TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

Who Truly Owns That Data?

The ever-changing data privacy landscape in the United States is keeping enterprises worried. Is data privacy actually achievable?

• By James E. Powell
• November 5, 2018

As analytics and information technologies continue to evolve, individuals have lost control of the data they create in their personal and work lives. Despite the emergence of new privacy laws, Kon Leong, CEO of ZL Technologies, a specialist leader in information governance for large enterprises, is starting to question who is truly on the hook to protect the privacy of individuals.

For Further Reading: Opt-In Versus Opt-Out: The Big Question for Consumer Privacy 3 Fundamental Steps for Strong Big Data Security GDPR: Plenty of Nagging Questions Remain

Following the EU's General Data Protection Regulation (GDPR), states including California and Colorado are passing legislation to help protect citizens' data, begging the question: is this something that should fall to federal, state, or private organizations? Upside recently sat down with Leong to discuss the role of technology within privacy and who is responsible for implementing privacy measures.

Upside: How would you describe the current data privacy landscape in the U.S.?

Kon Leong: This is a complex question, but in short, the U.S. is lightyears behind the EU with regards to privacy. The U.S. hasn't lived through oppressive regimes in the way that Europe has, so we carry a sense of naivety about privacy that Europe has long lost.

We create an unimaginable amount of data in both our personal and work lives, and the insight that can gleaned from it is only growing. We're reaching somewhat of a breaking point that requires resolution before we proceed further. Technology will not wait for us to make up our minds about how we govern privacy.

In the U.S., who should be responsible for creating data privacy regulations?

Following the EU's comprehensive GDPR, certain states have followed suit with privacy regulations of their own. There are two initial issues I see. First, whether these regulations will become adequately enforced countrywide is yet to be seen. Second, we're creating a checkerboard of various regulations with unique requirements that make them very difficult to implement.

For example, a national organization will have to take enormous data sets and apply several sets of policies based on an individual's residence. This is a highly involved process when you look at the various data repositories large organizations handle. There is particular difficulty on the unstructured side (data created by humans for humans, such as emails and documents).

Ultimately, there will have to be a federal privacy regulation to ensure consistency. I will add, however, there will still need to be state involvement because I wouldn't advise trusting a single power to regulate privacy.

Even with a single U.S. regulation, international enterprises will still have to balance various regulations around the globe, requiring highly sophisticated data management capabilities at a level that few companies have. Therefore, consistency and standardization are advisable.

Is privacy actually achievable?

This depends on how you define privacy. There are two approaches that enterprises can take: know nothing and know everything. The first entails leaving personal information alone and hoping that no issues arise. In other words, "see no evil, hear no evil, speak no evil." Although this may not require any initial intrusion into personal information, it leads to complications because there's no way to ensure that personal data won't be accessed by someone in the organization (for instance, for analytics purposes), and if there's a breach, personal data can be left exposed.

The second approach -- to know everything -- involves intrusion into documents at the content level, allowing appropriate policies and access privileges to be applied. This allows an organization to remediate unnecessary data and ensure data is only being used for the purpose it was created.

As strange as it first seems, without insight into all enterprise data -- which might appear to be a breach of privacy to some -- it is very difficult to protect personal data. This logical progression leads us to an unintuitive conclusion: privacy is about control and therefore requires intrusion.

How have new and advanced technologies affected U.S. data privacy?

The problem is twofold: analytics technologies have advanced by leaps and bounds over the past several years, and we've somehow forgotten to govern all the information. Organizations are capable of knowing so much about you just by looking at your email and the patterns your messages follow. Just on the enterprise side, for instance: who's likely to quit? This can possibly be predicted before the individual even realizes it himself.

There are amazing capabilities that are just now possible. However, we're still waiting for the other shoe to drop: information governance. To ensure privacy and reel in the uses of analytics, enterprises need an incredibly involved governance layer. This requires synchronizing the various uses of data (analytics, recordkeeping, e-discovery, compliance, etc.) and managing the various data silos across the enterprise. If organizations are able to solve the governance piece, they will have also solved privacy.