Data Governance and Compliance: Act of Checks & Balances
Compliance is one of the main reasons why companies feel the need to make data governance a priority. It ensures that the data ecosystem complies with the laws and regulations on data collection, management, and use.
Effective data governance guarantees that compliance isn’t an afterthought or purely an IT function, but is inherent to an organization’s data culture and practices. That’s the best way to balance the need for security with data democratization.
Here we explore the correlation between data governance and compliance, starting with a comparison to understand the difference.
Table of contents
- Data governance vs. data compliance
- Why is compliance important?
- Does complying with regulations mean stifling data access?
- How does data governance balance compliance with democratizing data?
- Data governance and compliance: Concluding thoughts
- Data governance and compliance with Atlan
- Data governance and compliance: Related reads
Data governance vs. data compliance
Here’s the primary difference when comparing governance vs. compliance — compliance is one of the outcomes of good data governance.
Let’s look at the definitions to understand why.
According to Gartner, data governance is “the specification of decision rights and an accountability framework to ensure the appropriate behavior in the valuation, creation, consumption, and control of data and analytics.”
Data governance is a management approach for data that facilitates its security, availability, integrity, privacy, and use.
Meanwhile, the VP and Chief Global Compliance Officer at New York University, Robert Roach, defines compliance as “the use of systemic approaches for governance. These approaches ensure institutions meet their obligations under the applicable laws, regulations, best practices and standards, and institutional policies. Data compliance helps in promoting transparency and accountability in institutional operations.”
Compliance implies that your data capture, storage, and management practices follow the data-related rules and regulations. These regulations vary depending on geography, industry, and data type.
Some of the most common regulations include:
GDPR (The EU's General Data Protection Regulation)
The GDPR protects the personal data of individuals in the European Union and sets out how organizations may collect, process, and secure it.
Under GDPR, individuals can ask companies what personal data is held about them and how it is used (the right of access), and can ask for it to be deleted (the right to erasure). Companies must also report personal data breaches to their supervisory authority within 72 hours of becoming aware of them, and inform the affected individuals when the breach poses a high risk to them.
Companies that violate GDPR can face fines of up to €20 million or 4% of worldwide annual turnover from the previous financial year, whichever is higher; a lower tier of €10 million or 2% applies to less serious infringements.
CCPA (The California Consumer Privacy Act)
The CCPA protects the privacy rights of California residents. It applies to for-profit businesses that do business in California and meet at least one of three thresholds: gross annual revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices per year (raised to 100,000 by the CPRA amendments); or deriving 50% or more of annual revenue from selling personal information. Non-profits and government agencies are outside the CCPA's scope.
Under the CCPA, California consumers can ask companies to disclose what personal information they collect and how they use it, and can request its deletion or opt out of its sale. Failure to comply can attract civil penalties of $2,500 per unintentional violation and $7,500 per intentional violation.
HIPAA (Health Insurance Portability and Accountability Act of 1996)
HIPAA protects patients' protected health information (PHI) held by covered entities (health plans, healthcare providers, and clearinghouses) and their business associates across the US. Under the Privacy Rule, PHI may be used or disclosed without the patient's authorization only for treatment, payment, healthcare operations, and a few other defined purposes; any other disclosure requires the patient's written authorization.
Civil penalties for non-compliance range from $100 to $50,000 per violation depending on the offender's level of culpability, with an annual cap of $1.5 million per type of violation (the figures are adjusted for inflation). Knowingly obtaining or disclosing PHI can also lead to criminal penalties of up to ten years' imprisonment when it is done with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm.
Why is compliance important?
- Improves brand reputation
- Keeps businesses from paying hefty fines due to non-compliance
- Enhances cybersecurity
- Improves data management
Compliance helps customers know their data is safe, thus building customer confidence, trust, and loyalty. It also helps improve brand reputation, cybersecurity, and data management practices, while avoiding fines for non-compliance. Let’s explore each benefit further.
1. Improves brand reputation
When a business shows transparency through a clear data compliance strategy, it improves customer confidence and brand reputation.
Customers appreciate and respect businesses with high levels of data compliance and transparency in their data governance practices. It helps customers understand how businesses handle their data while respecting their privacy.
That's why non-compliance doesn't just lead to fines but also to a loss of customer trust.
A cautionary tale is that of Meta CEO Mark Zuckerberg having to appear before the U.S. Congress in 2018 over the Cambridge Analytica scandal and wider privacy concerns. Zuckerberg had to explain how the company handled user data and how it planned to uphold data privacy in an attempt to salvage his company's reputation.
2. Keeps businesses from paying hefty fines due to non-compliance
Non-compliance penalties can be high enough to affect your company's finances. Some of the biggest companies that have paid hefty fines between 2020 and 2022 include:
- Amazon: Fined €746 million by Luxembourg's data protection authority (CNPD) for processing personal data for targeted advertising without valid consent, in violation of GDPR
- WhatsApp: Fined €225 million by Ireland's Data Protection Commission (DPC) for lack of transparency in its data processing and privacy practices
- Google: Fined €150 million by France's CNIL because its sites made refusing tracking cookies harder than accepting them
- British Airways: Fined £20 million (about €23 million) by the UK's Information Commissioner's Office (ICO) for a 2018 breach that affected 400,000+ customers
- Marriott International Inc: Fined £18.4 million (about €21 million) by the ICO for a breach that exposed the personal data of millions of its guests
All of these fines were issued under GDPR, whether for consent and transparency failures or for breaches that inadequate security controls allowed to happen.
3. Enhances cybersecurity
The 2021 Cost of a Data Breach Report by IBM Security and the Ponemon Institute puts the average cost of a data breach at USD 4.24 million, the highest in the report's 17-year history. The Identity Theft Resource Center's 2021 Data Breach Report complements these findings: the number of publicly reported data compromises rose 68% in 2021 over the previous year.
According to the President and CEO of the Identity Theft Resource Center Eva Velasquez:
“We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud. The number of breaches in 2021 was alarming. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”
The same 2021 report found that organizations with mature security automation and AI, and those that had deployed a zero-trust approach to granting access, had markedly lower breach costs than those that had not.
Compliance with regulations like GDPR requires something similar. Article 32 obliges controllers and processors to implement technical and organizational measures appropriate to the risk, such as encryption and pseudonymization, access control, the ability to restore data after an incident, and regular testing of those measures. So, compliance can help you tackle cyber threats and minimize the risk of data breaches.
4. Improves data management
Compliance with data regulations ensures that companies document how they collect, store, and use data. The documentation also includes an incident response plan for a cyberattack or data breach, including who must be notified and within what deadline.
In addition to addressing data compliance issues, proper documentation and planning also enhance the overall data management across the organization.
Does complying with regulations mean stifling data access?
No. Compliance with regulations shouldn’t come at the cost of data democratization and collaboration.
When the concept of data governance started taking off in the mid-2000s, the idea was to tame and protect data, essentially data stewardship. Data stewards were meant to bridge the gap between people and processes. Their role was to deftly navigate through the world of regulatory compliance and governance policies while offering clarity to business teams.
The author of “Disrupting Data Governance” Laura Madsen puts it this way:
“Data stewards were meant to help solidify the squishy… They speak the language of IT and translate that back into the business. The role requires the patience of a kindergarten teacher and the ability to successfully negotiate a hostage situation.”
However, the implementation didn't go as planned. Instead, it became all about imposing control through complex security processes and restrictions. As regulations tightened, these methods became more stringent, at the cost of hindering data access and limiting its use.
Stifling access leads to data chaos, collaboration problems, and a general lack of trust in data. As such, compliance cannot be successful by simply restricting access. Instead, it must be part of a data governance program that’s an agile, collaborative, bottom-up effort with the right people, processes, and tools in place.
How does data governance balance compliance with democratizing data?
Any organization should have strict permissions governing data access, but not at the cost of data democratization. A solid governance framework outlining the purpose, scope, standards, and conventions helps establish the right processes and involve the right people.
The next step is to invest in technology that automates data classification, provides audit logs, and supports granular access controls based on the “trust, but verify” approach.
Let's look at how data governance tools facilitate this balance.
1. Auto-classifies PII data and enables tag-based access policies
Most regulations dictate the rules for managing sensitive information — Personally Identifiable Information (PII) such as credit card numbers, customer names, and email addresses.
Active data governance tools can help you auto-classify PII data and monitor access using tag-based policies.
Besides PII data, other categories include business metadata, security rules, public or private data, and more.
2. Supports column-level access controls
In addition to tag-based policies, column-level permissions are a must to regulate access to individual columns such as “location”, “job role”, and “monthly income” in databases and schemas.
3. Propagates policies through the lineage
Visualizing lineage helps trace the flow of data and validate whether the access policies are consistent. Propagating policies through lineage ensures that every data set modeled from a column tagged as sensitive inherits the same classification and access controls, so a derived table cannot silently drop the protection of its source.
4. Enables access management via groups
Monitoring access at the user level can get complex. However, you can set up user groups depending on the role or function, and manage access for the entire group via a single dashboard.
So, you can customize policies to enable access without risking non-compliance.
5. Traces audit logs
Audit logs tell you:
- Who’s using which data asset and how frequently
- Which are the most accessed data assets
- Who’s accessing sensitive data assets and how often
Addressing these questions is crucial to understanding what’s happening to your data and whether the sensitive data is secure.
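To make the five capabilities above concrete, here is an added example of a toy policy engine in Python. It is not Atlan's code or any vendor's API; every table, column, tag, user and group in it is constructed for the illustration. It tags source columns, propagates those tags to derived columns through lineage (including a two-hop chain), resolves access by group membership with column-level rules overriding tag-based rules, masks what the caller may not see, and keeps an audit log from which a "who reads sensitive data, and how often" report is built.

```python
# Added example (not Atlan's code or any vendor's API): a toy policy engine
# showing how tag-based policies, column-level rules, lineage propagation,
# group-based access and an audit log fit together. Every table, column,
# tag, user and group below is constructed for the illustration.
from collections import Counter
from datetime import datetime, timezone

# Classification: only source columns are tagged by hand.
TAGS = {
    ("crm.customers", "email"): {"PII"},
    ("crm.customers", "card_number"): {"PII", "PCI"},
    ("crm.customers", "country"): set(),
    ("hr.employees", "monthly_income"): {"CONFIDENTIAL"},
}
# Lineage: (downstream table, column) is derived from (upstream table, column).
LINEAGE = [
    (("mart.customer_360", "email"), ("crm.customers", "email")),
    (("mart.customer_360", "country"), ("crm.customers", "country")),
    (("mart.customer_360", "last4"), ("crm.customers", "card_number")),
    (("report.kpis", "contact"), ("mart.customer_360", "email")),  # two hops
]
# Tag-based policy: groups allowed to see a column carrying this tag unmasked.
TAG_POLICIES = {
    "PII": {"compliance", "data-engineering"},
    "PCI": {"compliance"},
    "CONFIDENTIAL": {"hr"},
}
# Column-level policy: an explicit rule on a column overrides its tag rules.
COLUMN_POLICIES = {
    ("hr.employees", "monthly_income"): {"hr", "finance"},
}
# Group membership: access is granted to groups, never to individual users.
GROUPS = {
    "alice": {"compliance"},
    "bob": {"analytics"},
    "carol": {"data-engineering"},
    "dave": {"finance"},
}


def propagate_tags(tags, lineage):
    """Every column modeled from a tagged column inherits its tags.
    Iterates to a fixed point so multi-hop lineage is covered."""
    result = {key: set(val) for key, val in tags.items()}
    changed = True
    while changed:
        changed = False
        for downstream, upstream in lineage:
            inherited = result.get(upstream, set())
            current = result.setdefault(downstream, set())
            if not inherited <= current:
                current |= inherited
                changed = True
    return result


def allowed(user, table, column, tags):
    """Decide whether `user` may see this column unmasked.
    Column rules win over tag rules; with several tags every tag must permit
    the user (most restrictive wins); a tag with no policy denies (fail
    closed); an untagged column with no rule is open."""
    groups = GROUPS.get(user, set())
    key = (table, column)
    if key in COLUMN_POLICIES:
        return bool(groups & COLUMN_POLICIES[key])
    return all(groups & TAG_POLICIES.get(t, set()) for t in tags.get(key, set()))


def read(user, table, row, tags, audit_log):
    """Return `row` with disallowed columns masked, recording every access."""
    out = {}
    for column, value in row.items():
        unmasked = allowed(user, table, column, tags)
        out[column] = value if unmasked else "***"
        audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "table": table, "column": column,
            "sensitive": bool(tags.get((table, column))),
            "unmasked": unmasked,
        })
    return out


def sensitive_access_report(audit_log):
    """Who reads sensitive columns unmasked, and how often, per table."""
    return Counter((e["user"], e["table"]) for e in audit_log
                   if e["sensitive"] and e["unmasked"])


if __name__ == "__main__":
    tags = propagate_tags(TAGS, LINEAGE)
    log = []
    customer = {"email": "ann@example.com", "country": "DE", "last4": "4242"}  # constructed row
    for user in ("alice", "bob", "carol"):
        print(user, read(user, "mart.customer_360", customer, tags, log))
    print("report.kpis.contact inherits:", tags[("report.kpis", "contact")])
    print(sensitive_access_report(log))
```

Two design choices are worth noting. Tags only ever accumulate through lineage: `mart.customer_360.last4` keeps both `PII` and `PCI` even though it holds just the last four digits, so declassifying a derived column must be an explicit, reviewable decision rather than something a transformation does by accident. And the decision function fails closed: a column carrying a tag nobody has written a policy for is masked for everyone, which is the behaviour you want when a classifier starts emitting a new tag before the policy catches up.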
Data governance and compliance: Concluding thoughts
Data governance and compliance are crucial for every organization, regardless of size or capacity.
The Wall Street Journal emphasizes that organizations cannot merely choose to be open and transparent with their data management practices when “their backs are against the wall”, as evidenced by Facebook’s (now Meta’s) Cambridge Analytica scandal.
Because of Facebook’s data governance problems, the company was investigated by U.S. lawmakers in 2018, and that incident led to a global reckoning on data governance and compliance.
Organizations already consider compliance with increasingly stringent regulations to be a top priority. However, the best way to achieve it is to establish a solid governance framework and culture built on the principles of collaboration, transparency, and democratization.
As the director of cybersecurity and IT, GRC programs for EDUCAUSE Joanna Grama says, “implementing a framework will never be successful unless the organization’s culture evolves to support governance activities.”
Data governance and compliance with Atlan
With Atlan, say goodbye to the complex, bureaucratic version of governance. Say hello to enablement — a simpler, community-centered approach, with privacy at its core.
Data governance and compliance: Related reads
- Data Governance in Action: Community-Centered and Personalized
- Data Governance and Its Importance in the Modern Data Stack
- Data Governance Framework — Examples, Templates, Standards, Best practices & How to Create One?
- Snowflake Data Governance — Features, Frameworks & Best practices
- Open Source Data Governance Tools - 7 Best to Consider in 2023
- Data Governance Policy: Examples, Templates & How to Write One
- 7 Best Practices for Data Governance to Follow in 2023
- Benefits of Data Governance: 4 Ways It Helps Build Great Data Teams
- Data Governance Roles and Responsibilities: A Quick Round-Up
- Key Objectives of Data Governance: How Should You Think About Them?
- The 3 Principles of Data Governance: Pillars of a Modern Data Culture
- A Guide to Gartner Data Governance Research — Market Guides, Hype Cycles, and Peer Reviews
- 5 Popular Data Governance Certifications & Trainings in 2023
- 8 Best Data Governance Books Every Data Practitioner Should Read in 2023
- Automated Data Governance: How Does It Help You Manage Access, Security & More at Scale?
- Data Governance and Compliance: Act of Checks & Balances
- Data Governance vs. Data Management: What’s the Difference?
- Enterprise Data Governance — Basics, Strategy, Key Challenges, Benefits & Best Practices