Data Compliance: An Integral part of Business Analytics
Prashanth Southekal and Santhosh Raju
“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you will do things differently”
As data becomes the new currency of the world, new rules are being drawn for business analytics, and one of the key rules concerns data compliance. What exactly is data compliance, and how does it impact business analytics? In simple words, data compliance is compliance with laws and regulations, with business rules, and with ethics. Often, businesses capture data for legal and regulatory reasons. Compliance is also required when adhering to internal business rules and industry standards; these are typically the operational needs. Lastly, ethics in business are the moral principles that govern the behavior of the business when conducting business activity. In today’s data-driven world, where an increasing share of business decisioning is based on data, data ethics comes to the forefront as one of the key drivers for the business. Business ethics typically prescribes what a business ought to do, usually in terms of rights, obligations, fairness, and impact on society. In this backdrop, the data compliance framework for a business enterprise is as shown.
Most organizations treat compliance as an afterthought in analytics. Instead, compliance should be considered upfront and at all stages of an analytics project. No matter the size, industry, location, or level of profitability of an organization, compliance is one of the most important aspects of long-term subsistence and of being a responsible business. Today, businesses focus on the triple bottom line (TBL), an accounting framework covering social, environmental and financial aspects, in their commitment to sustainable development goals (SDGs). In this backdrop, if a business enterprise aspires to be a data-driven organization with SDGs, it ought to follow data compliance throughout the data lifecycle; if not, it will affect the very existence of the business itself.
Take for example Nexen, an oil company based in Alberta, Canada. When Nexen spilled over 30,000 barrels of crude oil in July of 2015 in Western Canada, the Alberta Energy Regulator (AER) ordered the immediate suspension of 15 pipeline licenses issued to Nexen due to a lack of maintenance data records. This is a lack of compliance data with respect to the regulations set by the provincial energy regulator. In 2017, hackers accessed hundreds of millions of customer records from the credit reporting agency Equifax. This is an example of a lack of compliance with security standards, as the company later spent $1.4 billion to transform its technology infrastructure. The Facebook–Cambridge Analytica data scandal resulted in Facebook losing $35 billion in market value following reports that Cambridge Analytica had unauthorized access to 50 million Facebook user accounts. This is an example of a lack of compliance with privacy regulations and data ethics by both Facebook and Cambridge Analytica. The bottom line is that if data is not managed, governed, and secured well, the business can suffer a massive financial loss and irreparable damage to the brand. Hence the analytics team should treat the compliance elements, i.e. compliance with laws and regulations, compliance with business rules and industry standards, and compliance with ethical aspects, as an integral part of business analytics.
So, how does a company realize or achieve data compliance in analytics? At the highest level, data compliance is the responsible and sustainable use of business data. While little or no data is a problem for a business, a lot of data is often also a problem if the compliance aspects are not addressed properly. The scale, pace, and ease with which analytics can be conducted in business today completely change the compliance framework of data management. In this regard, data considerations for compliant analytics can be addressed through three main capabilities.
Compliance with external mandates, for instance, means implementing laws on privacy, payments, the environment and other regulations. Data privacy concerns the proper handling of personally identifiable information (PII) with consent, notice, and regulatory obligations. If the business collects payments from credit cards, then adherence to the Payment Card Industry Data Security Standard (PCI DSS) is needed. The US Environmental Protection Agency (EPA) has standards for reducing greenhouse gas emissions, and oil companies are mandated to follow these EPA guidelines. The Sarbanes-Oxley (SOX) Act exists to protect investors from fraudulent financial reporting, and businesses have to present financial reports in adherence to the SOX Act.
Compliance with internal mandates is mainly about data security. Data security needs to be applied across multiple layers of the IT landscape, covering data both in motion (DIM) and at rest (DAR). This starts with understanding the flow of data, i.e. data lineage, and classifying data correctly based on its sensitivity, i.e. restricted, confidential and open. If the data is sensitive, one must then look at data protection measures such as access control, authorization management, encryption, network security, and database protection, to name a few.
While companies have the option of managing internal operational business processes and the associated data in their own way, they have little or no option on capturing compliance data. But when capturing compliance data, the business has to collect only what is mandated or required. For example, when collecting privacy-related data, the business should collect only what is required. If there is no need to know a person’s date of birth, then it should not be collected. This not only limits the sensitive data being held, but also saves the business the effort of protecting that data. Fundamentally, while data is an asset, it can be a liability as well, as seen in the data breach cases of Equifax, Capital One, Cambridge Analytica, Marriott Hotels, Target, and so on.
While the consumption of restricted data in the business is defined by laws and regulations, the consumption of confidential data or internal business data is defined by industry standards, internal business rules, and user roles. On industry standards, the UNSPSC is the commodity classification for doing business with companies like GE and Motorola. On internal business rules, for example, vendor purchase order data might be of interest to both the finance and the purchasing departments. In that case, purchase order data authorization should be done at the point of data capture, so that the right users are authorized to access the right data based on their role. This role-to-position (RTP) authorization ensures non-repudiation and traceability of data with respect to the proof of the origin of the data and the integrity of the data.
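The two preceding ideas, classifying each field as restricted, confidential or open and then enforcing minimization at capture and role-based access at read time, can be expressed in a few lines of code. The following is an added example written for this article, not code from the authors or from any product they describe; the field catalogue, the role clearances, the purchase-order record and the role names are all constructed for illustration. Traceability is provided by a hash-chained audit log that records who captured the data, what was dropped, and who read which fields.

```python
"""Classification-driven capture and access control with a tamper-evident audit trail.

Constructed example: field classifications, role clearances and the sample
purchase order are invented for illustration, not taken from any real system.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class Sensitivity(Enum):
    """Classification levels from the article, ordered open < confidential < restricted."""
    OPEN = 0
    CONFIDENTIAL = 1
    RESTRICTED = 2


# Field-level classification catalogue (constructed for this example).
FIELD_CLASSIFICATION = {
    "po_number": Sensitivity.CONFIDENTIAL,
    "vendor_name": Sensitivity.CONFIDENTIAL,
    "amount": Sensitivity.CONFIDENTIAL,
    "currency": Sensitivity.OPEN,
    "contact_email": Sensitivity.RESTRICTED,  # PII, governed by privacy law
    "contact_dob": Sensitivity.RESTRICTED,    # PII that this process does not need
}

# Data minimization: the only fields a given capture process may retain.
REQUIRED_FIELDS = {
    "purchase_order": {"po_number", "vendor_name", "amount", "currency", "contact_email"},
}

# Role-to-position authorization: the highest sensitivity each role may read.
ROLE_CLEARANCE = {
    "bi_viewer": Sensitivity.OPEN,
    "purchasing_clerk": Sensitivity.CONFIDENTIAL,
    "finance_analyst": Sensitivity.CONFIDENTIAL,
    "privacy_officer": Sensitivity.RESTRICTED,
}


@dataclass
class AuditLog:
    """Hash-chained log: every entry commits to the previous hash, so editing or
    deleting an earlier entry breaks verification of everything after it."""
    entries: list = field(default_factory=list)

    def _digest(self, prev: str, event: dict) -> str:
        payload = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = self._digest(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


def capture(process: str, record: dict, actor: str, log: AuditLog) -> dict:
    """Minimize at the point of capture and record the origin of the data."""
    unknown = set(record) - set(FIELD_CLASSIFICATION)
    if unknown:  # refuse data that has not been classified at all
        raise ValueError(f"unclassified fields cannot be captured: {sorted(unknown)}")
    allowed = REQUIRED_FIELDS[process]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(set(record) - allowed)
    log.append({"action": "capture", "process": process, "actor": actor,
                "record": kept.get("po_number"), "kept": sorted(kept), "dropped": dropped})
    return kept


def read(record: dict, role: str, log: AuditLog) -> dict:
    """Return only the fields whose classification the role is cleared for, and log it."""
    clearance = ROLE_CLEARANCE[role]
    visible = {k: v for k, v in record.items()
               if FIELD_CLASSIFICATION[k].value <= clearance.value}
    log.append({"action": "read", "role": role, "record": record.get("po_number"),
                "fields": sorted(visible), "withheld": sorted(set(record) - set(visible))})
    return visible


def demo() -> dict:
    """Constructed vendor submission carrying one field the process does not need."""
    submitted = {"po_number": "PO-1001", "vendor_name": "Acme Ltd", "amount": 1250.0,
                 "currency": "CAD", "contact_email": "buyer@example.com",
                 "contact_dob": "1980-01-01"}
    log = AuditLog()
    stored = capture("purchase_order", submitted, actor="vendor_portal", log=log)
    views = {role: read(stored, role, log) for role in ROLE_CLEARANCE}
    return {"stored": stored, "views": views, "log": log}


if __name__ == "__main__":
    result = demo()
    print("stored:", result["stored"])
    for role, view in result["views"].items():
        print(f"{role:17s} sees {sorted(view)}")
    print("audit log intact:", result["log"].verify())
```

Running `demo()` drops `contact_dob` before storage, lets the BI role see only the open `currency` field, lets purchasing and finance see the confidential order fields but not the e-mail, and produces an audit log whose `verify()` fails as soon as any earlier entry is altered. The hash chain gives tamper evidence, which is what traceability needs; strict non-repudiation additionally requires each entry to be signed with a key that only the recording actor holds.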
Transparency in the context of data compliance means building education and awareness on handling data in the business. Business stakeholders should have a clear understanding of how business data is extracted, migrated, and transformed, i.e. how data lineage exists across IT systems. Data lineage covers the data’s origin, what happens to the data, and where the data moves over time. Transparency also concerns the way data and insights are shared within the business. For example, privacy does not mean secrecy, i.e. that the data must never be shared. Privacy data obtained from a person should be shared only with their consent and should not be exposed for use with any traces to their identity. Similarly, sensitive data (asset, financial or locational data) needs restrictions on whether and how it can be shared. While aggregate data, which is used in BI (Business Intelligence) systems, can have a broad level of access, granular data, which is used in the transactional systems, should be mapped to the right business roles and positions.
Even though data is a business asset and a key component of analytics, the compliance aspects, if not managed well, can limit the use of data in analytics. If data compliance issues are not addressed adequately, data analytics will bring many of them to the surface, especially when companies begin leveraging their data for purposes different from those for which it was initially collected. Data compliance is an integral part of any successful and responsible analytics rollout. It needs to be driven by the business sponsor of the analytics programs and should be one of the key charters of the Chief Data Officer (CDO).
About the Authors
Prashanth Southekal is the Managing Principal of DBP-Institute, a data analytics and metrics firm. He has consulted for over 50 organizations, including P&G, GE, Shell, Apple, SAS, and SAP, and solved problems at the intersection of data, technology, and business productivity. Apart from his consulting assignments, he is a Strategic Analytics Advisor to SAS-Institute (Western Canada) and Grihasoft (India). Mr. Southekal is the author of the book Data for Business Performance and is adjunct faculty of Data Analytics at the University of Calgary (Calgary, Canada) and IE Business School (Madrid, Spain).
Santosh Raju is a consulting and practice leader with over 20 years of experience providing data analytics, connected and digital solutions. He brings extensive experience in shaping and delivering innovative solutions across various industry verticals and advising Fortune 2000 customers. He is a speaker at several industry events and an advisor to several start-ups. Santosh lives in London, United Kingdom (UK).