Where are your crown jewels?

June 2019 Commercial (Industry), Information Security, Security Services & Risk Management

We have all heard of the missing sock theories and conspiracies. We know for a fact that it went into the washing machine, but it has suddenly vanished. It has to be somewhere, but where? Such a minor occurrence can be irritating, so imagine extrapolating that scenario into the business world where no one knows the whereabouts and details of huge amounts of personal data.

Craig Rosewarne

Consider our humble sock (data) being part of a whole bundle of washing delivered to the laundromat. Once delivery has taken place, who assumes accountability for the whole load? Ultimately it has to be the owner of the business, the data owner. Other workers may take care of different parts (pants, shirts, dry cleaning, etc.) and they take on the roles of data stewards.

Understanding what data they store and analyse is gaining increasing urgency for organisations that are now accountable to new(ish) privacy regulations such as the EU’s General Data Privacy Regulation (GDPR) and our country’s Protection of Personal Information Act (PoPIA). Historically, companies have invested in various technologies to create an inventory of their physical assets (servers, PCs, etc.) but fell behind in the latest methods to find, map and inventory their data assets.

In simple terms, the purpose of the PoPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way. The PoPIA legislation basically considers your personal information to be ‘precious goods’ (content granularity) and therefore aims to bestow upon you, as the owner of your personal information, certain rights of protection and the ability to exercise control over ownership, processing, consent, reasons, purpose, access, removal, safeguarding and accuracy (See https://www.workpool.co/featured/popi for more information).

What are the basics needed to set up a data registry?

Create an inclusive list of what data is kept, where and why. Creating an enormous data warehouse will simply muddy already muddy waters. Continuously backing up huge amounts of duplicated data will severely hurt your storage capabilities and add to costs. It is far simpler, more realistic and more cost-effective to create the registry as an index-like map focusing on five functional and operational characteristics:

1. Content granularity: As discussed above.

2. Usage context: This requires operational, technical and business knowledge, such as who can access this data, which applications are consuming the data, which third parties have access to the data, what the purpose for collecting this data is, and whether the organisation has adequate consent to collect and process the data.

3. Data source coverage: Organisations need to create a process that covers both unstructured file shares and structured databases, big data, cloud, NoSQL, logs, mail, messaging, applications and more.

4. Ability to scale: Organisations gather and analyse tens, if not hundreds of petabytes of data. A petabyte of data is the equivalent of one million gigabytes. With increasing pressure to extract more value from data, this number is only increasing. A modern data registry not only needs to deliver an efficient index of data along with associated usage, but it must do so in a way that is scalable for a global enterprise.

5. Dynamic not static: Once a data registry is established, it is not the time to rest on your laurels. It must be anticipated that data could be moved or changed on a regular basis. The registry should also be able to self-update and reflect any changes in as near to real time as possible, to provide a clear, accurate picture of what data is kept where, when and who it belongs to. (See more at https://www.helpnetsecurity.com/2019/04/19/modern-data-registry/)

Enhancing the above ‘Data Governance 101’ will entail a further feature on its own. In summary, the crucial question is why this issue has become so vital to running a successful business. In the not too recent past, most companies, firms, practices and individuals had major problems in handling clients’ personal information. Remember filing cabinets groaning and bursting at the seams, personal files tattered and torn, document rooms with a rudimentary filing system that only allowed certain people with certain knowledge access?

Libraries, on the other hand, were (and still are) models of data governance. An experienced librarian could access the reading matter you needed in minutes thanks to the excellent Dewey Decimal Classification System. In brief, the no-brainer benefits are the following:

• Data sharing: Many people in a company work on the same project and easily finding a file you need and sharing it will be a load off your shoulders.

• Reusing data: Most documents can be sanitised and reused for many different projects with the minimal insertion of personal information and branding. It also helps eliminate unnecessary exchange of different versions of the same document.

• Analysing data: Management decisions rely on the analysis of data at hand to judge the direction a company is heading in. This is particularly the case in fast-growing small businesses, which can be caught short if the wrong choices are made.

• Backing up data: Speaks for itself. The damage a crashed hard drive can cause can be mitigated by data governance and simplified backups of data.

For more information contact Wolfpack Information Risk, +27 11 794 7322, [email protected], www.wolfpackrisk.com


