e-commerce industries emphasized business owner and legal team ownership of data storage decisions.

The respondents put the onus on local business and legal teams to maintain awareness and understanding of the developing data privacy, security and residency regulations (figure 4). These responses indicate a need for practices for business/legal teams to sustain awareness of developing regulations to align the respective enterprise architecture/IT teams when developing the relevant infrastructure and policies for success.

The respondents ranked data management and tool implementation as the leading ways to address enterprise data privacy, security and residency requirements. Respondents from the manufacturing industry placed relatively more emphasis on regional stewardship of business rules related to data privacy/security and residency compliance in data governance solutions (figure 5).

Most of the respondents (43 percent) believed that the data sovereignty trends developing worldwide will increase with more specific regulations developing around national interests (figure 6). Conversely, only a small minority of the respondents (3 percent) believed that data sovereignty trends will decline as global economies expand.

Segmenting responses by industry vertical, a significant portion of respondents from the manufacturing industry (30 percent) and the services/professional services industries (37 percent) believed that regulations on data privacy, data residency and data security will be driven by regional trading agreements or free trade agreements between countries in the future. The respondents were asked to share any current gaps perceived in enterprise data privacy, security and residency. The gaps mentioned were:

  • Cloud data leak prevention security
  • Multicloud security
  • Employee-level awareness gaps
  • Establishment of data management roles and practices focused on privacy, security and residency

Practitioner Survey
For the second survey, participants were randomly selected, subject to the following shortlisting criteria based on professional experience with data privacy and residency decisions in an enterprise context:

  • Active decision makers in enterprises with decision-making authority in IT services or products, maintenance, procurement/buying, IT infrastructure/outsourcing, systems integration, data storage, virtualization, Internet and wireless services, network products and enterprise applications
  • Field expertise in product management, medical, legal/law, engineering, market research, finance/accounting, marketing, technology implementation, production, management, technology development hardware, sales/business development, technology development software, operations, procurement and executive leadership

One hundred thirty-seven respondents were qualified based on their awareness and experience as decision makers with data privacy, security and residency considerations in an enterprise context. Out of 157 participants, 89.5 percent (137) were qualified to continue the survey, and the rest (16) were disqualified. The majority of the respondents (57.6 percent) were managers/functional leaders and 23.7 percent were business leaders. Most of the respondents (58 percent) were from the IT/cloud service provider industry, and more than 56 percent of respondents were from mid- to large-sized organizations (500 or more employees). Most of the respondents (55 percent) believed that IT/data center managers are responsible for technology and data management in their organizations (figure 7).

Data residency is positioned near the bottom with regard to the types of policies that the organizations ask their employees to follow (figure 8).

Some respondents described organizational practices that risk violating data privacy policies, such as the use of personal storage devices on enterprise hardware even when they are not permitted by policy (figure 9).

Virus, malware and phishing attacks topped the list of threats organizations have faced over the last three years, followed by service breaches by IT/cloud service providers (figure 10).

Seventy-four percent of respondents used cloud data protection tools in their organization, and approximately 55 percent used data privacy solutions (figure 11).

Establishing Leadership Awareness

The leadership survey respondents in the first survey put the onus on enterprise architecture/IT and legal teams to handle data protection. Based on the responses, data protection relies on a policy and tool-driven approach. The practitioner survey reveals perceived threats to data security and various tools used in enterprises for data protection. The interviewees shared their reflections that there is a need to improve leadership awareness on the topic of data protection, particularly on evolving laws and regulations that could impact them and their teams’ roles and responsibilities. The interviewees also felt that the share of spend on data privacy, security controls and localization compliance needs to be increased.

Based on the surveys and interviews, there is a clear need to enhance enterprise leadership awareness on the topic of data protection and its implications. This leadership awareness is a prerequisite to establishing accountability for data protection in enterprises. Establishing role-based enterprise accountability to handle data protection is a good first step.

Enterprise Accountability
A good way to establish accountability for data protection is by assigning roles and responsibilities to various aspects of data governance (figure 12). An inside-out approach or a set of boundary conditions to define enterprise accountability for data can be used. Traditionally, chief information officers (CIOs) and chief technology officers (CTOs) have been tasked with enterprise accountability for data; however, employees in business and functional roles often create transactional data.

Enterprise Data Responsibilities
Based on the research results, a broad-based approach to responsibilities for handling data governance (figure 13) is recommended.

These roles represent various senior stakeholders in the enterprise. They address internal and external governance requirements and balance the risk and controls across stakeholders, which is often the single point of failure leading to breaches, violations or fraud.

Enterprise Data Boundaries
Logical boundaries can help clarify decision rights on enterprise data. This includes stakeholder actions covering data governance, data strategy and data management (figure 12).

By treating data governance, data strategy and data management as focus areas, activity areas and role considerations can be mapped to each focus area (figure 12). These role considerations intersect with the decision aspects and scope described in figure 14. From the literature review, surveys and interviews, it can be inferred that the data strategy is connected to data management and that data governance needs to balance external (regulatory and business partner) and internal (enterprise) stakeholder expectations. This approach aligns the BoD’s thought process and risk/controls with implementable, quantifiable and actionable measures for various teams and stakeholders. It also provides clear visibility into residency, privacy and security at the BoD level to determine policies and governance mechanisms for execution downstream by teams and leaders.

Enterprise Data Classification Schema

A taxonomy/schematic for enterprise data used by location, as shown in figure 15, can be created to guide business/functional stakeholders that must handle active data assets.

This schema can help consolidate and baseline data assets that are in active use or archived, as only an end user of data would have the required degree of visibility. Such taxonomies can then be integrated into an overall enterprise-level data management framework and monitored through an enterprise data grid that tracks all active and archived data assets. This approach also helps enterprise governance stakeholders conduct data use audits to ascertain compliance with various parameters and increase the coverage of such audit exercises across important datasets.

Conclusion

This research examined practitioner perspectives on data protection, including data privacy, data security and data residency/localization considerations. Considering the evolving data regulation landscape and impact to enterprises, it is clear that the responsibility of data protection is not limited to IT/legal considerations; it involves all functions in an organization. Therefore, it is crucial to enhance leadership awareness of data protection and develop a meaningful accountability structure in an organization. Visualizing enterprise data assets in the context of their location, subject area, potential risk, compliance required and data owner/data steward can enable organizations to build a common/cross-functional framework of where to focus on data protection. A structure of roles and responsibilities with decision rights and boundaries can help improve clarity on data ownership and accountability for data protection. Implementing a data classification schema and accountability model for data protection across the enterprise can help reduce threats to data security, data privacy and data residency compliance, thereby reducing enterprise business risk.

Authors’ Note

The authors would like to thank all interview panelists and survey respondents for their valuable inputs in the primary research.

Endnotes

1 DAMA International, DAMA-DMBOK2: Data Management Body of Knowledge, Technics Publications, USA, 2017
2 Day, P.; “Data Across Borders: The Importance of Data Residency,” Venture Beat, 3 October 2019, https://venturebeat.com/2019/10/03/data-across-borders-the-importance-of-data-residency
3 International Association of Privacy Professionals (IAPP), “About the IAPP,” https://iapp.org/about/what-is-privacy/
4 Ibid.
5 Op cit DAMA International
6 de Groot, J.; “What Is Data Security,” Digital Guardian, 12 August 2021, https://digitalguardian.com/blog/what-data-security
7 Reciprocity, “What Is Data Compliance?” 11 January 2020, https://reciprocitylabs.com/resources/what-is-data-compliance
8 Profisee, 2019 State of Data Management Report, USA, 2019, https://go.profisee.com/thank-you-2019-state-of-data-management-report
9 Ibid.
10 Richardson, D.; “Best Practices in Data Governance and Legal Use Cases,” Aparavi, https://www.aparavi.com/resources-podcasts/data-governance-best-practices-legal
11 Global Legal Group, Data Protection Laws and Regulations, USA, 2022, https://iclg.com/practice-areas/data-protection-laws-and-regulations/usa
12 Linklaters, “Data Protected: India,” September 2022, https://www.linklaters.com/en-us/insights/data-protected/data-protected---india
13 Ministry of Electronics and Information Technology (MeitY), Data Protection in India, India, February 2018, https://digitalindia.gov.in/writereaddata/files/6.Data%20Protection%20in%20India.pdf
14 UK Information Commissioner’s Office (ICO), “The Principles,” https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/

SAI KRISHNAN MOHAN | CMC

Is vice president of management information systems (analytics) at Bajaj Auto Ltd. Mohan is a member of ISACA® and the Data Management Association (DAMA) International and can be reached at saikrishnan.mohan@gmail.com and https://decisionradius.com.

RANGANATH IYENGAR | CMC

Is director and cofounder of Strategic Interventions India Private Limited. Iyengar is a member of ISACA and the Data Management Association (DAMA) International. Iyengar can be reached at ranga@siiplconsulting.com and https://www.strategicin.org.