Chapter 6
Best Practice #5
Make Data Compliance an Integral Part of Analytics


“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you will do things differently.”

Warren Buffett


As data becomes the new currency of business, new rules are being drawn around business data analytics, and one of the key rules concerns data compliance. What exactly is data compliance, and how does it affect data analytics? In simple words, data compliance is the adherence of the data a business collects, stores, and uses to four kinds of requirements:

  1. Government Laws and Regulations. A law is a rule of conduct developed by the government or society over a certain jurisdiction. Regulations, on the other hand, are rules adopted by the government agencies that govern how laws will be enforced.
  2. Internal Business Rules. Business rules are statements that give businesses the criteria and conditions for making decisions. Business rules provide businesses the structure to control or influence the operation of the business.
  3. Industry Standards. Industry standards are a set of criteria within an industry related to the functioning of a business entity within that industry. In other words, industry standards are the generally accepted practices followed by the member companies of the industry sector. For example, due to the global nature of the automotive industry, numerous communication and document standards are in use, such as ANSI ASC X12 (the electronic data interchange standard of the American National Standards Institute) and EDIFACT (Electronic Data Interchange for Administration, Commerce, and Transport).
  4. Ethics. Business ethics are a set of moral rules that govern how businesses operate. Data ethics, which is driven by business ethics, prescribes what a business ought to do with data in terms of rights, obligations, impact on society, and fairness in business operations.

Why is this a best practice?

Data compliance, then, is compliance with government laws and regulations, industry standards, internal business rules, and ethics. What is the business impact of non-compliance on each of these four elements?

  1. Failure to comply with data laws and regulations can have serious consequences for both individuals and organizations, including fines, imprisonment, and disqualification from office. In 2019, France's data protection authority, the CNIL, fined Google 50 million euros under the GDPR for failing to properly disclose to users how their data is collected across services [Dunn, 2019].
  2. Non-compliance with industry standards can result in products and services that are not safe or reliable. For instance, road safety and secure medical packaging rely on compliance with ISO standards, and the data that demonstrates that compliance must be captured and retained.
  3. Non-compliance with internal business rules degrades the productivity of the company, because decisions are made on data that does not meet the criteria the business itself has set.
  4. Finally, unethical conduct of business operations damages the brand and the reputation of the company.

In addition, while data can be an asset, it becomes a liability when it does not comply with laws, internal business rules, industry standards, and ethics. The three cases below show data turning into a liability for the business.

Too much of a good thing can sometimes be a bad thing: while data can be a great business asset, it can quickly become a huge liability. Figure 6.2 shows the amount of quality data in the business against the actual performance of the business. Data is an asset only within a specific range: too little data impairs data-driven business performance, and too much data hampers business operations and inflates the compliance burden. If business data does not meet compliance requirements, the business can suffer massive financial loss, inefficient operations, and irreparable damage to its reputation, which can ultimately threaten the existence of the firm. Hence the data analytics team should treat compliance with laws and regulations, with industry standards and business rules, and with ethics as an integral part of business analytics. Take, for example, Nexen, an oil company based in Alberta, Canada. After Nexen spilled over 30,000 barrels of crude oil in July 2015 in Alberta, the Alberta Energy Regulator (AER) ordered the immediate suspension of 15 pipeline licenses issued to Nexen, citing the lack of maintenance data records. This is an example of non-compliance of data with the regulations set by the provincial energy regulator.

In 2017, attackers accessed the personal records of roughly 147 million people held by the credit reporting agency Equifax, entering through a known web application vulnerability for which a patch had been available for months but had not been applied. This is an example of non-compliance with the company's own security standards, that is, its internal business rules; the remediation afterwards cost Equifax about US$1.4 billion in security and technology transformation. The Facebook–Cambridge Analytica data scandal cost Facebook roughly US$35 billion in market value following reports that Cambridge Analytica had obtained, without authorization, the data of over 50 million Facebook users. This is an example of non-compliance with privacy regulations and data ethics by both Facebook and Cambridge Analytica.


Data Management is all about balance! Plan and then execute. Don’t rush!


Realizing the best practice

How can businesses ensure data compliance? At the highest level, data compliance is the responsible and sustainable use of data. While little or no data is a problem for the business, a lot of data is also a problem if compliance aspects are not managed properly. The scale, pace, and ease with which analytics can be conducted today completely change the compliance framework for data management. In this regard, data considerations for analytics compliance can be addressed through three main capabilities:

  1. Compliance to external and internal mandates
  2. Compliance to purpose
  3. Compliance to transparency

Compliance to external and internal mandates

If a company operates in a jurisdiction, it must follow the applicable laws and regulations, that is, the external mandates. Compliance with external mandates means adhering to laws on privacy, payments, the environment, and other government regulations. Data privacy concerns the proper handling of personally identifiable information (PII) with consent, notice, and regulatory obligations. If the business accepts credit card payments, it must adhere to the Payment Card Industry Data Security Standard (PCI DSS), which is not a law but a contractual industry standard enforced by the card brands and acquiring banks. The US Environmental Protection Agency (EPA) has standards for reducing greenhouse gas emissions, and oil companies are mandated to follow these EPA guidelines. The Sarbanes-Oxley (SOX) Act protects investors from fraudulent financial reporting, and businesses must present financial reports in adherence to it.

Compliance with internal mandates is mainly about data security, that is, ensuring that business activities are conducted securely. Data security needs to be applied across multiple layers, both for data in motion (DIM) and for data at rest (DAR), and increasingly for data in use. This starts with understanding the flow of data, that is, data lineage or data provenance, and classifying data based on its sensitivity: restricted, confidential, or open. For sensitive data, one must then apply protection measures such as role-based access control (RBAC), authorization management, encryption, network security, and database protection, to name a few. The classification is what decides which control applies to which data element, so a data element that has not yet been classified should be treated as restricted until it is.
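The following is an added example, not code from the book, of how the classification described above drives the controls: each data element carries one of the three sensitivity labels, a role may read only the fields its clearance covers, and restricted fields are pseudonymized with a keyed hash before they are stored. The catalog, the roles, the key, and the sample customer record are constructed assumptions for the illustration.

```python
"""Data classification, role-based read access and at-rest protection for
a customer record. Added illustration, not code from the book; the catalog,
roles, key and sample record are constructed assumptions."""
import hashlib
import hmac

# Assumed classification catalog: one sensitivity label per data element,
# using the book's three tiers. Anything not catalogued is treated as
# restricted so that an unclassified field fails closed.
CATALOG = {
    "customer_id": "open",
    "region": "open",
    "credit_limit": "confidential",
    "email": "restricted",
    "date_of_birth": "restricted",
}
LEVEL = {"open": 0, "confidential": 1, "restricted": 2}

# Assumed RBAC policy: the highest classification each role may read.
ROLE_CLEARANCE = {
    "marketing_analyst": "open",
    "credit_analyst": "confidential",
    "privacy_officer": "restricted",
}

# Constructed sample record and a constructed key (a real key comes from a
# key-management service, never from source code). "ssn" is deliberately
# left out of the catalog to show the fail-closed default.
SAMPLE = {"customer_id": "C-1001", "region": "AB", "credit_limit": 25000,
          "email": "alice@example.com", "date_of_birth": "1980-04-02",
          "ssn": "000-00-0000"}
KEY = b"constructed-demo-key-rotate-in-prod"


class AccessDenied(PermissionError):
    pass


def classify(field: str) -> str:
    """Sensitivity label of a data element; unknown elements are restricted."""
    return CATALOG.get(field, "restricted")


def protect_at_rest(record: dict, key: bytes) -> dict:
    """Pseudonymize restricted fields before storage with HMAC-SHA256.
    The keyed hash is one-way and stable for a given key, so it still
    supports joins and deduplication. Where the original value must be
    recoverable, use an AEAD cipher such as AES-GCM from a vetted library."""
    out = {}
    for field, value in record.items():
        if classify(field) == "restricted":
            out[field] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
        else:
            out[field] = value
    return out


def read_record(record: dict, role: str) -> dict:
    """Return only the fields the role's clearance covers. An unknown role
    is an error rather than a default clearance."""
    if role not in ROLE_CLEARANCE:
        raise AccessDenied(f"unknown role {role!r}")
    clearance = LEVEL[ROLE_CLEARANCE[role]]
    return {f: v for f, v in record.items() if LEVEL[classify(f)] <= clearance}


if __name__ == "__main__":
    stored = protect_at_rest(SAMPLE, KEY)
    print("stored:", stored)
    for role in ROLE_CLEARANCE:
        print(role, "->", sorted(read_record(stored, role)))
```

The two places where this code fails closed are the ones that matter in practice: a field missing from the catalog is treated as restricted, and a role missing from the policy raises rather than silently receiving open data.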


The right level of data compliance balances business risk with agility.


Compliance to purpose

While companies have flexibility in managing internal operational business processes and the associated data in their own way, they have little or no option in capturing regulatory data. Collect only what is mandated when capturing regulatory data and, more generally, only what is needed for a stated purpose. For example, when collecting privacy-related data, if a person's date of birth is not needed, do not collect it. This avoids holding sensitive data that serves no purpose and saves the company the cost of protecting it. Fundamentally, while data is an asset, it can also be a liability, as seen in the data breaches at Equifax, Capital One, Cambridge Analytica, Marriott Hotels, Target, and many more.

A key technique to ensure that the data captured is purpose-driven is to map the data elements on business categories, entities, and events to every element of the business value stream map (VSM). A VSM is a visual tool that shows the flow of materials and data the company uses to produce a product or service for its customers. VSM has its origins in lean manufacturing, and its business value is to identify and remove or reduce waste in the process, thereby increasing the efficiency of the system.

The key to developing a strong VSM is to treat your business as a network (of customers, employees, vendors, dealers, partners, and so on) rather than as an aggregation of individual lines of business (LoBs). This means looking at the entire value chain through which the firm's products and services reach the end consumers. Put simply, looking at the VSM as a business network improves the management of expenses, enables inventory control and better information flow, and optimizes the company's cash flow and growth. As Aristotle said, "The whole is greater than the sum of its parts," and this is very much relevant to developing VSMs.

So, if a data element does not find a place in the value stream map (VSM), that data element potentially has no business value and should not be captured or stored. Below is a simple example of a VSM in an oil company, where the key data elements are mapped to the individual value streams.

While the consumption of restricted data in the business is defined by laws and regulations, the purpose or consumption of confidential data or internal business data is normally defined by business rules. For example, vendor purchase order data might be of interest to both the finance department and the purchasing department. In that case, purchase order data authorization should be done at the point of data capture so that the right users are authorized to access the right data based on their role. This role-to-position (RTP) authorization protects data integrity and, when each capture and access is recorded in a tamper-evident audit trail, provides traceability and supports non-repudiation.
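The following is an added example, not code from the book, that puts the two ideas above together at the point of capture: a data element is stored only if the value stream map gives it a purpose (anything else is dropped and the drop is recorded), only the roles authorized for that value stream may capture into it, and every capture is appended to a hash-chained audit log so that later tampering with a record or with the log itself is detectable. The value stream map, the role-to-position table, and the sample payloads are constructed assumptions in the book's oil-company setting.

```python
"""Purpose-driven data capture with role authorization and a hash-chained
audit log. Added illustration, not code from the book; the value stream
map, roles and sample payloads are constructed assumptions."""
import hashlib
import json
import time

# Assumed value stream map: value stream -> data elements that have a
# documented purpose in that stream. Elements not listed have no purpose
# and are never stored.
VSM = {
    "procure_to_pay": {"po_number", "vendor_id", "amount", "currency"},
    "pipeline_integrity": {"pipeline_id", "inspection_date", "wall_thickness_mm"},
}

# Assumed role-to-position (RTP) authorization: which roles may capture
# into which value stream.
CAPTURE_ROLES = {
    "procure_to_pay": {"purchasing_clerk"},
    "pipeline_integrity": {"integrity_engineer"},
}

GENESIS = "0" * 64  # previous-hash value for the first audit entry


class NotAuthorized(PermissionError):
    pass


def minimize(stream: str, payload: dict) -> tuple:
    """Keep only the elements mapped to the stream in the VSM.
    Returns (kept, dropped) so the drop itself can be audited."""
    allowed = VSM[stream]
    kept = {k: v for k, v in payload.items() if k in allowed}
    dropped = sorted(set(payload) - allowed)
    return kept, dropped


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


def capture(stream: str, payload: dict, actor: str, role: str, log: list, ts=None) -> dict:
    """Authorize, minimize, and append a chained audit entry. Returns the
    record as stored."""
    if role not in CAPTURE_ROLES.get(stream, set()):
        raise NotAuthorized(f"role {role!r} may not capture into {stream!r}")
    kept, dropped = minimize(stream, payload)
    entry = {
        "ts": ts if ts is not None else time.time(),
        "stream": stream, "actor": actor, "role": role,
        "record": kept, "dropped": dropped,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return kept


def verify_log(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first entry
    whose content or link to its predecessor has been altered."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


if __name__ == "__main__":
    audit = []
    # Constructed payload: the clerk's form also carries a field nobody needs.
    stored = capture("procure_to_pay",
                     {"po_number": "PO-77", "vendor_id": "V-9", "amount": 1200,
                      "currency": "CAD", "vendor_contact_dob": "1975-01-01"},
                     actor="jdoe", role="purchasing_clerk", log=audit)
    print("stored:", stored)
    print("dropped:", audit[-1]["dropped"])
    print("chain ok:", verify_log(audit) == -1)
```

The hash chain gives tamper evidence and traceability, which is what the text means by "traceability features". Non-repudiation in the strict sense additionally needs each actor to sign their entry with a key only they hold; the chain alone shows that something changed, not who is bound to the original.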

Compliance to transparency

Transparency in the context of data compliance is building education and awareness of how data is handled in business operations. Business stakeholders should have a clear understanding of how business data is extracted, migrated, and transformed, that is, of the data lineage across systems. Data lineage is tracking data from the point of origination until it is archived or purged. Transparency also concerns the way data and insights are shared with business stakeholders. For example, privacy does not mean secrecy: personal data obtained from a person can be shared with that person's consent. Similarly, sensitive data (asset, financial, or locational data) needs restrictions on when and how it can be shared. The aggregate data used in BI (business intelligence) systems can have broad access, but the granular data captured and stored in transactional systems should be mapped to the right business roles and positions.

Data transparency is typically implemented with Digital Asset Management (DAM) systems, which help in organizing, storing, and retrieving digital assets (structured and unstructured data) with the appropriate rights and permissions. Technically, a DAM system holds, in a central content hub, metadata records that contain the name of each file, its format, and details about its content and usage. In simple words, DAM is a digital library of all the digital assets of the enterprise (documentation, images, audio, video, presentations, podcasts, animations, and any other digital content) in an easy-to-access, quick-to-search, centralized location.

Conclusion

Even though data is a business asset and a key component of analytics, the compliance aspects, if not managed well, can limit the use of data in analytics. Data analytics can be adversely affected by compliance issues, especially when dealing with data governed by laws and regulations and when companies begin using their data for purposes different from those for which it was initially collected. The bottom line is that data compliance is an integral part of analytics, and compliance aspects should be addressed by giving the right stakeholders access to the right data and insights. It should be addressed up front, as soon as the stakeholder needs are identified and the data is selected, not after insights are derived and are about to be consumed. Last but not least, data compliance should be driven by the business sponsor of the analytics programs and should be one of the key charters of the Chief Data Officer (CDO). In short, data is an asset only if managed well. If not, it can become a liability or even a nightmare.

References