Last month we outlined a five-step approach for better security and compliance. Now we would like to take you on a journey, each month performing a deep dive into one of those five steps, to help you understand how to implement them in your own data access control strategies. The first topic on the table is: ‘Clearly Define Responsibility for Digital Data.’

When data is the cornerstone of modern business operations, it’s crucial for organisations to establish clear guidelines and responsibilities for its management. You wouldn’t open an office building without making someone responsible for overseeing its proper and secure operation, and the same must be said of your digital assets.

Corporate Digital Responsibility (CDR)

One framework for defining digital data responsibilities is Corporate Digital Responsibility (CDR), as described in a 2023 paper in ‘Sustainability’, an international, peer-reviewed, open-access journal. CDR goes beyond mere rhetoric; it’s a fundamental principle that underlies ethical business practices in the digital age. The authors of that paper identified two main categories to be considered.

  1. Corporate Digitized Responsibility: This includes unbiased data acquisition, data protection, and data maintenance.
  2. Corporate Digitalized Responsibility: This involves appropriate data interpretation, objective predicted results, and tackling value conflicts in data-driven decision-making.

The paper goes on to highlight some of the key risks you should be aware of when defining responsibility within your digital ecosystem:

  1. Unbiased Data Acquisition: The process of collecting data can be biased, which can lead to skewed or inaccurate results.
  2. Data Protection: Protecting the data collected is a significant challenge. Breaches can lead to loss of sensitive information.
  3. Data Maintenance: Ensuring the integrity and accuracy of data over time is a crucial responsibility.
  4. Appropriate Data Interpretation: Misinterpretation of data can lead to incorrect conclusions and decisions.
  5. Objective Predicted Results: Predictions based on data should be objective and unbiased.
  6. Tackling Value Conflicts in Data-Driven Decision-Making: Balancing different stakeholders’ values when making decisions based on data can be challenging.

By embracing CDR as a framework for digital data responsibility, organisations can build trust with customers and stakeholders while mitigating the risks associated with data misuse or breaches.

Regulatory Compliance and Data Responsibility

The regulatory landscape surrounding data can be overwhelming, but we can use the frameworks established by legislation such as the General Data Protection Regulation (GDPR) to further guide us in establishing a robust data access control strategy that aligns with legal requirements. GDPR sets out seven principles for processing personal data:

  1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to individuals.
  2. Purpose limitation: Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data minimisation: The data collected should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: Personal data should be accurate and, where necessary, kept up to date.
  5. Storage limitation: Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and confidentiality (security): Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
  7. Accountability: The data controller should be responsible for, and be able to demonstrate compliance with, the above principles.

Data Innovation and Artificial Intelligence

Artificial Intelligence (AI) has transformed the way businesses leverage data, driving innovation across many sectors. However, the success of AI applications hinges on the quality and integrity of the underlying data, and that requires dedicated and expert oversight inside your business. Tasking someone with direct responsibility for data quality initiatives will help ensure the reliability and accuracy of AI-driven insights.

Gartner has identified closing the trust gap in AI accountability and data responsibility as one of the key factors driving the near-term success of these innovations.

According to Svetlana Sicular, research vice president at Gartner, “Increased trust, transparency, fairness and auditability of AI technologies continues to be of growing importance to a wide range of stakeholders. Responsible AI helps achieve fairness, even though biases are baked into the data; gain trust, although transparency and explainability methods are evolving; and ensure regulatory compliance, while grappling with AI’s probabilistic nature.”

Data Access Control in Data Management

Effective data management starts with robust access controls that block unauthorised access without hindering the workflow of those who legitimately need access in a timely and secure manner. As discussed in this article on DATAVERSITY, a popular learning portal, this is one of the most important components of your data access management strategy.

The goal is to define a hierarchy of access rights by applying the principle of least privilege (PoLP), in which a user is given the minimum level of access necessary to complete their job functions, and nothing more.

To achieve this, role-based access control (RBAC) forms the cornerstone of access management, enabling organisations to assign specific privileges to roles and then to users according to their responsibilities. Combining PoLP and RBAC minimises the risk of data exposure by limiting each user’s access to only the information necessary for their duties. Two practical caveats: the policy should deny by default, so that a role that is misspelt or never defined grants nothing rather than everything; and because job functions drift over time, role memberships and the permissions behind them should be reviewed periodically (an access recertification), with permissions that are held but never exercised being the first candidates for removal.
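The following Python sketch is an added example, not code from this page or from the DATAVERSITY article, showing what the combination of RBAC and least privilege looks like in practice: a deny-by-default permission check, roles as the only source of privileges, and a simple audit that lists permissions a user holds but has never actually used, which is the input an access review needs. The role names, resource names (such as warehouse:orders and crm:customer_pii) and users are constructed for the example and are not from the original text.

```python
"""RBAC with least privilege: deny-by-default checks plus an audit that flags
role permissions a user has never exercised (added example, not from the page).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Set, Tuple


class Action(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    EXPORT = "export"


# A permission is a (resource, action) pair. Resource names use a simple
# "system:dataset" convention; every name in this file is constructed.
Permission = Tuple[str, Action]


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)


class AccessPolicy:
    """Deny-by-default policy: access is granted only when a role the user
    holds explicitly contains the (resource, action) permission."""

    def __init__(self) -> None:
        self._roles: Dict[str, Role] = {}
        # (username, resource, action, allowed) for every decision taken
        self._audit_log: List[Tuple[str, str, Action, bool]] = []

    def define_role(self, name: str, permissions: Set[Permission]) -> Role:
        role = Role(name, frozenset(permissions))
        self._roles[name] = role
        return role

    def effective_permissions(self, user: User) -> FrozenSet[Permission]:
        """Union of the permissions of every *defined* role the user holds."""
        perms: Set[Permission] = set()
        for role_name in user.roles:
            role = self._roles.get(role_name)
            if role is None:
                # An unknown or misspelt role grants nothing: deny by default.
                continue
            perms |= role.permissions
        return frozenset(perms)

    def is_allowed(self, user: User, resource: str, action: Action) -> bool:
        """The single enforcement point; every decision is logged."""
        allowed = (resource, action) in self.effective_permissions(user)
        self._audit_log.append((user.username, resource, action, allowed))
        return allowed

    def unused_permissions(self, user: User) -> FrozenSet[Permission]:
        """Least-privilege review: permissions the user holds but has never
        successfully exercised. These are the first candidates for removal
        at the next access recertification."""
        used = {
            (resource, action)
            for (username, resource, action, allowed) in self._audit_log
            if username == user.username and allowed
        }
        return frozenset(self.effective_permissions(user) - used)


def build_demo() -> Tuple[AccessPolicy, User, User, User]:
    """Constructed roles and users used to exercise the policy."""
    policy = AccessPolicy()
    policy.define_role("analyst", {
        ("warehouse:orders", Action.READ),
        ("warehouse:catalog", Action.READ),
    })
    policy.define_role("steward", {
        ("warehouse:orders", Action.READ),
        ("warehouse:orders", Action.WRITE),
        ("crm:customer_pii", Action.READ),
        ("crm:customer_pii", Action.WRITE),
    })
    alice = User("alice", {"analyst"})
    bob = User("bob", {"steward", "analyst"})
    carol = User("carol", {"admin"})  # "admin" is never defined: no access
    return policy, alice, bob, carol


if __name__ == "__main__":
    policy, alice, bob, carol = build_demo()
    print("alice reads orders:", policy.is_allowed(alice, "warehouse:orders", Action.READ))
    print("alice exports PII:", policy.is_allowed(alice, "crm:customer_pii", Action.EXPORT))
    print("bob writes PII:", policy.is_allowed(bob, "crm:customer_pii", Action.WRITE))
    print("carol (undefined role) reads orders:", policy.is_allowed(carol, "warehouse:orders", Action.READ))
    print("bob's unused permissions:", sorted((r, a.value) for r, a in policy.unused_permissions(bob)))
```

The point of `unused_permissions` is that least privilege is not a one-off design decision: the audit log of allowed decisions tells you which of a role’s grants are actually needed, and anything never exercised over a review period should be questioned.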

Master Data Management (MDM)

Master Data Management (MDM) plays a crucial role in ensuring data consistency and quality across the enterprise, so it’s important to bake this idea into the foundations of your data access control strategy. By centralising and standardising critical data assets, MDM empowers organisations to maintain a single source of truth, thereby enhancing operational efficiency and decision-making accuracy. Effective MDM practices encompass data governance frameworks, validation processes, and ongoing monitoring to uphold data integrity and reliability.

As well as the security benefits, structuring your data in this way will give you real-time access to accurate insights, helping prepare your business for the unknown twists and turns of a constantly changing world. According to this article on Reltio, “a great example of how insight-ready data was critical to success was during the global pandemic. When companies needed to pivot quickly to changing consumer behaviour, the companies with master data management best practices in place were confident in the insights they were monitoring on a daily basis and pivoted faster”. 

Six Important Questions when Defining Data Responsibility

  • What is Data Governance? Data Governance is a strategic program for optimising the way a business deals with data. It aims to organise and improve the policies and procedures a company uses to define, collect, store, secure, manage, and monetize business data.
  • What goes into Data Governance? Data Governance involves people, processes, and information technology. It evaluates and redefines roles and responsibilities, augments policies to improve communication and sharing between departments, defines and expands access to business-critical data, and standardizes data collection and handling practices to ensure the quality and consistency of your company’s data.
  • Are we prepared for a data breach? To ensure effective incident response, it is important to have well-documented processes in place. Regular security drills can help teams practice handling data breaches and improve their abilities to respond in the future.
  • Do we have an incident response plan in place to handle a breach? Having an incident response plan is essential for preparing, identifying, containing, and recovering from a security incident.
  • Do we know how, when, and whom to notify in the event of a breach? Failure to report a data breach can result in severe financial consequences. It is crucial for the incident response team to understand the breach reporting rules imposed by the data privacy laws that apply to you; under GDPR, for example, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it.
  • Do we know where our most high-risk data is? To accurately assess the potential impact of a data breach, it is crucial to maintain an inventory of the data assets your organisation holds, where they are stored, and who is responsible for each of them.