We are seeing organisations finding out about data repositories they didn’t even know existed until an investigation is underway. The explosion of new technologies, such as artificial intelligence (AI) and large language models (LLMs) is presenting its own set of challenges. With businesses collecting growing volumes of data – against a backdrop of increasing cyber attacks – losing visibility and control of sensitive data is leaving organisations exposed to potential extreme risk.

Increasing class action is being taken against organisations that have failed to establish adequate steps to protect the data they hold. And with an evolving regulatory and legislative landscape around data holdings – and heightened risk around third-party data – it’s no surprise data governance is inching its way up the corporate agenda.

However, despite growing awareness of this problem, there is a significant lack of understanding about how to tackle it.

Business leaders do not know which questions to ask to get conversations around this issue started. Is this, first and foremost, a technology problem, where they need to start by looking at their oldest legacy systems? Or is this a legal problem, with a lack of understanding of the data they hold?

Tackling the information void is overwhelming.

Less is more when it comes to privacy

The adage of “data is the new oil” is wearing thin as companies realise having large volumes of data available isn’t necessarily useful, and potentially holds greater risk than benefit. Business leaders need to start focusing on data minimisation where possible.

VIEW ALL

As a first step, organisations should home in on the technology problem, by scrutinising legacy systems and reassessing the retention period around backups. This ensures a leaner, more efficient data infrastructure. Another challenge lies in the visibility of unstructured data – often scattered across multiple platforms like spreadsheets, shared drives, and team collaboration tools. Managing this dispersed data is essential for maintaining control and security.

Thorough oversight needs to be taken to third-party security and privacy controls; whether it’s external vendors or partners accessing organisational data, stringent protocols must be in place to safeguard sensitive information.

With an ever-changing cyber and regulatory landscape, it’s crucial to map the data organisations hold against relevant regulatory frameworks to implement necessary operational controls effectively. This is more easily done by establishing a process of classifying the records a business holds, understanding their retention needs and implementing disposal mechanisms.

By systematically managing the end-to-end data life cycle – from classification to disposal – businesses not only ensure compliance but also mitigate the risk of legal repercussions.

Preparing your data and design security controls

Businesses must take a multidisciplinary approach involving IT, legal and business stakeholders to understand data usage, the technological support required and legal obligations.

Without a clear grasp of your asset landscape, you cannot really determine the information you hold. It’s crucial to map your asset sources, delving deep into the business infrastructure to unearth valuable information assets and sources, be it structured or unstructured.

Moreover, understanding the function of data repositories – its sensitivity, purpose, and relevance – is crucial to aid in identifying potential risks and elements that need to be maintained, not just the overall asset, but each individual piece of data.

Businesses should look to leverage technology-assisted diagnostics to understand the structural intricacies of business assets, providing a helicopter view of the system architecture and pinpointing areas of heightened sensitivity. Through stringent risk assessment, data sets carrying substantial risks, such as personally identifiable information, can be established and prioritised for enhanced protection measures. The aim should be to start across data holdings with the most sensitive risks first, understanding those systems, what data is held, who accesses it and how it’s generated.

Regulatory alignment should serve as a guiding principle, ensuring that data mapping efforts seamlessly adhere to compliance mandates. Cataloguing and classifying data controls are essential steps towards fostering business awareness of the operational context. Implementing, which is arguably one of the hardest steps, needs to go beyond privacy by design to encompass regulatory data hygiene to uphold critical governance processes and compliance standards.

Going from awareness to action

Encryption protocols, retention policies, and stringent data hygiene practices fortify an organisation’s defences against potential threats. The reality is that the more sensitive the data, the more organisations tend to want to hold onto it. Organisations need to keep data to a minimum required for business purposes.

Proper third-party management and insider threat mitigation strategies can further bolster the resilience of data governance frameworks, ensuring holistic protection across all fronts.

Central to this is appointing a data owner to oversee data quality and adherence to regulatory requirements. Businesses can also consider appointing a data protection officer to be embedded into the organisation. This is a new type of frontier in terms of roles and responsibilities and the mandate to manage the data minimisation and governance process.

By embracing these foundational principles, businesses can navigate the complexities of data governance with confidence and resilience.

Brenton Steenkamp is a partner at Clayton Utz.