Data Governance and Compliance: Act of Checks & Balances

July 7th, 2022


Compliance is one of the main reasons why companies feel the need to make data governance a priority. It involves ensuring that the data ecosystem complies with the laws and regulations on data collection, management, and use.

Effective data governance ensures that compliance isn’t an afterthought or purely an IT function, but is inherent to an organization's data culture and practices. That’s the best way to balance the need for security with data democratization.

Here we explore the correlation between data governance and compliance, starting with a comparison to understand the difference.

Governance vs. compliance

Here’s the primary difference when comparing governance vs. compliance — compliance is one of the outcomes of good data governance.

Let’s look at the definitions to understand why.

According to Gartner, data governance is “the specification of decision rights and an accountability framework to ensure the appropriate behavior in the valuation, creation, consumption, and control of data and analytics.”

Data governance is a management approach for data that facilitates its security, availability, integrity, privacy, and use.

Meanwhile, the VP and Chief Global Compliance Officer at New York University, Robert Roach, defines compliance as “the use of systemic approaches for governance. These approaches ensure institutions meet their obligations under the applicable laws, regulations, best practices and standards, and institutional policies. Data compliance helps in promoting transparency and accountability in institutional operations.”

Compliance implies that your data capture, storage, and management practices follow the data-related rules and regulations. These regulations vary depending on geography, industry, and data type.

Some of the most common regulations include:

GDPR

The EU’s General Data Protection Regulation (GDPR) protects the data of European Union residents. It outlines guidelines on securing sensitive personal information.

Under GDPR, companies can be asked for clarifications on their data collection. They can also be asked to delete the data on EU residents and provide comprehensive reports on any data leaks or breaches.

Companies that go against the GDPR data governance regulations can face high penalties of up to €10 million or 2% of the annual revenue from the previous financial year.

CCPA (The California Consumer Privacy Act)

The CCPA protects the privacy rights of California residents. It applies to businesses in California (or ones with 50,000+ customers in California) with gross annual revenue over $25 million. Non-profits and government agencies don’t have to ensure CCPA compliance.

Under the CCPA, California consumers can ask companies to disclose how they collect and use personal information. Failure to comply with the CCPA can attract fines of $2,500 to $7,500 per violation.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act of 1996) protects patients' data across the US. According to the act, a patient’s consent is mandatory before disclosing their information.

Failure to comply with HIPAA attracts a fine of $100 to $50,000 per violation, depending on the culpability of the offender, with a maximum penalty cap of $1.5 million per calendar year. HIPAA violations can also lead to criminal penalties of up to 5-10 years of imprisonment.

Why is compliance important?

  1. Improves brand reputation
  2. Keeps businesses from paying hefty fines due to non-compliance
  3. Enhances cybersecurity
  4. Improves data management

Compliance helps customers know that their data is safe, thus building customer confidence, trust, and loyalty. It also helps improve brand reputation, cybersecurity, and data management practices, while avoiding fines for non-compliance. Let’s explore each benefit further.

1. Improves brand reputation

When a business shows transparency through a clear data compliance strategy, it improves customer confidence and brand reputation.

Customers appreciate and respect businesses that have high levels of data compliance and transparency in their data governance practices. It helps customers understand how businesses handle their data while respecting their privacy.

That’s why non-compliance doesn’t just lead to fines but also loss of trust in customers.

A cautionary tale is that of Meta CEO Mark Zuckerberg having to appear before the U.S. Congress because of data breaches and privacy concerns. Zuckerberg had to explain how the company handled user data and how it planned to uphold data privacy in an attempt to salvage his company’s reputation.

2. Keeps businesses from paying hefty fines due to non-compliance

Non-compliance penalties can be high enough to affect your company's finances. Some of the biggest companies that have paid hefty fines in 2020-2021 include:

  • Amazon: Fined €746 million in Luxembourg for aggressive advertising practices that force users to accept cookies, in violation of GDPR
  • WhatsApp: Fined €225 million by Ireland’s Data Protection Commission (DPC) for lack of transparency in its data processing and privacy practices
  • Google: Fined €150 million in France for dropping the site's tracking cookies without consent
  • British Airways: Fined €23 million in the UK for a breach that affected 400,000+ customers
  • Marriott International Inc: Fined €21 million in the UK for a breach that leaked the personal data of millions of its customers

Most of these fines are because of non-compliance with major regulations like GDPR or cyberattacks leading to data breaches.

3. Enhances cybersecurity

The Cost of a Data Breach Report by the Ponemon Institute reports that the average cost of a data breach reached USD 4.24 million, the highest in the report's 17-year history. The Identity Theft Resource Center's 2021 Data Breach Report complements these findings — there was a 68% rise in data breaches in 2021.

According to Eva Velasquez, President and CEO of the Identity Theft Resource Center:

“We may look back at 2021 as the year when we moved from the era of identity theft to identity fraud. The number of breaches in 2021 was alarming. Many of the cyberattacks committed were highly sophisticated and complex, requiring aggressive defenses to prevent them. If those defenses failed, too often we saw an inadequate level of transparency for consumers to protect themselves from identity fraud.”

The solution lies in adopting a solid data security framework driven by automation, AI, and a zero-trust approach to granting access, according to the Ponemon Institute’s 2021 report.

Compliance with regulations like GDPR requires something similar — all companies must set up data security strategies with protected workflows, end-to-end monitoring, and secure infrastructure. So, compliance can help you tackle cyberthreats and minimize the risk of data breaches.

4. Improves data management

Compliance with data regulations ensures that companies clearly document how they collect, store, and use data. The documentation also includes an action plan in the event of a cyberattack or a data breach.

In addition to addressing data compliance issues, proper documentation and planning also enhance the overall data management across the organization.




Does complying with regulations mean stifling data access?

No. Compliance with regulations shouldn’t come at the cost of data democratization and collaboration.

When the concept of data governance started taking off in the mid-2000s, the idea was to tame and protect data, essentially data stewardship. Data stewards were meant to bridge the gap between people and processes. Their role was to deftly navigate through the world of regulatory compliance and governance policies while offering clarity to business teams.

Laura Madsen, author of “Disrupting Data Governance”, puts it this way:

“Data stewards were meant to help solidify the squishy… They speak the language of IT and translate that back to the business. The role requires the patience of a kindergarten teacher and the ability to successfully negotiate a hostage situation.”

However, the implementation didn’t occur as planned, and instead, it became all about imposing control with complex security processes and restrictions. As the regulations tightened, these methods became more stringent at the cost of hindering data access and limiting its use.

Stifling access leads to data chaos, collaboration problems, and a general lack of trust in data. As such, compliance cannot be successful by simply restricting access. Instead, it must be part of a data governance program that’s an agile, collaborative, bottom-up effort with the right people, processes, and tools in place.

How does data governance balance compliance with democratizing data?

Any organization should have strict permissions governing data access, but not at the cost of data democratization. A solid governance framework outlining the purpose, scope, standards, and conventions helps establish the right processes and involve the right people.

The next step is to invest in technology that automates data classification, provides audit logs, and supports granular access controls based on the “trust, but verify” approach.

Let’s look at how data governance tools facilitate this balance.

1. Auto-classifies PII data and enables tag-based access policies

Most regulations dictate the rules for managing sensitive information — Personally Identifiable Information (PII) such as credit card numbers, customer names, and email addresses.

Active data governance tools can help you auto-classify PII data and monitor access using tag-based policies.

Besides PII data, other categories include business metadata, security rules, public or private data, and more.

Governance and compliance: Auto-classify PII policies across your data stack. Source: Atlan

2. Supports column-level access controls

In addition to tag-based policies, column-level permissions are a must to regulate access to individual columns such as “location”, “job role”, and “monthly income” in databases and schemas.

Governance and compliance: Privacy and security access controls at the table column level. Source: Atlan

3. Propagates policies through lineage

Visualizing lineage helps trace the flow of data and validate whether the access policies are consistent. Propagating policies through lineage ensures that every data set modeled using a column tagged as sensitive inherits the same classification and security controls.

Governance and compliance: Auto-Propagate policies and access controls via lineage. Source: Atlan

4. Enables access management via groups

Monitoring access at the user level can get complex. However, you can set up user groups depending on the role or function, and manage access for the entire group via a single dashboard.

So, you can customize policies to enable access without risking non-compliance.
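The four mechanisms above (tag-based policies on auto-classified PII, column-level permissions, policy propagation through lineage, and group-based access) fit together as one small model. The Python below is an added example written for this post, not Atlan's code, and it makes no claim about how any product implements these features: the column names, lineage edges, groups and clearances are all constructed. It propagates source classifications downstream along column lineage, then answers "may this user read this column?" by combining group membership, per-group tag clearance and explicit column-level denies.

```python
"""Lineage-based tag propagation with tag-, column- and group-based access checks.

Added illustration (not Atlan's code): every column name, group and policy
below is constructed for the example.
"""
from collections import defaultdict, deque

# Constructed column-level lineage: (upstream column, downstream column).
LINEAGE_EDGES = [
    ("raw.customers.email", "staging.customers.email_hash"),
    ("raw.customers.email", "analytics.marketing.contact_list"),
    ("raw.customers.name", "analytics.marketing.contact_list"),
    ("raw.orders.id", "analytics.revenue.monthly_total"),
    ("raw.orders.amount", "analytics.revenue.monthly_total"),
    ("analytics.marketing.contact_list", "reports.campaign_summary.recipients"),
]

# Classifications applied at the source only (what an auto-classifier would emit).
SOURCE_TAGS = {
    "raw.customers.email": {"PII"},
    "raw.customers.name": {"PII"},
    "raw.orders.amount": {"financial"},
}

# Constructed groups, the tags each group is cleared to read, and explicit
# column-level denies that override a group's tag clearance.
GROUPS = {
    "analysts": {"alice", "bob"},
    "marketing": {"carol"},
    "compliance": {"dave"},
}
TAG_CLEARANCE = {
    "analysts": set(),                   # untagged (public) columns only
    "marketing": {"PII"},
    "compliance": {"PII", "financial"},
}
COLUMN_DENIES = {
    "marketing": {"raw.customers.email"},  # derived forms are fine, the raw column is not
}


def propagate_tags(edges, source_tags):
    """Push every source tag downstream along lineage.

    Returns {column: set_of_tags}. A derived column inherits the union of the
    tags of everything upstream of it, so a report built from a PII column is
    itself PII. Tag sets only ever grow, so the worklist terminates even if
    the lineage graph contains a cycle.
    """
    downstream = defaultdict(list)
    for upstream, derived in edges:
        downstream[upstream].append(derived)

    tags = defaultdict(set)
    for column, column_tags in source_tags.items():
        tags[column] |= set(column_tags)

    queue = deque(source_tags)
    while queue:
        column = queue.popleft()
        for derived in downstream[column]:
            before = len(tags[derived])
            tags[derived] |= tags[column]
            if len(tags[derived]) > before:  # new tag arrived: re-check its descendants
                queue.append(derived)
    return {column: set(column_tags) for column, column_tags in tags.items()}


def columns_with_tag(tags, tag):
    """Sorted list of columns carrying `tag` after propagation."""
    return sorted(column for column, column_tags in tags.items() if tag in column_tags)


def groups_of(user):
    return {group for group, members in GROUPS.items() if user in members}


def can_read(user, column, tags):
    """True if some group of `user` is cleared for every tag on `column` and
    does not explicitly deny the column. A user in no group gets nothing."""
    column_tags = tags.get(column, set())
    for group in groups_of(user):
        if column in COLUMN_DENIES.get(group, set()):
            continue
        if column_tags <= TAG_CLEARANCE.get(group, set()):
            return True
    return False


PROPAGATED = propagate_tags(LINEAGE_EDGES, SOURCE_TAGS)

if __name__ == "__main__":
    print("PII columns:", columns_with_tag(PROPAGATED, "PII"))
    for user, column in [("alice", "reports.campaign_summary.recipients"),
                         ("carol", "reports.campaign_summary.recipients"),
                         ("carol", "raw.customers.email")]:
        verdict = "allow" if can_read(user, column, PROPAGATED) else "deny"
        print(f"{user} -> {column}: {verdict}")
```

The point the lineage step makes is that classification is a property of the data, not of the table it first landed in: `reports.campaign_summary.recipients` never had a tag applied by hand, yet it is PII because it descends from tagged columns, and the access check treats it exactly like the source. Denies are evaluated before clearances so that a group cleared for PII in general can still be kept away from one specific raw column.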

Governance and compliance: Manage access controls via user groups. Source: Atlan

5. Traces audit logs

Audit logs tell you:

  • Who’s using which data asset and how frequently
  • Which are the most accessed data assets
  • Who’s accessing sensitive data assets and how often

Addressing these questions is crucial to understanding what’s happening to your data and whether the sensitive data is secure.
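The three questions above are aggregations over an access log, and a fourth one follows naturally for a compliance reviewer: which accesses to sensitive assets came from people not approved to see them. The Python below is an added example, not Atlan's code or log format; the JSON-lines events, asset names and approval list are constructed for the illustration. It parses the log defensively (skipping malformed or incomplete records rather than aborting), then answers each question from the parsed events.

```python
"""Answering the audit-log questions over constructed JSON-lines access events.

Added illustration (not Atlan's code or log format): the events, asset names
and approval list below are constructed for the example.
"""
import json
from collections import Counter, defaultdict

# Constructed audit log, one JSON object per line. The last two lines are
# deliberately bad (missing field, truncated JSON) to show that parsing skips them.
AUDIT_LOG = """\
{"ts": "2022-07-01T09:12:03Z", "user": "alice", "asset": "analytics.revenue.monthly_total", "action": "query"}
{"ts": "2022-07-01T09:14:11Z", "user": "alice", "asset": "analytics.revenue.monthly_total", "action": "query"}
{"ts": "2022-07-01T10:02:45Z", "user": "carol", "asset": "analytics.marketing.contact_list", "action": "query"}
{"ts": "2022-07-01T10:05:10Z", "user": "bob", "asset": "analytics.marketing.contact_list", "action": "export"}
{"ts": "2022-07-02T08:30:00Z", "user": "dave", "asset": "raw.customers.email", "action": "query"}
{"ts": "2022-07-02T11:45:22Z", "user": "carol", "asset": "analytics.marketing.contact_list", "action": "query"}
{"ts": "2022-07-02T12:00:00Z", "user": "alice", "asset": "analytics.revenue.monthly_total", "action": "query"}
{"ts": "2022-07-02T12:00:30Z", "user": "mallory", "action": "query"}
{"ts": "2022-07-02T12:01:00Z", "user": "alice", "asset":
"""

# Assets carrying a sensitive classification, and who is approved to read them.
SENSITIVE_ASSETS = {"raw.customers.email", "analytics.marketing.contact_list"}
APPROVED_FOR_SENSITIVE = {"carol", "dave"}

REQUIRED_FIELDS = ("ts", "user", "asset", "action")


def parse_events(text):
    """Parse JSON lines into event dicts, dropping blank, malformed or incomplete lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if all(field in event for field in REQUIRED_FIELDS):
            events.append(event)
    return events


def usage_by_user(events):
    """Who is using which data asset and how frequently: {user: {asset: count}}."""
    usage = defaultdict(Counter)
    for event in events:
        usage[event["user"]][event["asset"]] += 1
    return {user: dict(counts) for user, counts in usage.items()}


def most_accessed(events, top_n=3):
    """Most accessed assets as (asset, count), highest count first, ties by name."""
    counts = Counter(event["asset"] for event in events)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))[:top_n]


def sensitive_access(events, sensitive=SENSITIVE_ASSETS):
    """Who is accessing sensitive assets and how often: {user: count}."""
    return dict(Counter(event["user"] for event in events if event["asset"] in sensitive))


def unapproved_sensitive_access(events, sensitive=SENSITIVE_ASSETS,
                                approved=APPROVED_FOR_SENSITIVE):
    """Sensitive-asset events by users outside the approved set: the records a
    compliance reviewer follows up on first."""
    return [event for event in events
            if event["asset"] in sensitive and event["user"] not in approved]


EVENTS = parse_events(AUDIT_LOG)

if __name__ == "__main__":
    print("usage by user:", usage_by_user(EVENTS))
    print("most accessed:", most_accessed(EVENTS))
    print("sensitive access:", sensitive_access(EVENTS))
    for event in unapproved_sensitive_access(EVENTS):
        print("REVIEW:", event["ts"], event["user"], event["action"], event["asset"])
```

In the constructed log the review list contains exactly one record: an analyst exporting a PII contact list without being on the approved list. That combination (sensitive asset, non-approved user, and an export rather than a read) is the kind of event that should be escalated rather than left to be discovered in a quarterly report.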

Governance and compliance: Audit logs for data access

Data governance and compliance: Concluding thoughts

Data governance and compliance are crucial for every organization, regardless of the size or capacity.

The Wall Street Journal emphasizes that organizations cannot merely choose to be open and transparent with their data management practices when “their backs are against the wall”, as evidenced by Facebook’s (now Meta's) Cambridge Analytica scandal.

Because of Facebook’s data governance problems, the company was investigated by U.S. lawmakers in 2018, and that incident led to a global reckoning on data governance and compliance.

Organizations already consider compliance with increasingly stringent regulations to be a top priority. However, the best way to achieve it is to establish a solid governance framework and culture built on the principles of collaboration, transparency, and democratization.

As Joanna Grama, director of cybersecurity and IT GRC programs at EDUCAUSE, puts it, “implementing a framework will never be successful unless the organization’s culture evolves to support governance activities.”

Data governance and compliance with Atlan

With Atlan, say goodbye to the complex, bureaucratic version of governance. Say hello to enablement — a simpler, community-centered approach, with privacy at its core.
