April SQLChat on DataGovernance (on Twitter)

by Apr 19, 2018

This week I had the honor to host the #SQLChat on Twitter on the topic of Data Governance.  Here's some quick highlights from hour long conversation:

Q1) How do you define data governance?

My response: 

Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.

Others responded with:

  • A set of processes and rules that define how data is entered into a system to ensure that a company makes the most of its data and those the data is about are protected.
  • Security and rules pertaining to sensitive data
  • I believe it to be the managing of ALL the data in my environment(availability, security, etc). As a DBA, I think of myself as the GateKeeper or "Governor" of the data.
  • Availability and security of enterprise sensitive data

Q2) What skills or knowledge do you think are most important to making a Data Governance strategy a success?

My response:

You should know how your data is:

  • stored
  • mapped
  • archived
  • backed up

Make sure that you are considering ALL of your data:

  • Marketing Demographics and Analytics
  • Product Information
  • Regulated Information
  • Operational Data
  • Financial Data
  • HR Data
  • Legal Data

And, you should know:

  • what you intend to do in the case of a data breach
  • what regulations apply to your data

Others responded with:

  • At previous companies we had a council that created procedures, and made plans on how to execute those procedures. I am a HUGE fan of policy/procedures and find they add so much value and a sense of security for any issues.
  • You should always have a plan of "What if a breach occurs?", how do we react, what measures do we take, etc. In this day and age, this type of preparation is key to minimize damage, and keep business continuity IMO
  • Define business processes to spell out the steps necessary for handling data breaches
  • What we think is critical data is often not ALL the data that is critical.  We need to broaden our scope and minds. 
    • Data that is critical to one person is different that the critical data to another.  Kendra Scott Jewelry cares a lot more about jewelry than other companies
  • I think compliance rules in some places would dictate a lot of this. For others, the strong desire to protect all the data and taking the steps to do that.
  • I'm am sure "skills" are necessary, but an intimate understanding of the data and passion to keep it secure. understanding encryption techs, regulations

Q3) How should a company protect itself from Data Breaches and other threats?

My response:

  • Companies can use Security tools (like SQL Secure) to lock down access to their data to limit the ability to breach their systems
  • Companies can use Compliance Auditing tools (like SQL Compliance Manager) to detect breaches as they are happening
  • Companies can use Business Process diagrams (like ER/Studio Business Architect) to build out plans for breaches
  • Companies should have an emergency plan in place to address data breaches

Other Responses:

  • Firewalls, encryption, etc. are a beginning – there needs to be education. In many cases, people are the weakest links when it comes to data.
  • Always prepare yourself for worst case scenarios. Many breaches that I have seen personally have not been from a software flaw, but from a personnel level, IE. sending sensitive information to a party that should not have it
  • Simple data models, well documented and clear, global policies of how data is entered and secured. Ensure that you have the processes, auditing, the leadership groups and policies in place to keep it up.
  • Start with the assumption you will be breached. Plan for it. After that a good start is only granting security that is required to the individuals that actually need it.
  • Never send anything outside the company without extreme encryption, if you must send it at all. The principle of lease privilege

Q4) How do you think different generations view data privacy?

My response:

  • Generally, Boomers tend to be more private with their data and therefore very concerned about Data Privacy
  • Generally, Millennials have lived in an Open Data world and believe that everyone has access to their information anyway
  • Generally, Gen X has grown up with data and tends to have a healthy level of cynicism in regards to who is accessing their data

Other responses:

  • I think older generations have no true feel for the amount of data being collected (with the exception of IT professionals of course). Younger groups have a better grasp on the volume of data, but less grasp on the importance of protecting it. IMHO
  • Older groups were more used to privacy. The expectation of privacy was built into our culture. Younger generations have grown up with a "share everything" mentality.
  • From my standpoint as a father, I don't think younger generations think about it too much, and that is scary. Social Media makes the world so much smaller and Data Privacy seems less important. I hope that I'm wrong
  • I believe the older generations are more private with their data. My FIL for example is a stickler for giving out ANY personal information to anybody. Newer generations know how much data is out there, but has less of a worry besides SSN, and CC numbers.
  • The scary part is, most don't know how many are sharing data. I surprised my Dad when I pulled all his data from our system because he donated blood.
  • Babyboomers think SSN, GenX think medical and professional history, Millennials are thinking Internet…all the while, all the techies are thinking ALL THE DATA!! ARGH!!!
  • I've had conversations with teens and my parents that let me know they are not grasping what is actually going on
  • It's been interesting to observe some of the Facebook questioning by Congress. Clearly there are a lot of (usually older, but all ages) people that just don't understand data privacy, and the fact that anything you post anywhere online is no longer private

Q4) Follow Up: Based on these different perceptions, how does your organization view data governance? How might data governance views change across generations?

Responses:

  • I believe most don't pay attention until it nips them in the bud TBH. Kind of "the scary monster doesn't exist if I don't look under the bed" I have been fortunate that with my clients I currently work with, they take it very seriously, but as tech professionals they
  • Doesn't this get back to being educated consumers? Even when the product is free, you get what you paid for and know what they're getting for it…My data is mine, then I don't go there.
    • Yeah, but a lot of people flocked to Facebook because they just wanted to see pictures of the Grandkids (Boomers). Or they have never thought much about business models (Millennials).
  • Most people don't think about it too much…until they are directly affected by a data breach and they have CC charges that are not theirs or their bank account has been emptied.

Q5) Facebook is getting into a lot of trouble right now for allowing their data to be harvested. Do you think data harvesting is as bad as data breach? Why or Why Not?

My response:

I think public perception is that data harvesting is as bad as data breach because their data was used in places that did not have permission to access it

Other responses:

  • CA (Cambridge Analytica) took advantage of the FB API and created a quiz. Never take an online quiz! Ever!
  • This is a GREAT topic! IMO it depends on how the data is used. If its used for purposes of "how many liked this ad?" I am not too concerned, but if its more "Here is this man's contact information, you can use it to try and reach out and sell your product" I get upset
    • But how do you really know how it will be used? Even reading terms and conditions it's purposely left vague.
    • True, I guess that is a great point to discuss as well. Not sure how to follow up on that except with, I never use my real address, name, phone number, personal email for those types of things?
  • IF you are on a site that is free for you to use and there are companies out there, you need to understand, you aren't the customer, you are the PRODUCT. There is a cost to everything, especially when its free.
  • That's a really hard question. I'm not sure I see anything wrong with collecting data in aggregate. If someone says "400 people chose this, 700 chose that etc" I'm not sure I see a problem. It's when the information can be tied to an individual I see it as a problem.
  • It's tough to be online these days and not leave a "harvestable" trail. Also, we agree to the TOC while signing up with most vendors. It's scarier when data is harvested by entities not authorized by us, and we don't know the purpose or the scale of the operation. A breach certainly shows a lack of information security planning, implementation and training. Letting someone harvest user data from an app shows lack of thought to privacy concerns in the app design. Both are bad.
  • If data harvesting is done furtively, then it is *worse* than a data breach. It's willful violation of user trust (vs accidental violation of trust).
  • This is a great "it depends" question. It depends on what data. Also, most don't read the agreements when they are agreed to. Google does it all the time when I search for something on Amazon. Why is Facebook Different?
  • One key issue is that we all agree to these user terms for the various sites, but how often do we really read them to know what we're granting access and approval for? Data harvesting is to be expected, but data selling is the bigger concern

Q6) Now that you're aware that Facebook Apps might be harvesting your data, how does this change your approach and/or digital life? Does it change it at all?

My response:

I consider myself TechSavvy and have already used the Facebook remedies to lock down the information that I don't want publicly known. Although, honestly, there's nothing on Facebook that I would really need to have hidden (except from Internet Trolls)

Other responses:

  • I already was doing regular sweeps, clean up and lock down of the my FB account. Very little is out there that anyone can grab unless they are directly FRIENDS with me and my important info is locked down. It's a good habit to have.
  • I was always hesitant about "login with Facebook/Twitter/Google/LinkedIn". Absolutely not doing that ever now.
  • I actually created a "burner" email account when I created my FB account back in the day.I check it normally, but its mainly to stay in touch with family/friends.I never was one to use their apps/games,but I was always nervous with providing personal info to any site
  • Prior to the Facebook fiasco, here are some precautions I've taken:
    • Never use an "app" when a browser can be used.
    • Use some privacy controls w/ your browser (ad blocker, Ghostery, etc.)
    • Use tools like Tor to try to anonymize digital communication.
    • Use a VPN.
    • FWIW, I deleted my FB account back in 2011
  • It should, but I'll be honest to a certain extent I've given up. I'm sure my data is out there & even if it isn't it will be. Not that that keeps me from taking certain common sense precautions. Changing passwords regularly, keeping certain information offline etc.
  • maybe a little, but not much As others have mentioned, nothing is truly free. I have become more reserved about what I post to social media and the information that I share, but it really had nothing to do with the Facebook thing

Q7) How liable do you think an organization should be for data once it leaves the system?

My response:

If I give you my information, I expect it to be handled properly and only used for it's obvious intent

Other responses:

  • Organization's liability is during custodianship and transmission. Can't do much if it is breached at the new custodian, except notify customers promptly and advice on next steps to mitigate risk/damage.
  • Again, it depends. How did it leave the system? A company is very responsible for who they GIVE the data to. Less so when it's stolen. It's no different than if someone steals something from a storage locker. You should be notified, and the company should be responsible for providing some protection from the data being used against you, but if they used reasonable effort in protecting it, how is it their fault someone broke in?
  • That is what GDPR is about though- you must justify WHY you need data. If you go through the apps from FB and see what they say they need or want, you have to ask yourself why??
    • That's certainly part of it. But once you are past that point, if you've taken reasonable steps to protect your data & your customer's data then you shouldn't be faulted for someone being better at it than you are.

Q7) Follow Up: How are you tracking your data lineage currently? Based on your answer to Q7, do you think you need to reevaluate your data lineage / governance program?

My response:

Other responses:

  • I had my identity stolen before it was a term and had someone hijack my online persona at one point, so I audit and have software that checks my data/credit lock down/etc. You are your data.
  • Can't be too specific coz NDA but in general it depends on domain and willingness of the org to allocate resources. At minimum, track outbound stuff, content, mode of transmission and recipients. Internally, track privileges and review/clean-up periodically.
  • I use software that monitors my credit/PI that I pay a monthly fee for. It's caught numerous attempts to clone credit cards and such that could of ended up costing me alot more money then the yearly subscription fee.
  • I worked at a self insured company. The health management company wanted to collect info and provide us with coaching opportunities. I refused as there was no clear data protection that my company wouldn't end up with the info.

Q8) Do you think it is more important to follow your executive team's perspective on Data Privacy or the perspective of your customer base?

My response:

I think it's important to educate your executive team on what your customer base thinks. Although, ultimately business decisions could change the direction and regulation may define it for us anyway.

Other responses:

  • I would need to know the goal of the executive team? I also need some clarification on this question. I'm not one to follow anyone anyway.
  • I'd lean more towards the exec team. Most should have an informed, ethical perspective. (But then again, there's Facebook, Panera, etc) I find customer bases usually follow along without many questions. But occasionally you encounter a customer that's very data savvy
  • I'm not sure that following either is a great idea. Sometimes we think data is important, and it is not. Data Privacy means intimate knowledge of the data IMHO
  • Neither really know how to secure data like we do. Now, they may have a perspective, which in turn morphs in to a requirement, which in turn we implement.
  • Tricky. Need to understand where they intersect and diverge to make the best call. Customers don't always understand all the implications, but companies often collect more data than they need.

Some other interesting Data Governance Trivia that was thrown out there:

  • Over 90% of all the data in the world was created in the past two years – IBM
  • There are five types of data
    • BIG DATA – Predictive Analytics
    • FAST DATA – Information that can be quickly analyzed (e.g. coupons upon checkout)
    • DARK DATA – Information that you can't easily access (e.g. information in videos)
    • LOST DATA – Information that is collected but never reviewed
    • NEW DATA – Information that you could have but you aren't harvesting
  • Around 100 hours of video are uploaded to YouTube every minute and it would take you around 15 years to watch every video uploaded by users in one day – YouTube
  • Google alone processes on average over 40 thousand search queries per second, making it almost 4 billion in a single day –
  • The number of Bits of information stored in the digital universe is thought to have exceeded the number of stars in the physical universe in 2007. – Computerworld
  • 78% of people claim to be aware of the risks of unknown links in emails, yet click on those links anyway
  • 95% of breached data records in 2016 came from: Government, Retail and Technology
  • 43% of cyber attacks targeted small businesses
  • Over 75% of the health care industry was infected by malware in the last year
  • 70% of US oil and gas companies were hacked last year

What are you thoughts and comments on this topic?

Thank you for your valuable contributions to the chat: