It has been four years since the GDPR came into force in Europe, and the United States does not yet have a national law on privacy and data security. However, US companies are moving towards better data governance policies, even without regulatory guidance or incentives at the national level, experts say.
Balaji Ganesan, CEO and founder of Privacera and a committer and former founder of XA Secure (acquired by Hortonworks), has been in the trenches of access to data for decades. As a PMC member of the Apache Ranger project, Ganesan helped keep Hadoop data straight and narrow, which was no easy task.
Now that big data has exploded in the cloud and data democratization is in full swing, he sees a consensus forming at board level on taking the necessary steps to ensure that data is protected and not abused, while at the same time enabling internal stakeholders to make progress on big data projects.
“Confidentiality and governance have become issues at the board level in companies. They have become very serious; we need to know where our sensitive data is and also make sure that the data is used for the right purpose by the right people in the company,” says Ganesan. “It’s a kind of industry and a cultural change that’s happening … which is fantastic.”
Some companies practiced good data governance four or five years ago, and they tended to be larger companies, says Ganesan. Much of this was driven by the GDPR and California privacy laws, all of which involve sanctions for companies that abuse data and have attracted the attention of the boards of large companies.
But now companies of all sizes are starting to embrace the cause of data governance, and that’s a good thing. There is also a growing awareness among consumers about how companies have collected and analyzed data. This awareness is raised by companies that listen.
“In 2022, there is more awareness of privacy than ever before,” says Ganesan. “So things are going in the right direction. We just hope it accelerates.”
Privacera is one of the few software companies that seeks to give companies the ability to control who can access data wherever it is in their organization. Given the large (and growing) number of data silos and the proliferation of data consumers within businesses, this is a significant challenge.
This also puts Privacera in the middle of the conversation about what data people should have access to and what they should be allowed to do with the data. Many products may offer general monitoring capabilities in IT, but Privacera goes beyond that to provide a point of enforcement for data access policies.
The need to play both offense and defense with data is what Ganesan calls a “double mandate” for data. On the one hand, big data can be a differentiating factor, helping to increase profits and market share and reduce market risk. But data can also be a liability if it is not protected and secured. These double mandates can be contradictory if not handled well. The key is to find a happy medium and share some of it.
“It’s not a zero-sum game. You don’t have to block your data and say no one touches it,” says Ganesan. “And we don’t have to be the Wild West in terms of everyone’s access to anything and it’s an open culture. We say, hey, we can do both. You can have privacy and governance and use the data.”
Basic governance needs
What consumers want when it comes to data is pretty basic, says Ganesan. “We need to know where the data is used, we need to be aware of it, and it should not be used for purposes beyond what you have approved,” he said. That’s it.
If companies meet these basic minimum standards when it comes to consumer data that they collect and store, then consumers would be quite happy. The good news is that most companies seem to agree to abide by these basic principles, says Ganesan. In other words, the general culture of data converges to a set of core policies, which is a good thing for all stakeholders in the conversation.
This convergence should make it easier for lawmakers to come up with a set of data privacy laws that give a large number of stakeholders the majority of what they want, while disappointing the fewest people. While the industry may be preparing for such a law, it is not holding its breath that Congress will adopt something in the near future, due to the political deadlock in the House and Senate.
However, the industry can’t afford to wait for regulations to come from Washington DC or state capitals before moving on with big data analytics and AI/ML projects. That’s why companies are moving forward with their own data governance initiatives even without the clarity that regulation can bring.
“It simply came to our notice then. They shape opinions. It certainly helps to provide a standard,” says Ganesan. “We need a common guide. But if you look at PCI or other regulations, it’s just the industry that is coming together and setting a much broader standard.”
As with the Payment Card Industry Data Security Standard (PCI DSS), companies can come up with data governance and privacy standards on their own, perhaps through industry groups and consortia. This will lead the way when it comes to data governance guidelines without government assistance.
Market forces are already involved in the challenges of data governance and confidentiality. “I saw the world’s Apples taking the lead and really leading part of the conversation,” says Ganesan. “Some of the larger organizations have taken the initiative and said, hey, how can we turn privacy into a differentiator?”
In the long run, however, the data industry would benefit from a national law. Ganesan says it appears that US companies have accepted California’s privacy laws, which have been largely modeled on the GDPR. The industry would probably welcome a national law that would impose these data privacy standards in all 50 states.
“Right now, as technologists, we are looking for the minimum things that come from the government,” says Ganesan. “We don’t even look for them to be really aggressive - we just set minimum standards.”