
What Are Data Governance Regulations?


Significant government regulations have changed the landscape for data governance, with far-reaching implications.

In this day and age, virtually every company on the planet understands the value of data. What has moved beyond most human comprehension, however, is the sheer amount of new data created every day that companies need to manage. According to Earthweb.com, that number is 2.5 quintillion bytes of data created every day. That’s where a robust data governance program becomes vitally important to an organization’s success. But there’s a difference between data governance policies and data governance regulations.

While data governance policies may be in place to ensure competitiveness and/or to improve data quality, data governance regulations are formal legal requirements outlining how consumer data can and cannot be used. This article will address the differences and outline the vital role data governance regulations play in your company remaining compliant and competitive.


Learn more about how to keep your own and your business's information secure with the Symmetry Systems guide, What Is Data Governance?

Data Management vs. Data Governance

According to Gartner, data management “consists of the practices, architectural techniques, and tools for achieving consistent access to and delivery of data across the spectrum of data subject areas and data structure types in the enterprise, to meet the data consumption requirements of all applications and business processes.” Whereas data management addresses much of the “what,” data governance relates to the “how” and “by whom.” In other words, data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”  

The goals of any data governance program are multi-faceted. Organizations need such programs to drive better decision-making, reduce costs and increase effectiveness, and reduce operational friction. But there are also strong compliance and risk-management goals at play. Risks include financial misstatement, accidental release of sensitive data, or over-aggressive collection of consumer data.

The Impact of Data Governance Regulations

The impact of data governance regulations extends well beyond the cost of compliance and the fines that hang in the balance. According to IBM’s “Cost of a Data Breach Report 2021,” the largest share of total breach costs is lost business, at 38%. “Lost business costs included increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.”

Examples of Data Governance Regulations

Many data governance regulations fall under the categories of health care, finance, and consumer privacy. Here are several regulations with which security professionals should be familiar:

Protected Health Information (PHI)

Protected Health Information (PHI) is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed while providing a health care service, such as a diagnosis or treatment. Significantly, for the 11th consecutive year, healthcare organizations experienced the highest average cost of a data breach.  

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act, known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). It was signed into law in 1996. HIPAA modernized the flow of healthcare information and stipulates how PHI maintained by the healthcare and insurance industries should be protected from fraud and theft. One of its major provisions was to prohibit healthcare providers from disclosing protected information to anyone other than a patient and the patient’s authorized representatives. HIPAA compliance is a complex process that health care organizations must build into their operations to protect the privacy, security, and integrity of protected health information.

Federal Risk and Authorization Management Program (FedRAMP)

As outlined by the U.S. General Services Administration, the Federal Risk and Authorization Management Program (FedRAMP) “is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP empowers agencies to use modern cloud technologies, with emphasis on security and protection of federal information, and helps accelerate the adoption of secure, cloud solutions.”

Clinical Laboratory Improvement Amendments (CLIA)

The Clinical Laboratory Improvement Amendments of 1988 statute is an amendment to the Public Health Service Act in which Congress revised the federal program for certification and oversight of clinical laboratory testing. Two subsequent amendments were made after 1988.

General Data Protection Regulation (GDPR)

Europe’s General Data Protection Regulation is described by GDPR.EU as “the toughest privacy and security law in the world.” Drafted and passed by the European Union (EU), it imposes obligations on organizations regardless of their location, so long as they target or collect data related to people in the EU. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros. GDPR was groundbreaking when adopted in 2016 (and enforceable from 2018) and has become a model consumer privacy law globally.

Children’s Online Privacy Protection Act (COPPA)

As outlined by the Federal Trade Commission, the Children’s Online Privacy Protection Act “imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.”

California Consumer Privacy Act (CCPA)

Enacted in 2018, the California Consumer Privacy Act gives consumers more control over the personal information that businesses collect about them. The CCPA secures new privacy rights for California consumers, including the right to know about the personal information a business collects about them and how it is used and shared, and the right to delete personal information collected from them.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002, commonly known as SOX, is a US law that mandates certain practices for record-keeping and reporting for corporations. Sarbanes-Oxley places strict rules on US public company boards of directors, management, and public accounting firms. Certain aspects of SOX also apply to privately held companies and prohibit the willful destruction of evidence to obstruct a federal investigation. The law was a reaction to a number of high-profile corporate scandals, including Enron and WorldCom.

This article only touches on a few of the fairly recent, and significant, data governance regulations that have been introduced worldwide. Understanding each is paramount, particularly since laws and regulations vary from country to country and even within some states, like California.

The best practice for multi-cloud data security compliance is to have a data storage plan. Data storage is one of the most crucial considerations for security and compliance in a multi-cloud environment. Most nations have data localization laws that prevent electronic records from being stored outside the country from which they originated — and new legislation emerges every year.

Symmetry Systems designed DataGuard to meet the complex demands of multi-cloud data compliance and data governance regulations. Whether mapping sensitive data, identifying risks, or enforcing least privilege, DataGuard helps all security teams govern cloud architecture at an object-level and at scale. To experience the value of DataGuard first hand, reach out. Our team will be happy to get you set up with a demo and address any questions you may have.