Podcast: Data Discovery – The Critical First Step in Controlling Your Data Risks
In this podcast data governance and compliance expert, Charlie Hill, discusses data discovery and why it is essential to minimizing your risks of data breaches and compliance violations.
Summary: We continue to read about major data breaches that have compromised the personal data of millions of people and violated compliance regulations around the world. These events put us all at risk and have severely damaged customer trust, shareholder value, and the financial condition of companies. Listen to this podcast to find out why data discovery and classification is the essential first step to mitigating your risks and protecting sensitive data. You will learn from a data governance and compliance expert what data discovery is and what are the common challenges in getting it right.
Podcast Show Notes
Sensitive Data Discovery – The Critical First Step in Controlling Your Data Risks
Chris Doolittle: Welcome to our podcast on discovering your sensitive data – the most critical step in any data protection and compliance project. In this podcast, you’ll learn what data discovery is, why it is so foundational to implementing effective data protection and regulatory compliance, and what the most common challenges and inhibitors are that companies encounter.
This is the first of a series of podcasts on simplifying, automating, and accelerating data protection and compliance. We’ll be discussing important topics, including common challenges and best practices discovering your sensitive data, understanding applicable regulations, assessing your real risks, and applying the optimal auditing analysis and controls, among many other topics.
My name is Chris Doolittle. I am VP of marketing at Teleran Technologies, a data protection and compliance software company. I’m really pleased to be here with Charlie Hill. Charlie is the founder of Information Governance Strategies, a data governance and compliance services firm based in Stamford, Connecticut. Teleran and Information Governance Strategies have recently inked a partnership to help companies address challenges in protecting their data from damaging data breaches, misuse and regulatory compliance violations.
Now, over the past four decades, Charlie has held a variety of global leadership positions in information governance and compliance, consulting, business transformation, information technology, sales and marketing. He has extensive global experience having led teams in the US, India, Brazil, Germany, the UK, Australia, Japan, and China, among others. Notably, he developed a comprehensive information governance strategy for one of the world’s largest telecommunications companies.
Most recently, Charlie held the post of IBM’s global head of information governance. Charlie led IBM’s global GDPR strategy, and compliance implementation there. He also established IBM’s global data privacy operations team, and developed and implemented strategies and business architecture to handle GDPR, Brexit and the California Consumer Protection Act (CCPA) in business units around the world.
Charlie, welcome. I’m thrilled to be speaking with you today. Why don’t we start our discussion with what is often the first step of any compliance project, and that is data discovery. What is data discovery?
Data Discovery and Classification Defined
Charlie Hill: So, Chris, first of all, glad to discuss this topic with you. And it’s an important topic because obviously, when you look around in the news, we see a lot of data breaches. And one of the first steps that you must take if you’re going to really try to protect your data, is to understand what that data is. And that’s where data discovery comes into play. Data discovery is determining where your data is. Many companies have a variety of different databases, applications, and it’s not at all unlikely that every data element is not known.
The process of data discovery is determining where that data is, where that data is used, what databases it’s housed in, what applications have access to it, so that you understand where your data actually resides. Now, following data discovery is what’s called data classification. Data classification is a more complex process because once you understand where the data is, now you have to understand what the data is. As an example, data classification goes into and looks at, is this data sensitive information? Is it personal information? Is it health information? Is it financial information? So, it’s really understanding what that information entails, because only by understanding what that information entails, can you determine how to protect it.
Chris: Well, terrific, thank you. So why is data discovery and classification so critical to establishing an effective protection and compliance program?
Why Data Discovery Is So Important to Mitigating Risks and Ensuring Compliance
Charlie: That’s a good question, Chris. So, first you can’t protect what you don’t know, right? And, if you’re going to be compliant with data regulations around the world, you have to know what type of information that you’re protecting. So, as an example, if you think about HIPAA regulations, which is focused on patient records healthcare, you have to understand if the data that you have falls under HIPAA regulations? If you are doing business in Germany or any other place within the EU, does it fall under GDPR regulations, or another example, Brazil’s new LGPD regulation, which is their regulation for the protection of personal information. If you are in a retail business, and you are processing credit cards, for example, you have to understand where that information is so you can comply with PCI DSS regulations that protect personal financial information. So it’s important to understand where the data is, how the data is being used, what that data is, so that you can be in compliance with the myriad of regulations that may impact your business.
Chris: Charlie, what are some of the most common pitfalls you’ve seen in organizations trying to identify their sensitive data and classify that data?
Common Pitfalls in Getting Data Discovery Right the First Time
Charlie: I think one of the biggest things I’ve seen is a lack of data standards. There’s a lack of process consistency, and let me tell you what I mean by that. You may be capturing information during the course of your business operations, and some people may use a comment field to capture, for example, date of birth, or driver’s license number, or some other piece of personal information that needs to be protected. But, because there are no firm data standards in place, there is no consistent process that’s being executed that allows for data to be captured in places where you wouldn’t expect it to be. So, that gives you more complexity about understanding that data. And again, if you don’t understand the data, it’s difficult to protect.
Metadata Is Key
Charlie: One of the things I think is really important for companies these days is metadata. So what is metadata? Metadata is data about your data. And, many companies don’t have data catalogs or data glossaries that really describe what that data is, the data that they’re capturing, and how it’s going to be used. So that’s another area where I find there are pitfalls as well. Another example is right now we’re all trying to utilize this data to a competitive advantage. So many companies have employed data scientists, they’ve employed data analysts, and they rely on those data scientists to create algorithms that can expand and analyze that data to gain insights.
Often when data scientists will create their own datasets. So they will extract a dataset that is separate and distinct from the data that’s used within your operations. And then they’ll use that to develop their algorithms. Well, now what you’ve done is that you’ve got an isolated pool of data here, an island of data that you’re not aware of, your IT department doesn’t know where it is, and that creates a risk exposure because once again, we don’t know what that data is, where that data is, and therefore we can’t protect it effectively.
Chris: Wow, terrific. That’s very helpful. So, what we’ve talked about in our podcast today is what is data discovery and why it is so important. And, it is foundational to establishing the most effective data protection and compliance project that you can.
Charlie: Not only is the foundational, Chris, it’s actually essential. This is the starting point. If you want to comply with regulations or if you’re not even subject to regulations and you want to make the best use of your data, you must start with understanding where that data is and what that data contains. So it is absolutely essential to any cybersecurity, or data privacy, or regulatory compliance around data.
Chris: Thank you so much Charlie. This has been very, very informative. We’ve been talking about data discovery, some of the common pitfalls, and how proper data discovery and classification establishes the foundation for the most effective data protection and compliance program that you can put together.
Charlie, thanks so much for joining us today.
Charlie: Thank you, Chris.
Chris: Stay tuned for our next podcast with data governance and compliance expert Charlie Hill. You’ll learn about what the biggest challenges are in understanding regulations that apply to your business.
Chris is VP Marketing and a co-founder of Teleran. He has over 30 years’ experience in helping companies manage, leverage and protect their business-critical information.