Our movement through the digital space doesn’t go unnoticed. On the contrary, our digital footprints are all over the internet, and companies use them to offer their products or services. But if they want to operate legally, businesses must comply with data privacy regulations.
That’s why the most reputable companies and those aspiring to become such pay a lot of attention to data governance.
In this episode of Identity Revolution, Infutor’s host Eric Gastevich welcomes Christine Frohlich, the Head of Data Governance at Verisk Marketing Solutions. The two discuss data governance and its three core elements – processes, technology, people – existing and upcoming data protection regulations, and resources that can help companies use data to build trust and credibility and drive business growth.
What Is Data Governance?
“Data governance is not a one size fits all approach. So every company is going to have a slightly different variation on what they believe data governance is and how they organize their company around it.
But if we get to the heart of what data governance is, it’s about making sure there is a dedicated framework in your business to have the right people, the right processes, and the right technology in place to make sure the data that you’re working with and have in your business is discoverable […] and that the data ultimately is being used properly.
And when I say properly, that’s in consideration of some state privacy regulations. We’ve seen some of the existing federal regulations, but also the contractual requirements between the data buyers and the data sources.
Companies Must Modify Their Privacy Programs to Comply With State-Specific Data Regulations
“Most marketers in our industry have heard about CPRA, which is California’s extension of CCPA. But there’s also been a handful of other state privacy bills that have passed and will have effective dates in 2023. So the state of Colorado, Connecticut, and even Utah.
One of our challenges as an industry that we’re facing is that each of these five state comprehensive privacy bills is unique. We are starting to see a few consistencies emerge. A blueprint is emerging, but the specific requirements under each of those are different.
And so, again, that creates some of the challenges we’re facing in the industry today. So, for example, the original CCPA did not have a consumer right ‘to correct.’ If we look at CPRA, Colorado, Connecticut, and Virginia, those bills do have a right ‘to correct.’ And so I think what that means is we’re gonna need to modify our privacy programs, and we’re gonna need to make sure we set up new operations to meet this whole new set of requirements.”
The Top Concerns Around Data Governance
‘The first one we’ve talked about already is trying to manage all of the evolving state privacy laws. […] That’s important for marketers to avoid fines and litigation at the end of the day. […]
The second one is engaging the C-suite. Businesses are starting to understand the value, and that’s been driven by state privacy legislation. But one of the concerns I see in the space and with businesses across a whole host of industries is they’re not putting enough resources into data governance. They’re expecting their existing staff to try to do this on the side, and that’s not gonna work. […] You’ve gotta engage the C-suite.
The third one is to leverage technologies. Technology is great, but it’s gotta be integrated the right way, and from a data governance perspective, I believe it’s essential. It needs to be implemented the right way, and you’ve gotta pick the right tools.”
A Piece of Advice for Companies That Might Be Behind on 2023 Adherence
“There are lots of law firms that specialize in privacy and have a multitude of step-by-step guides on how to get through the preparation process. […] I would tell everybody to think about the timeline that they have left and start to plot out how they want to attack the four essential phases of readiness.
So the first phase is a baseline gap assessment. […] What you want to do is look at those bills, the consumer rights, and the business obligations and start to map how your business is either adhering to those or, if you’re not, what the gap is. […]
The second phase is about design. So once you know what those gaps are, you’re gonna have to make some decisions on how you wanna close those gaps. And you’re gonna have to make sure you’re aligning the right resources to that as well. […]
And then, in that third phase, you can develop. […] So this is where you’re gonna start to make those modifications to your consumer request procedures to adapt to the new consumer rights. This is where you’re gonna make those changes to the consumer disclosure report formats to make sure you’re providing consumers transparency. […]
The fourth phase is around the launch. That should be the time where you’re thinking about improvement as well because whatever you build out needs to be able to scale for the future.”
[04:26] “My philosophy is that good data governance requires a holistic approach. So some companies are very focused on the more technical side, and others are more focused on the business side. From my perspective, good data governance covers both of them. And also, it’s building in the glue between those two things. Make sure that a business understands how it’s building controls and monitoring all of those processes. So not just writing down a policy, having your technical team program something, but making sure that you’re consistently going back and ensuring that those controls are effective and upheld.”
[13:15] “When I think about data governance, yes, we’re trying to make sure we understand all of the regulatory requirements, and we’re upholding all of those. But we’re also taking it a step further to think about how we would feel as consumers because we all are consumers. How would we feel about our data being used in that way? So it makes it a step beyond just what the legal requirement is and making sure that we’re proactively thinking about privacy by design and how we operate as a business.”
[20:33] “I’m a big proponent of developing a functional team dedicated to data governance. I’m seeing a lot of companies asking their existing compliance team, product management team, data management team, or security team to do data governance on the side after they’re done with their day job. That’s not going to scale, and it’s not going to provide the support needed for the future. So I think it’s essential that companies dedicate teams just focused on data governance.”
