The concept of “Data” as a raw material on which a certain business can be built gives rise to a discussion on how “Data” can be made more productive and more useful for an organization.
In the context of Data Protection, we always look at one dimension of “Data”, namely how the Data may be compromised and how we can prevent such compromise. In defining “Compromise” we need a benchmark against which “Compromise” can be measured, and this includes certain measures of “Data Governance” such as
a) How Data can be classified
b) How to collect only such data that is required so that every element of data collected has a specific purpose and use. (Purpose limitation)
c) Who needs to access data (Need to know basis)
d) How to avoid unnecessary data lying around the company occupying resources (Storage limitation) etc.
We may observe that the above aspects of Data Governance are covered under the Data Security regime under the principles of Data collection and processing. Additionally, other aspects of security and destruction are part of Data Security.
The Data Security requirements are codified into a “Framework” under various approaches such as the ISO27701, BS 10012 or PDPSI.
If we look at “Data Governance Framework” as a different concept, it appears that the significant difference is that a “Data Governance Framework” should consider “Data” as a raw material for business and the Governance Framework should enable the Company to use “Data” productively.
“Productivity” therefore becomes the principal objective of Data Governance while “Security” is the principal objective of Data Security.
This does not mean that Governance does not involve Security or Security does not have to factor in the “Context” of why Data is being used by an organization.
Data Governance and Data Security are therefore related and complementary to each other.
Productivity and Security however indicate that there could be some conflict. “Security”, in the framework of Privacy protection for example, restricts the use of available data only to the extent of the available “Consent”, which is “Purpose specific”. If a company is in possession of certain data which can be productively used for a purpose other than what the consent has permitted, then under the Data Security regime, the data cannot be used for the alternate purpose unless the consent is modified. This delays the productive use and often prevents the alternate use if the data subject refuses additional consent or is otherwise not available for a response.
Most companies which had a vast amount of personal data in their possession before the GDPR kicked in on 25th May 2018 had to simply discard the data, unmindful of the cost at which it had been acquired earlier and the use that it possessed subsequently. A similar situation will arise in India also when PDPA becomes effective from a specified date.
This is a case where “Security” shoots down productivity mercilessly.
As far as a “Collector” of personal data is concerned (e.g. a Digital Marketing Company), it would be more productive to collect a set of personal data once and distribute it to a number of data controllers. This is like software frameworks/components which are re-usable. But the Data Protection regulations prevent the collection of data for one purpose or controller/processor and its use for a different purpose for a different controller/processor. Here again productivity is sacrificed for the purpose of “Data Security”.
There could be many more such instances where Data Security prevents the productive use of Data.
One escape route that the Data Protection regulations provide to overcome the restrictions is when the personal data is “Anonymized”. “Anonymization” needs to be distinguished from “Pseudonymization or De-identification” which is referred to in GDPR.
Indian regulation (PDPA) provides a legal definition of “Anonymization” as an “Irreversible process” by which identifiable personal data is stripped of its identity parameters in such a manner that it cannot be re-identified.
As regards the “Data User” industry such as the “Big Data industry”, some of the requirements do not require the identity parameter and hence “Anonymization” may release the identifiable personal data collected under a “Consent” for purposes outside the “Consent terms”.
The “Data Governance Framework” needs to explore the possibilities of how Data collected with a restrictive consent can be used more productively. Hence “Anonymization” would be one of the strategies that the Data Governance Framework needs to debate and establish standards for.
The second aspect of “Data Governance” is “Productive processing of the identifiable data itself”. This would require precision classification of data, centralized storage, pseudonymization, efficient access systems etc.
Hence the Data Governance Framework has a role for identifiable data as well as anonymized data.
The challenge in developing non-conflicting, mutually supporting frameworks for Data Governance and Data Security is to delicately balance “Productivity” with “Security”.
This would also provide an interesting battle in organizations in future between “Data Management Professionals” and “Data Security Professionals”. The IIMs of the future will therefore have to update their curriculum from a study of E-Commerce to a study of “Governance of Data”, which includes Data Security and how to manage the conflicts between Data Security and Data Productivity.
In developing standards we should work on whether we can combine Data Governance and Data Security into a single framework instead of proliferating the standards. The approach of ISO or BS would of course be to introduce new standards for Data Governance, but in India we need to work on how we can make PDPSI work as an integrated standard of Data Governance and Data Security. Further research is required in this direction.
(Invite comments for debate)