With big data in the picture, the amount and the complexity of data have grown beyond what they were in the days of transactional systems of record (SOR). These new types of data from new originating sources, coupled with the various ways in which organizations are transforming data into something else, present unique challenges to compliance practices in privacy, security, and safekeeping.
In a CSO post in February 2015, attorney Michael R. Overly wrote: “The challenges of [big data] compliance with this ever increasing morass of laws, regulations, standards, and contractual obligations can be overwhelming.” Overly is a partner in the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices in the Los Angeles office of Foley & Lardner LLP.
Here’s more from Overly’s post: “Even if no personally identifiable information is at risk, businesses have obligations to implement appropriate security measures to protect other highly sensitive information relating to, for example, their trade secrets, marketing efforts, business partner interactions, etc. All too often, businesses become fixated on a single tree or branch in the forest of laws, regulations, standards, and guidances and fail to appreciate, or even see, other nearby trees and their relationship and, certainly, seldom step back a sufficient distance to gain an overall view of the compliance forest.”
This big data compliance forest is a multi-species forest; data that lives there comes in from videos, photos, audio records, machines, and third-party vendors. Data analysts perform data cleanups and mashups to get to the bottom-line analytics answers that business leaders want. During this process, data begins to get transformed into new forms of data. The totality of these activities makes it difficult to perform compliance functions when the data is constantly morphing into new forms.
Overly argues that the only way for companies to get a handle on the big data compliance challenge is to formulate a corporate framework for dealing with big data compliance. The framework addresses the data itself, the systems where the data resides, who has access to those systems, and whether the data can be relied upon as accurate.
Additional big data compliance concerns to consider include assessing the various types of big data for risk, the protection of intellectual property, and the proper legal disclosures and promises made to stakeholders and customers. When assessing these areas and developing policies, organizations should look to outside legal counsel and/or auditors for advice and best practices.
The message for IT managers and others leading big data initiatives is that it’s not too soon to think about big data compliance and to do something about it. You should establish a compliance framework around big data that can scale and that all stakeholders understand. Here are three steps that big data and analytics managers should take beyond securing systems and data access.
1: Assess your big data compliance efforts
A majority of companies have barely started their big data compliance plans; they are using IT guidelines for data safekeeping, privacy, and security that have been used for transactional SOR, and they are publishing annual privacy and security statements to stakeholders and customers. Unfortunately, this doesn’t really address the uniqueness of big data and big data transformation. For instance, John Doe at 1234 Doe Street might become an “anonymized” male in zip code 99999 who is a middle-aged Caucasian with colorectal cancer.
There aren’t many policies that address privacy, security, and ownership of this data if the company elects to sell the data. In this continuum of data transformation and repurposing, organizations must determine the points at which compliance is enforced and how and why it is enforced.
2: Review how your organization secures and protects its documents
In many cases, isolated business departments have paper records, but they have also been digitizing and adding to these records. Some of this information is highly sensitive and includes patient health and financial records and possibly company trade secrets and patent designs.
Standard security measures, including limits on room and system access, are likely in place, but what if your big data strategy determines that some kind of meld of this data with other SOR or third-party data is important? When the lines between traditional data repositories that have their own compliance rules begin to cross, compliance needs to be revisited.
3: Define new strategies for managing big data compliance
In the old days of relational databases with structured data, it was easy to identify and retrieve sensitive data because data searches were straightforward. That’s not so much the case with big data, which can be totally unstructured and unpredictable, making it difficult to search for sensitive data that requires protection under regulatory guidelines. This is why it’s important to define new strategies for managing big data compliance.
Keep up with the latest in big data compliance
There are many other aspects to big data compliance, including emerging compliance measures that are specific to big data. IT decision makers and others responsible for big data should keep their ears to the ground as these new aspects develop.