Technology has always moved faster than legislation – although it’s a never-ending race. However, when data is involved, this isn’t a case of “win at all costs”. After all, without the necessary data governance procedures in place, the costs of non-compliance soon add up, in the form of fines and reputational damage.
Instead, gaining a competitive edge requires organizations to develop and apply innovations responsibly – while also safeguarding data. This regulatory drive is coming from governments, as more countries adopt or extend data protection legislation.
“By 2024 three-quarters of the world’s population will be covered by data protection laws.”
Gartner
The US is a major example of this trend. A previously patchwork approach, differing state by state, looks set to be aligned by the American Data Privacy and Protection Act (ADPPA). There’s still some way to go before the bill’s various protocols and processes are enacted. However, its federal nature means its impact is likely to be as far-reaching as the EU-wide GDPR.
Elsewhere in the world, there have been similar moves to align and control data access, privacy and governance. China’s Personal Information Protection Law (PIPL), the country’s first properly comprehensive data privacy law, came into effect in November 2021. Japan’s 2021 amendments to its Act on the Protection of Personal Information were enacted some months later. India also made data privacy proposals in 2021, in the form of the Personal Data Protection Bill.
Of course, amid these evolving data protection policies, organizations also have to find a way to realize data’s value. So it’s about adapting to accommodate new laws, and applying a form of Digital Darwinism to survive (and thrive). This means removing silos and orchestrating access across the business: freeing users from worrying about breaching regulations, and letting data flow freely to the fingertips, screens and dashboards of those who need it.
This move calls for a careful balance between encouraging innovation and evolution, and mitigating security threats and non-compliance risks. It also involves looking at traditional data architecture, where the priorities were primarily collection, storage, processing, and protection, and then understanding where the gaps are and how best to evolve to a more streamlined ecosystem.
The first stop on this forward-looking journey is looking at role-based and attribute-based approaches to data governance.
Data access & governance beyond roles and attributes
Role assignment, role authorization and permission authorization – three relatively simple and straightforward principles of Role-Based Access Control (RBAC). For smaller organizations operating centrally, this approach may be sufficient, even if it means system administrators manually intervening whenever roles change or multiply.
However, the rise in cloud-based infrastructure and distributed workers has taken businesses beyond the traditional security perimeter. Online collaboration – and sharing of sensitive data – is now an integral part of ensuring business continuity. It’s also essential for meeting expectations of employees who favor a hybrid or remote-first working environment.
This shift to cloud is only going to continue, even for industries with legacy infrastructure, such as finance.
“Fortune 500 financial institutions alone could generate as much as $60 billion to $80 billion in run-rate EBITDA in 2030 by making the most of the cost-optimization levers and business use cases unlocked by cloud.”
McKinsey
Alongside the multi-billion-dollar benefits, there are 20 million risks. That’s how many files are open to employees at large financial services organizations. This level of attack surface represents risks not only to security but also to compliance. Yet CDOs and CISOs are also tasked with mobilizing and democratizing data, by ensuring appropriate access controls are in place.
Current workplace platforms offer a variety of controls designed to manage this new reality, from limiting file sharing among internal users and setting expiry dates, to AI-based sentiment analysis and threat detection. However, these still involve plenty of manual management and monitoring. For organizations to implement these controls at scale, an automation-based alternative would seem the obvious solution.
While Attribute-Based Access Control (ABAC) updates permissions automatically as attributes change, it is also highly complex to set up.
Multiple policies require multiple attributes when defining access controls, so scalability is often limited – particularly for international organizations with workforces operating across borders, where risks and governance vary by jurisdiction.
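As an added illustration (not Velotix code or code from this article), the Python below contrasts the two models for one cross-border request: the RBAC table only changes when an administrator edits it, while the ABAC decision follows the user’s jurisdiction attribute, the kind of per-jurisdiction variation described above. The user, dataset and policies are constructed for the example.

```python
"""RBAC versus ABAC for a cross-border data access request (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# RBAC: a static role -> permission table. Changing who may see what means an
# administrator editing this table or the user's role list by hand.
RBAC_ROLES: Dict[str, Set[str]] = {
    "analyst": {"read:sales"},
}

def rbac_allows(user_roles: List[str], permission: str) -> bool:
    """Permission authorization: granted if any held role carries the permission."""
    return any(permission in RBAC_ROLES.get(role, set()) for role in user_roles)

# ABAC: policies are predicates over user, resource and request attributes.
Attrs = Dict[str, str]

@dataclass(frozen=True)
class Policy:
    name: str
    effect: str  # "allow" or "deny"
    matches: Callable[[Attrs, Attrs, Attrs], bool]

POLICIES: List[Policy] = [
    # Jurisdiction rule: PII may only be read from inside the region where it is stored.
    Policy("pii-stays-in-jurisdiction", "deny",
           lambda u, r, q: r["classification"] == "pii" and u["jurisdiction"] != r["jurisdiction"]),
    # Business rule: analytics staff may read the sales dataset.
    Policy("analytics-reads-sales", "allow",
           lambda u, r, q: u["department"] == "analytics" and r["dataset"] == "sales" and q["action"] == "read"),
]

def abac_decide(user: Attrs, resource: Attrs, request: Attrs) -> Tuple[str, List[str]]:
    """Deny-overrides: a matching deny wins, then a matching allow, else deny by default."""
    matched = [p for p in POLICIES if p.matches(user, resource, request)]
    if any(p.effect == "deny" for p in matched):
        return "deny", [p.name for p in matched]
    if any(p.effect == "allow" for p in matched):
        return "allow", [p.name for p in matched]
    return "deny", []

SALES_EU: Attrs = {"dataset": "sales", "classification": "pii", "jurisdiction": "EU"}
READ: Attrs = {"action": "read"}

def compare(user_jurisdiction: str) -> Tuple[bool, str]:
    """Same analyst, same dataset; only the user's jurisdiction attribute differs."""
    user: Attrs = {"department": "analytics", "jurisdiction": user_jurisdiction}
    return rbac_allows(["analyst"], "read:sales"), abac_decide(user, SALES_EU, READ)[0]
```

The RBAC answer is the same for both jurisdictions because no role edit has happened, whereas the ABAC answer flips as soon as the user’s jurisdiction attribute changes.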
“Data governance faces new challenges that the usual data governance objectives and activities don’t address. What’s needed? A new data governance (2.0) that’s more agile and operational depending on business models, with new objectives and activities to meet business concerns.”
Forrester
Data Protection Policy: Stages for success
The data lifecycle now sits at a crucial and evolving intersection: between offering maximum access and minimum risk.
As a result, businesses require constant monitoring and updates, based on internal and external rules, to support safe and secure sharing.
This new reality calls for a similarly new concept: the Data Protection Policy (DPP), where policies and regulations can eventually be built into a single source of truth – a data protection policy catalog.
Naturally, the DPP will be different for every company, industry and legislative requirement. For example, consider a typical business workflow with data successfully flowing through the business ecosystem.
At the start there’s initial data discovery, with data cataloging and tagging to build the data layer, preparing the foundations so employees can understand what data is available.
Then comes the data democratization stage, where employees, including those from non-technical functions, can make self-service access requests, so that data can flow to the right parts of the business at the right time.
The workflow execution stage involves authorization and automation. Data access governance processes have to be as adaptable as the business use cases. Taking into account factors including the type of data, users, and sectors. After all, while governments align data regulations at national level, natural divergence will still exist across highly regulated areas such as healthcare, BFSI, telecoms, education, and utilities.
Self-service also has to be at the heart of this type of ecosystem. Users or machines can initiate requests to access relevant insights from data catalogs. Approvals can then be made based on the DPP’s business rules, regulations and best practices.
For departments tasked with growing the business, data access relies on similarly 360-degree vision. Plus, speed and agility – slower manual approvals can render insights and decisions out of date.
Meanwhile, policies have to be complex to reflect the complexity of modern organizational needs. The business requires a source of constant monitoring and updates. Staying ahead of changes, ensuring policies are enforced and continuously improved. It’s a long way from traditional and more static policy control and management. That’s why organizations need this new concept of DPP – alongside similarly ground-breaking technology: AI.
AI for data protection, innovation & intervention
Streamlining the data access lifecycle is the only way to make all this possible, and that requires an AI-based platform that verifies, builds and maintains policies based on who, what, where, when and how access is granted.
Data catalogs are aggregated, and policies are readjusted using machine learning. The result: the right data policies are created, maintained, and optimized.
Velotix is the only platform that gives you this, with end-to-end capabilities for governing, logging and controlling access. Offering orchestration across the full lifecycle. Powered by an AI-driven engine that acts continuously, to create and update your corporate data policies.
The Velotix AI-based access governance system ensures:
- Efficient application & enforcement of the right policy & the right access
  This can be done in seconds and minutes, with automatic routing of requests to stakeholders for approval
- Policy catalogs are accurate, up-to-date and deliver a single source of truth
  Velotix makes policy management as dynamic as your datasets, with actions and exceptions adjusted based on evolving enterprise policy requirements
- Detection of malware by running pattern recognition
  Velotix’s AI helps organizations keep pace with today’s fast-evolving threats. Automatic restrictions on viewing data, including PII classification, add even more protection and defense
- Increased automation across the data governance process
  Workflows can be configured to match the relevant use cases – fully automatically or with partly or fully manual involvement
Velotix’s architecture comes with a DPP repository. One place to manage, track and automatically maintain policies.
What’s more, its increased granularity can be configured in real time, and changes to rules – and the related access – can be managed in real time.
The emphasis is on proactive management, rather than letting machines operate in opaque, risky, and potentially non-compliant ways. Instead, human intervention is essential.
Accelerating AI capability with the ‘human in the loop’
It’s a common phrase in cyber security: “You can’t protect what you can’t see”.
It’s the same for governance – legislators can’t legislate what they can’t see. That’s why applying AI for policy management also relies on human input, delivering audit-level transparency and visibility.
First, to avoid a “black box” situation, where unknown algorithms make it difficult to demonstrate efficient application and enforcement of the right policy.
Second, when it comes to interpreting the rationale for data policy decisions. While some are made by the AI, approvals and/or rejections still involve interventions from a human data controller.
Third, for solving the challenge around finding large datasets for realizing AI’s potential. Human knowledge and experience can bridge these gaps in training and testing algorithms. Data can be labeled during testing, to generate a feedback loop that helps the machine learn faster.
When applied to a DPP, this unlocks the door to improved policy creation and maintenance. Giving your business a platform that turns governance into a competitive advantage. At least, it does when you choose the Velotix platform.
Try Velotix and discover how patented symbolic AI and ML can build a modern DPP for a changing world. Explore how our platform gives your people secure and compliant access to the right data at the right time. Find out how to automate policy management, remove silos, and maximize your insights.