ESG analysts discuss how to manage compliance, data privacy
ESG analysts offer three recommendations for effective data governance: good C-level and IT leadership, visibility into your infrastructure, and an understanding of the cloud architecture so that policies and procedures move with the data.
Data privacy and compliance programs are considered mature in most organizations, but the landscape is changing as new regulations and distributed environments make the tasks more challenging, according to new research on the state of data privacy and compliance from Enterprise Strategy Group (ESG), a division of TechTarget. ESG analyst Vinny Choinski, who covers data management, data protection and data governance, surveyed 304 midmarket and large enterprise IT and business professionals knowledgeable about data compliance and privacy programs across the U.S. and Canada.
Businesses understand the importance of meeting compliance obligations and are planning to invest accordingly. The research revealed most organizations plan to increase spending on privacy-enhancing technology over the next 12-18 months. At the same time, with more regulations and more frequent compliance audits, businesses need to be aware that the costs of noncompliance can be wide-ranging and include legal costs, recovery costs and penalties.
The amount of sensitive data moved to public clouds is expected to double over the next two years, but more than half of survey respondents said they believe notable portions of sensitive data stored in public cloud services are insufficiently secured. Respondents also said public cloud data loss can be attributed to human error and unintentional actions, as well as the increase in remote work.
Tune in to the video to learn more as Choinski and ESG practice director Christophe Bertrand talk about managing data compliance, governance and privacy from an IT perspective.
Transcript
Christophe Bertrand: Hello, I'm Christophe Bertrand. I'm joined by Vinny Choinski, senior analyst at ESG, who is focused on intelligent data management and data governance. So, Vinny, thank you for joining me today in this conversation. I'd like to get your definition of data compliance, data governance and data privacy. What does that mean from an IT perspective?
Vinny Choinski: When you're talking to IT and IT operations, I consider data governance the higher level of all the elements. I think compliance and data privacy are components or elements under an overarching data governance title.
I think you're looking at making sure you manage risk with compliance and making sure you manage personal information correctly. There are a lot of things happening. There are a lot of regulations that are coming fast and furious. A lot of them are at the state level in the U.S., or the provincial or regional level. I think customers themselves want to deal with companies that they can be assured are handling compliance and their personal information correctly.
Bertrand: Companies are interconnected; it's a big ecosystem in the economy, by definition. So, compliance matters. When you think about it from an IT standpoint, pragmatically, what are we talking about? Are we talking about storage, software, SaaS? What does it entail?
Choinski: All of the above. Your sales application could have data. Initially, when people moved to SaaS, they thought just data protection was covered. But in fact, it's not. And just like you have to protect the data you put into SaaS, you have to manage the compliance with the data you put into SaaS. So, as you have regular on-prem IT, servers, sprawl and applications, you have storage, you have SaaS, you have cloud. In fact, cloud is becoming a big destination for a lot of sensitive data. And as a matter of fact, 52% of the people we surveyed said the cloud is making compliance, managing compliance and meeting their obligations harder.
Bertrand: This is very interesting also because of the critical and massive amount of data that's being created, and it seems to never stop. Let's take a look at the state of the market. Where are organizations today, based on your research, when it comes to preparedness and maturity for data governance, privacy and compliance?
Choinski: We recently did a survey. I think a lot of the initial feedback was on programs that have been in place for some time and programs that have been in the traditional data center. We got a lot of positive feedback. A lot of the programs, or the majority of programs, have been in place for over six years. A lot of folks have been investing in data compliance officers. I think 80% is the number that have data compliance officers. And a good majority of those have been in place for over a year. They've been in place for a while, and I think they've done a good job so far managing compliance, managing regulations and managing personal information.
However, now we're starting to see a new dynamic -- the remote worker, data is distributed, it's going to the cloud. This is putting stress on the environment. In fact, there is data loss that's happening now with data that's being moved to the cloud. I don't think a compliance officer would have said that in an environment that was an on-prem-type solution from the past. So, though we're getting a pretty good picture right now, I think the stresses are starting to show in existing programs, and the new environments are starting to cause some problems.
Bertrand: It seems we're really in a market that, while it's sort of established and people developed best practices in IT and use technologies that seem to work to a large extent, at the same time, it's about to pivot to its next phase with a lot of unknowns. So, thinking about what you're seeing here and with this next phase coming up, are there any recommendations you would give IT professionals? Maybe give us your top three recommendations. What are the three things or initiatives that they should consider as they think about data governance?
Choinski: I'm really excited to see the data compliance officer become part of the picture because I think a lot of people involved in compliance or governance programs want to see sponsorship at the C-level, especially IT folks. And I think they want the visibility to go up to that level. The programs are starting to be managed from the top down, meeting the business requirements.
One, having good leadership at the top at the C-level and IT is important. Two and three are having the visibility into your infrastructure and then having an understanding of the cloud architecture. So, when you move data to the cloud, you can move your policies and procedures and execute against them. I think as environments become distributed, that's important.
There's one last piece; I think it probably showed up with the pandemic and people being remote. There's a large number of people who are full-time employees who have access to sensitive data in their organization. They may not have access to everything. But as regulations get tighter, I think who has access to data has to be looked into. Investing in personal information management tools is actually expected to outpace security in general.
Bertrand: We talked about a lot of things here: privacy, compliance, and within the context of governance, IT infrastructure, including on premises and cloud. If you project yourself three or four years ahead, what do you think this architecture for successful governance will look like? Is it going to be more integrated with cybersecurity processes? Is it going to merge with data protection? Is it going into more of a data focus with analytics? What's your take?
Choinski: Well, I think the analytics are important. Whether that comes from security or data protection or just data management. I think data management plays a critical role. And they have to make sure they're managing their data correctly. Now that could extend into the legal department and the compliance department of an organization. In fact, we see a lot of the most successful programs coming from people who have been involved in document management over time in the organization. They apply these sound policies. I think the key is to have the right policies in place, then understand whether you have shortcomings in your technology -- whether that's data protection, whether that's data management, whether that's security -- then how they all integrate together.
That's another key component of having a compliance officer to kind of be the point figure inside the organization to look at it from a holistic view from the top down, or all the components.
I think we're going to be seeing a little bit of a struggle with the distributed environments for a period of time. Then, as people start to get their hands on how they're managing that and starting to apply their sound policies, then we should be back to a place where our initial survey showed -- that things are looking good, that the programs have been in place for a long time, there are privacy offices in place, things like that.
Bertrand: Great. Well, thank you so much, Vinny, for joining us.
Choinski: It was a pleasure.