Information governance 101: The regulatory compliance survival kit
Data provenance
The preceding methods enable organizations to comply with regulations. Data provenance, however, provides the vital distinction of enabling the enterprise to “prove” compliance—which becomes essential in the event of an audit. Metadata is the first form of traceability for data’s journey throughout the enterprise. However, when tracing all of the inter-system complexities associated with regulations, graph settings are useful for specifying “where each piece of information came from and how it changed over time,” Aasman noted. Relationship-sensitive graph settings are ideal for visualizing the lineage of how systems interact, so that an organization can understand who altered information and how. The utility of this approach to data lineage is multifaceted.
Organizations can leverage these clear visualizations to remediate any compliance issues; the visualizations also serve as a fertile means of depicting information for regulators to demonstrate adherence. Assembling graphs of social media interactions allows such organizations “to keep track of everything their users ever did,” Aasman noted. This capability is necessary for fulfilling information requests about customers. When customers want organizations to delete their data, this approach enables companies to delete everything but keep all the links in the knowledge graph so that they can later show the information is now gone, Aasman explained. Blockchain can aid with data lineage by facilitating trusted provenance that’s easily demonstrable.
Centralizing regulatory knowledge
Enterprise architecture, data discovery, data profiling, and data cataloging let organizations know which information pertains to specific regulations. These measures are the blueprint for enforcing policy with access control, obfuscation, and aspects of segmentation. Data lineage is the means of proving compliance or fixing any issues related to it prior to costly audits. As a best practice, firms can optimize almost all of these measures by centralizing their various regulatory requirements into a single repository. Collocating knowledge about regulations delivers the following tangible advantages:
♦ Inter-regulatory understanding: Viewing requirements alongside one another is ideal for devising enterprise strategies for them. Contextualizing regulations with one another is necessary to rectify any conflicts between them, such as when one specifies deleting a customer’s information while another requires keeping it for several years. Aasman noted that fine-grained security filtering at the data level can resolve these situations by “making data unavailable for everyone so no application ever sees it, except the government, which gets a secret key to see the data.”
♦ Requirement clarification: Uniform data models that standardize the terminology and schema of various regulations are beneficial for providing capabilities to “express obligations, permissions, and prohibitions,” Hodgson added. “And, there’s more to it than that. There are waivers as well,” he said, noting it is important to understand the situations in which these things are waived.
♦ Automation: These data models that pair compliance information with requisite vertical knowledge for regulations are pivotal for operationalizing these repositories to see whether governance policies comply with regulations, including new or modified ones. Natural language processing can utilize information from these graphs to “automate or record the compliance of these documents,” noted Aasman.
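Two of the ideas above lend themselves to a small worked model: the data-provenance section describes honouring a deletion request by removing the data while keeping every link in the knowledge graph, so the erasure itself can later be shown to an auditor; the inter-regulatory bullet describes the conflicting case, where one regulation demands deletion and another demands retention, resolved by making the data unavailable to every application except a designated party. The following Python is an added example, not code from the article or from any product discussed in it. It uses a constructed in-memory lineage graph with made-up node ids (`cust:42`, `tx:7`, `sys:crm`) and models the “secret key” held by the privileged party as a simple allowed-roles check rather than real encryption; the class and method names are assumptions of this example.

```python
"""Lineage graph that survives erasure and supports restricted retention.

Added example (not from the article). All identifiers and records below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    node_id: str
    kind: str                                  # "record", "system" or "event"
    payload: Optional[dict]                    # None once the data is erased
    allowed_roles: Optional[Set[str]] = None   # None means no restriction


@dataclass
class Edge:
    src: str
    dst: str
    relation: str
    at: str                                    # ISO-8601 UTC timestamp


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class LineageGraph:
    """Nodes hold data; edges record where it came from and who touched it."""

    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.edges: List[Edge] = []

    def add_node(self, node_id: str, kind: str, payload: Optional[dict] = None) -> None:
        self.nodes[node_id] = Node(node_id, kind, payload)

    def link(self, src: str, dst: str, relation: str) -> None:
        self.edges.append(Edge(src, dst, relation, _now()))

    def erase(self, node_id: str, actor: str) -> None:
        """Deletion request: drop the payload, keep the node and all its edges.

        An 'erased_by' edge to an event node records who did it and when, so
        the graph can later prove the data is gone without holding any of it.
        """
        self.nodes[node_id].payload = None
        event_id = f"erasure:{node_id}:{len(self.edges)}"
        self.add_node(event_id, "event", {"actor": actor})
        self.link(node_id, event_id, "erased_by")

    def restrict(self, node_id: str, roles: Set[str], actor: str) -> None:
        """Conflict case: retain the payload but hide it from every role not listed."""
        self.nodes[node_id].allowed_roles = set(roles)
        event_id = f"restriction:{node_id}:{len(self.edges)}"
        self.add_node(event_id, "event", {"actor": actor, "roles": sorted(roles)})
        self.link(node_id, event_id, "restricted_by")

    def read(self, node_id: str, role: str) -> Optional[dict]:
        """Data-level filter: applications see nothing unless the role is allowed."""
        node = self.nodes[node_id]
        if node.payload is None:
            return None
        if node.allowed_roles is not None and role not in node.allowed_roles:
            return None
        return node.payload

    def history(self, node_id: str) -> List[Tuple[str, str]]:
        """Every edge touching the node, as (relation, other node id) pairs."""
        out = []
        for e in self.edges:
            if e.src == node_id:
                out.append((e.relation, e.dst))
            elif e.dst == node_id:
                out.append((e.relation, e.src))
        return out

    def is_erased(self, node_id: str) -> bool:
        """Audit check: node still present, payload gone, erasure event linked."""
        node = self.nodes.get(node_id)
        if node is None or node.payload is not None:
            return False
        return any(e.src == node_id and e.relation == "erased_by" for e in self.edges)


def build_demo() -> LineageGraph:
    """Constructed scenario: a customer record erased, a transaction put on hold."""
    g = LineageGraph()
    g.add_node("sys:crm", "system")
    g.add_node("sys:billing", "system")
    g.add_node("cust:42", "record", {"name": "Example Customer", "email": "c42@example.test"})
    g.add_node("tx:7", "record", {"customer": "cust:42", "amount": 120.0})
    g.link("cust:42", "sys:crm", "stored_in")
    g.link("tx:7", "cust:42", "derived_from")
    g.link("tx:7", "sys:billing", "processed_by")
    g.erase("cust:42", actor="privacy-office")          # deletion request honoured
    g.restrict("tx:7", roles={"regulator"}, actor="legal")  # retention vs. deletion conflict
    return g


if __name__ == "__main__":
    demo = build_demo()
    print("cust:42 erased:", demo.is_erased("cust:42"), demo.history("cust:42"))
    print("tx:7 as app:", demo.read("tx:7", "app"), "| as regulator:", demo.read("tx:7", "regulator"))
```

After `erase`, the customer node keeps its `stored_in` and `derived_from` edges, so the audit trail of which systems held the data survives while the data itself does not; `is_erased` is the check an auditor would be shown. `restrict` leaves the payload in place but makes `read` return nothing for any role other than the one named, which is the role-based stand-in for the key-holder arrangement described in the text.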
Ensuring compliance
It’s not only the number of information-handling regulations that is increasing; the severity of the penalties for failing to adhere to them is growing as well. Punitive measures include fines, litigation, loss of reputation, and more. Implementing effective information governance practices will enable any organization, regardless of industry, to fulfill its regulatory obligations. These methods provide a framework to understand what data pertains to which regulations, empowering companies to institute concrete measures to preserve data privacy, protect data assets, and show exactly how they were able to do so.