A Culture Shift on Data Privacy

(Valery Brozhinsky/Shutterstock)

It’s been four years since GDPR went into effect in Europe, and the United States is still without a national data privacy and security law. Nevertheless, American companies are moving to adopt better data governance policies even without regulatory guidance or prodding at the national level, experts say.

Balaji Ganesan, the CEO and founder of Privacera and a committer and formerly the founder of XA Secure (acquired by Hortonworks), has been in the data access trenches for decades. As a PMC member of Apache Ranger project, Ganesan helped keep Hadoop data on the straight and narrow, which was no easy task.

Now, as big data has exploded to the cloud and the democratization of data is well underway, he sees a consensus brewing at the board level when it comes to taking the steps necessary to ensure that data is protected and that it’s not abused, while simultaneously enabling internal stakeholders to make progress with big data projects.

“Privacy and governance have become board-level topics in companies. They have become very serious about hey, we need to know where our sensitive data is and also make sure data is being used for right purpose and by right people in the company,” Ganesan says. “It’s kind of an industry and a cultural shift that is happening…which is fantastic.”

Data governance has become a board-level discussion

There were some companies practicing good data governance four or five years ago, and they tended to be larger companies, Ganesan says. A lot of that was driven by GDPR and the California Privacy laws, all of which carry penalties for companies that abuse data, and which got the attention of the boards of directors of large companies.

But now companies of all sizes are starting to embrace the cause of data governance, and that’s a good thing. There is also more awareness among consumers about the way companies have collected and analyzed data. That awareness is bubbling up to the companies, who are listening.

“In 2022 there’s more awareness for privacy than ever before,” Ganesan says. “So things are going in the right direction. We just hope it accelerates.”

Dual Mandate

Privacera is one of a handful of software companies seeking to empower companies to control who can access data wherever it resides across their organization. Considering the large (and growing) number of data silos and the proliferation of data-consuming personas within enterprises, that’s a considerable challenge.

That also puts Privacera squarely in the middle of the conversation about what data people should have access to, and what they should be allowed to do with the data. Many products can provide monitoring capabilities broadly across IT, but Privacera goes beyond that to provide an enforcement point for data access policies.

The need to play offense and defense with data is what Ganesan calls a “dual mandate” for data. On the one hand, big data can be a differentiator, helping to drive profits and market share and lower market risk. But data can also be a liability if it’s not protected and secured. Those dual mandates can be at odds with each other if not handled well. The key is to find the happy medium and deliver some of both.

“It’s not a zero-sum game. You don’t have to lock down your data and say nobody touches it,” Ganesan says. “And we don’t have to be the Wild Wild West in terms of everybody gets access to everything, and it’s an open culture. We’re are saying, hey, we can do both. You can have privacy and governance and leverage the data.”

Basic Governance Needs

What consumers want when it comes to data is pretty basic, Ganesan says. “We need to know where the data is being used, we need to have some awareness of it, and it should not be used for purposes beyond what you’ve given approval for,” he says. That’s it.

If companies are meeting those basic minimum standards when it comes to the consumer data they collect and maintain, then consumers would be pretty happy. The good news is that it appears that most companies are on board with adhering to these basic principles, Ganesan says. In other words, the overall data culture is converging on a set of core policies, which is a good thing for all stakeholders in the conversation.

That convergence should make it easier for lawmakers to come up with a set of data privacy laws that give a large number of stakeholders most of what they want, while disappointing the fewest number of people. While the industry is perhaps ready for such a law, don’t hold your breath that Congress will pass anything in the near future, thanks to political gridlock in the House and Senate.

However, the industry can’t really afford to wait for regulation to come from Washington D.C. or the state capitols before moving forward with big data analysis and AI/ML projects. That’s why companies are moving forward with their own data governance initiatives even without the clarity that regulation can bring.

“Regulations help. They shape opinions. It certainly helps providing a standard,” Ganesan says. “We need a common guideline. But if you look at PCI or other regulations, it’s just the industry getting together and establishing a much broader standard.”

Just like with the Payment Cardholder Initiative Data Security Standard (PCI DSS), there is the potential for companies to come up with data governance and privacy standards by themselves, perhaps through industry groups and consortiums. That will move the ball forward when it comes to data governance guidelines, without the help of government.

Market forces are already being brought to bear on the data governance and privacy challenges. “We’ve seen the Apples of the world taking initiative and really driving some of the conversation,” Ganesan says. “Some of the larger organizations have taken initiatives and said, hey, how can we enable privacy as a differentiator?”

In the long run, however, the data industry would benefit from a national law. Ganesan says it appears that American companies have accepted the California privacy laws, which was modeled in large part on GDPR. The industry would probably welcome a national law that enforces those data privacy standards across all 50 states.

“Right now, as technologists, we are looking for the bare minimum things coming from the government,” Ganesan says. “We’re not even looking for them to be really aggressive…just setting minimum standards.”

Related Items:

The Rise and Fall of Data Governance (Again)

Finding the Data Access Governance Sweet Spot

Security, Privacy, and Governance at the Data Crossroads in ‘22