Increasing awareness among citizens about data privacy, and the compliance requirements of various data protection regulations, have made it necessary for organizations to focus on protecting sensitive and personally identifiable information (PII). In order to comply with regulatory requirements, data protection programs comprise multiple processes such as consent management, privacy-safe data processing, sharing and access, data archival and retention. Along with these processes, organizations must focus on data quality since various data protection regulations give importance to data quality management. It is important to understand areas, where data quality management can play a role in safeguarding data protection programs, and in fulfilling data quality management requirements.
Let us understand the role of data quality management in propelling data protection initiatives.
Role of data quality management in data protection programs
Consent management: Data protection regulations mandate the procurement of explicit consent from all citizens to collect, process or share their personal data. Complying with this requirement implies that organizations need to take consent from citizens for various business purposes such as payroll processing, marketing, personalized offerings, and data analysis. However, citizens may not give a perpetual consent for all kinds of data processing, so the purpose and duration of holding PII, while collecting consent from citizens must be defined.
The IT landscape of organizations is complex, with multiple applications and data stores, making it a herculean task to manually check the availability of consent before processing PII. This manual process is burdensome and error prone. There is an urgent need to implement an automated approach for consent-based data processing. Organizations need to maintain a central repository of citizen consents, along with the details of the name of the application and data store, consent received status, purpose of processing, and duration for which the consent is valid. Since citizens can withdraw prior consent, this repository must be scanned regularly for checking the availability of the latest consent for all applications and data stores. The scanning process can be automated using data profiling and can be used for sending appropriate notifications to concerned stakeholders.
Privacy-safe data processing: Various de-identification techniques are used to protect sensitive data or PII. However, it is necessary to understand the associated risk of using masked data attribute values, like original values. A possible mechanism to address this requirement is data profiling, where de-identified data values are reconciled with the original data, using primary or unique identifiers, before sharing the de-identified information, so that the citizen’s identity is not revealed. Relevant reconciliation reports act as evidence for future reference. The result of such reconciliations elevates the trust of organizations and citizens on the data de-identification process.
Consent-based data sharing: The advent of digital transformation and automation has ushered in an era where the focus is on automating tasks, using automated workflows for data sharing. It is important to check if data sharing is being done in accordance with the received consent. This can be achieved through automated profiling of data requests against the central repository of consent. Subsequently, organizations can take appropriate measures to ensure data privacy, such as de-identification, before sharing or rejecting data requests.
Purpose-driven and privacy-safe data provisioning: When organizations focus on data protection, it is important for them to identify the quality of data to be protected before data provisioning. They need to analyze if the data to be protected is consistent across multiple data stores and is relevant for de-identification and sharing. Organizations can perform this by profiling the data and correcting quality issues before the de-identification process, to ensure that the results of de-identification are desirable.
Data retention: Organizations may need to archive some data to adhere to regulatory compliance processes, for a specific duration. This archived data may contain sensitive information. Inadvertent or malicious access to archived data can pose a serious data privacy-risk, so data profiling can be used to scan the archived data. This checks the existence of sensitive information beyond the required retention period.
Data breach notification: One of the regulatory requirements of data protection is notifying citizens about breaches of PII, within the defined time. This is possible only if the citizen’s information, such as name and contact details, is complete, accurate, up-to-date, and non-duplicated. Data profiling can be used to ascertain the quality, and subsequently, data quality issues can be fixed through data cleansing, standardization, enrichment, and data de-duplication. Organizations should connect with citizens to procure missing details.
Data quality with data protection: a strong combination
Data quality management plays a key role in the data protection regulatory compliance initiatives undertaken by organizations. Data privacy combined with data quality is a powerful accelerator for any enterprise transformation program.