Using the DAMA Wheel to Build a Data Privacy Action Plan

Executive Summary

This webinar discusses the importance of data privacy and data management for businesses. It covers the potential data privacy risks of a 100-year-old company, privacy laws and the admissibility of evidence in court cases, data privacy and ownership, managing privacy and data flows within organisations, and data management and governance. It also covers continuous data management, IT data management and privacy, extracting value from data, adapting language to the audience, using data maturity for compliance, setting target ratings, certification and compliance, risk management, standardisation, and communicating business concepts. Throughout, the webinar emphasises the critical role of data privacy and data management in today’s business environment.

Webinar Details

Title: Using the DAMA Wheel to Build a Data Privacy Action Plan
Date: 11 April 2022
Presenter: Caroline Mouton, Graeme Cartwright and Howard Diesel
Meetup Group: Data Privacy & Protection with Caroline Mouton
Write-up Author: Howard Diesel

Data Privacy and Risk Evaluation for a 100-year-old Company

Graeme speaks of a client who engaged his services just two months before the Protection of Personal Information Act (POPI Act) came into effect at the company. The client held sensitive personal information in various data pools. They requested a POPI readiness evaluation to assess their preparedness, already suspecting they were not fully ready. To manage the information efficiently, the head of enterprise architecture proposed initiating a data architecture practice. A data governance committee was also suggested to evaluate the client’s existing practices and determine their maturity and coverage levels. A data risk model revealed potential areas of exposure that extended beyond POPI-specific issues, indicating general data governance weaknesses rather than privacy gaps alone.

Figure 1 Background for example

Figure 2 Data risk metamodel

Potential Exposures and Data Privacy Implications

Graeme discusses the importance of addressing potential exposures and their data privacy implications when moving to the cloud. He shares his experience of being contacted by a previous client to review the data maturity of all business units. The client had previously relied on a popular site for data management recommendations and had implemented the suggestions and guidelines it provided. However, the POPI readiness exposure made the business areas realise how little understanding and control they had over their personal information. Graeme emphasises that the same recommendations are relevant under GDPR and other data privacy laws.

Figure 3 Surprise Comeback

Figure 4 Data Management Maturity

The Importance of Data Management and Privacy

Effective data management and privacy are critical in protecting sensitive information. Risk-based data management principles should be applied universally, regardless of where data is held or the nationality of the customer. Financial transactions are themselves personal information, so their security must be ensured. Change management and cultural shifts are necessary for effective data privacy within organisations. Sub-projects can help identify the changes needed within each business unit, and system-based controls are easier to implement than changes in mindset. Notably, a grocery store incident in which a customer’s membership card data ended up in a lawsuit shows why data privacy must be addressed before it becomes a significant issue.

Figure 5 The Issue

Privacy Laws and the Admissibility of Evidence in Court Cases

The webinar focuses on instances of personal data being used as evidence in court cases. Graeme discusses a court case where a plaintiff’s purchase history was used to suggest they may have alcoholism, raising questions about their state of intoxication at the time of the incident. The importance of privacy laws in protecting against breaches of trust and ensuring data is used only for its intended purpose is emphasised. The webinar also notes that newer laws such as GDPR and POPI could change the outcome of similar situations by making evidence obtained through privacy violations inadmissible in court. The purpose and intent behind recording personal information, such as purchases, is crucial when evaluating the admissibility of evidence. A similar case in Maryland is also highlighted, emphasising the importance of giving notice regarding the use of surveillance footage and specifying its purpose. Caroline Mouton highlights the significance of the statement of purpose at the time of data collection in determining its relevance and admissibility in court.

Data Privacy and Ownership

Graeme discusses the concept of data ownership and privacy impact within a business. He highlights the need for employees to be aware of data privacy and not treat it as a mere token requirement. Graeme emphasises the importance of implementing change controls when accessing and using data to ensure safety. Additionally, he brings attention to the shift in attitudes towards privacy among newer generations and the potential risks of employees sharing data without regard for privacy. Graeme highlights the challenge banks face with younger employees who value data access over privacy.

Managing Privacy and Data Flows in Organizations

Managing privacy and data flows is a crucial aspect of business operations. Internally revamping controls to manage privacy, discussing the ethics and philosophy of privacy, and bringing DAMA and data maturity into the management of personal and sensitive company information are all essential. Data flows can include not only personal information but also sensitive company information, and understanding the flows of all information is a prerequisite for discussing personal data flows. Measuring and quantifying data flows is necessary to identify the risks in each process. Finally, generic discussions can help in understanding the broader issue of privacy management.

Importance of Data Management and Data Governance in Business

Graeme highlights some key challenges the company faces in data management and governance. The company tends to engage external people for assessments instead of conducting them internally, despite the availability of maturity assessments. Compliance with data management controls was initially seen as a one-time effort, but the company now realises it is a continual business requirement. A lack of skills and technical expertise in master data management has made implementation difficult. Executives were unprepared for the broad and ongoing impact of data governance and management. Data management and governance should be driven by compliance but also seen as a business value-add. Finally, everyone with a data-oriented mindset faces data management challenges.

Figure 6 The Selling Point

Importance of Continuous Data Management in Business

Graeme outlines the importance of prioritising continuous data management in business operations. Many organisations fail to understand the advantages of ongoing data management, which can lead to data accumulation without proper organisation. He emphasises the need for businesses to invest in effective data management to optimise data quality and relevance. The discussion focuses on which organisations excel in this area and highlights the consequences of improper data management. Using the analogy of a plumber, the speaker stresses the importance of focusing on data quality and relevance rather than just data collection to ensure business success.

Figure 7 Important questions and discussions

The Importance of Data Management and Privacy in IT

Data management and data administration are two distinct processes that should be separated to ensure better business operations. Small businesses can achieve this separation easily; in larger organisations it brings a cost overhead, and the separation is often forced by compliance requirements. Accountability is crucial for lawful processing and privacy, starting with the information officer under POPI and the data protection officer under GDPR. The person accountable for privacy ensures that data quality is addressed, but data ownership is still an unresolved issue in the IT industry. Maturity in data management and privacy is therefore essential for business success.

The Importance of Data Management and Information Assets

The King IV Code highlights the importance of governing information assets separately from technology and emphasises the need to manage the risks associated with information. However, many companies still view data and information as part of the technology landscape rather than as integral components of their business strategy.

Some companies have successfully embraced the significance of data to their business and have restructured themselves to focus on data products and services. Doug Laney is set to publish 200 use cases of such businesses, illustrating how they have maximised their use of data. Laney also engages with companies to help them realise their potential as information businesses and provides services to bridge their thinking gaps.

Extracting Value from Data and the Importance of Data Management

The webinar discusses the importance of finding value in data beyond its status as an asset. It highlights different types of benefits that can be derived from data, such as efficiency uplift and trading agreements. Using use cases is presented as an effective way to analyse how businesses are obtaining necessary benefits from data. Compliance is seen as an outcome but should be transformed into a driver for action within the business. It is suggested that the marketing manager or director should own privacy programs as they deal with customer relationships. The discussion proposes to focus on what the data represents rather than considering data management as generic and lacking specific focus. An example is a company that conducted a master data management project for procurement, resulting in cost savings through globalised purchasing.

The Importance of Tailoring Language to the Audience in Data Management

Effective communication is vital when discussing data with different audiences. It is important to use the appropriate language based on the technical knowledge of the audience. Technical terms should be avoided when communicating with non-technical individuals, and financial terms should not be used with technical personnel.

Some executives have criticised data management maturity assessments as a way for consulting firms to make more money. However, these assessments can be used to drive action and change behaviour concerning data management. To facilitate data privacy, a quick and customisable maturity assessment tool has been developed for corporate and individual use.

Figure 8 Data Management Advisory Apps

Utilising Data Maturity for Data Management and Compliance

Howard Diesel emphasises the importance of scoping the data privacy risk model, which in the example reduced the number of deliverables from 169 to 97. He discusses the stepwise improvement of data maturity to support data management and compliance. Compliance is achieved when data strategies, policies, procedures, and data flows are well defined. Howard suggests that progress can then be made from level three to level five. Setting a timeline for achieving compliance is crucial, as moving from absent to defined takes time and effort. The webinar provides an example of scoping data privacy using deliverables such as a data strategy and a data privacy policy.

Figure 9 Data Maturity Assessment

Figure 10 Data Privacy DMMA (Data Management Maturity Assessment) Scope Settings

Figure 11 NDMO Data Management Domain Compliance

Setting Target Ratings for Data Management

Data management compliance needs to be reviewed regularly. Some areas are within scope, while others are out of scope. Organisations should avoid aiming for optimised immediately and instead raise target ratings gradually. Building a strong foundation for data management increases the chances of success, so target ratings should be set at a reachable level, such as becoming repeatable. Gradual improvement also builds the credibility of data management within the organisation. Exporting the analysis results makes it possible to create graphical representations of current and target ratings, which can be useful when reporting.

Figure 12 Further Scope Settings – By Deliverable

Figure 13 Further Scope Settings – By Deliverable Continued

Figure 14 Data Privacy Requirements – By Deliverable

Figure 15 Data Privacy Maturity Analysis

Using Maturity Assessments and Risk Analysis in Data Privacy

Howard covers several points related to maturity assessment. Firstly, a score of minus one is considered abnormal in the maturity assessment: it means the deliverable was never rated. Rolling up knowledge areas is essential for a complete view of data privacy maturity. Conducting a risk analysis identifies the risks exposed by the maturity assessment; a deliverable is treated as a risk only if its maturity level is two or more levels away from the target level. Lack of communication at level three is a problem and poses a challenge. Individuals’ skills, requirements, and aspirations can be assessed in the same way, and two launch pads allow assessment of both the organisational and the individual aspects. The DAMA Wheel is the tool used to measure maturity and create a roadmap for achieving targets, with the level of risk assessed from the gap between current status and target. Communicating the relevance of maturity assessments to senior management can be challenging, and the frequency of maturity assessments, for example annually, needs to be decided. Finally, compliance requirements in Saudi Arabia must be met by the end of the year.
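The scoping, target-setting and gap-based risk rules described in this section and the two before it (scope deliverables in or out, set reachable target ratings, treat a score of minus one as abnormal, flag a deliverable as a risk only when it is two or more levels from target, roll results up to DAMA knowledge areas) can be written down as a small model. The following is an added example, not code from the webinar, DAMA or Modelware. It assumes a CMMI-style 0 to 5 scale (absent to optimised), the convention that a knowledge area is rated at its weakest deliverable when rolled up, and constructed sample deliverables rather than figures from the presentation.

```python
"""Maturity-gap risk scoring for a scoped data privacy maturity assessment (added example)."""
from collections import defaultdict
from dataclasses import dataclass, replace

# CMMI-style scale assumed for the write-up's "absent ... defined ... optimised" wording.
LEVELS = {0: "absent", 1: "initial", 2: "repeatable", 3: "defined", 4: "managed", 5: "optimised"}
NOT_ASSESSED = -1   # the write-up treats a -1 score as abnormal: the deliverable was never rated
RISK_GAP = 2        # write-up rule: a deliverable is a risk only when target - current >= 2


@dataclass(frozen=True)
class Deliverable:
    area: str        # DAMA Wheel knowledge area the deliverable rolls up into
    name: str
    current: int     # NOT_ASSESSED or 0..5
    target: int      # 0..5
    in_scope: bool = True


def check(d: Deliverable) -> Deliverable:
    """Reject ratings outside the scale; -1 is allowed here and reported as abnormal later."""
    if d.current != NOT_ASSESSED and d.current not in LEVELS:
        raise ValueError(f"{d.name}: current rating {d.current} is off the 0-5 scale")
    if d.target not in LEVELS:
        raise ValueError(f"{d.name}: target rating {d.target} is off the 0-5 scale")
    return d


def gap(d: Deliverable) -> int:
    """Levels still to climb; 0 when the target is already met."""
    if d.current == NOT_ASSESSED:
        raise ValueError(f"{d.name}: not assessed (score -1), no gap can be computed")
    return max(d.target - d.current, 0)


def is_risk(d: Deliverable) -> bool:
    """In-scope, rated, and two or more levels short of target."""
    return d.in_scope and d.current != NOT_ASSESSED and gap(d) >= RISK_GAP


def roll_up(deliverables):
    """Roll in-scope deliverables up to knowledge-area level.

    Assumption (not from the page): an area's current rating is its lowest rated
    deliverable, so the area is only as mature as its weakest part. Unassessed
    deliverables are listed as abnormal instead of being silently dropped.
    """
    by_area = defaultdict(list)
    for d in deliverables:
        if d.in_scope:
            by_area[d.area].append(check(d))
    summary = {}
    for area, items in by_area.items():
        rated = [d for d in items if d.current != NOT_ASSESSED]
        summary[area] = {
            "current": min((d.current for d in rated), default=NOT_ASSESSED),
            "target": max(d.target for d in items),
            "risks": sum(is_risk(d) for d in items),
            "abnormal": [d.name for d in items if d.current == NOT_ASSESSED],
        }
    return summary


def roadmap(deliverables):
    """Prioritised action list: largest gap first, ties broken by area and name."""
    risks = [d for d in deliverables if is_risk(d)]
    ordered = sorted(risks, key=lambda d: (-gap(d), d.area, d.name))
    return [(d.area, d.name, gap(d)) for d in ordered]


def next_cycle_target(d: Deliverable, max_step: int = 1) -> Deliverable:
    """Cap the coming cycle's target so the plan climbs one reachable level at a time."""
    if d.current == NOT_ASSESSED:
        return d
    return replace(d, target=min(d.target, d.current + max_step))


# Constructed sample data for illustration, not ratings from the webinar.
SAMPLE = [
    Deliverable("Data Governance", "Data strategy", 1, 3),
    Deliverable("Data Governance", "Data privacy policy", 0, 3),
    Deliverable("Data Governance", "Data governance committee charter", 2, 3),
    Deliverable("Data Architecture", "Personal-information data flow diagrams", NOT_ASSESSED, 3),
    Deliverable("Data Security", "Access control procedure", 3, 3),
    Deliverable("Metadata", "Business glossary", 1, 4, in_scope=False),  # scoped out
]

if __name__ == "__main__":
    for area, s in roll_up(SAMPLE).items():
        cur = LEVELS.get(s["current"], "not assessed")
        print(f"{area:18} current={cur:13} target={LEVELS[s['target']]:10} "
              f"risks={s['risks']} abnormal={s['abnormal']}")
    for area, name, g in roadmap(SAMPLE):
        print(f"RISK gap={g}: {area} / {name}")
```

Running the file prints the per-area roll-up and the prioritised risk list. The privacy policy (absent, target defined) and the data strategy (initial, target defined) come out as risks; the committee charter is one level short and is not; the unassessed data flow diagrams are reported as abnormal rather than scored; the out-of-scope glossary never appears. `next_cycle_target` is the "set reachable targets" rule: applied to the privacy policy it pulls this cycle's target down to initial, which is no longer a risk under the two-level rule.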

Figure 16 Data Privacy Maturity Analysis Continued

Figure 17 Data Privacy Professional Assessments

Importance of Assessing Data Management Maturity

Howard highlights the importance of reviewing data management progress quarterly to avoid setting unrealistic goals. The timing of a data management implementation depends on the organisation’s readiness and on the need to comply with regulations. Privacy requirements are a key driver for organisations to adopt data management practices; the NDMO standards in Saudi Arabia are one example, and POPIA has changed how data management is perceived. The frequency of maturity assessments may vary with the project’s scope, and failing to reach maturity targets can itself provide valuable insight for improvement. Marketing managers can use maturity levels as a sales tool to motivate action. Tech start-ups tend to frame privacy discussions around marketing and product integration, and privacy can be leveraged as part of a brand strategy to enhance customer engagement and productisation.

Certification and Compliance in Data Privacy

The organisation has received inquiries about its official rating and certification in data privacy. GDPR (Article 42) provides for data protection certifications, issued by accredited certification bodies or the supervisory authority. A tech company has requested such certification in order to market its level of compliance. Certification ensures consistent application of a standard with measurable outcomes. The international privacy standard, ISO 27701 (an extension of ISO 27001), is audited by accredited certification bodies and sets a baseline of minimum requirements. Compliance with data privacy laws remains open to interpretation and evolves with case law; even the definition of a responsible party or controller can shift as a result of court cases. There should therefore be a minimum checklist of capabilities for data privacy compliance. Outsourcing processing does not absolve the responsible party of accountability, and the processing party must also have the necessary capabilities.

Compliance Risk Management and Data Outsourcing

Compliance management is an ongoing risk management exercise that requires constant monitoring because standards and their interpretation keep evolving. Advertising technologies in particular are under increasing scrutiny and need closer attention to compliance. Outsourcing data or privacy management does not transfer the organisation’s accountability, nor does it guarantee that fraud will be prevented. CEOs initially aim to eliminate compliance problems entirely but eventually realise they must work through the process. One model for successful compliance testing is the Enterprise Independent Testing Group at a major US bank, which reviewed the tests conducted by other departments and performed statistical analysis to confirm compliance.

The Importance of Standardization, Compliance, and Risk Management in Data Privacy

Cherry-picking records for testing, choosing only a select few, undermines standardisation. Standardised, independent sampling is a key factor in ensuring that compliance testing is credible and that data acquisition meets minimum standards.

Privacy management includes various aspects such as data management, governance, compliance, risk management, internal audits, and quality management. Organisations must comply with GDPR and other local regulations, especially regarding cross-border data transfer limitations. The DAMA Wheel offers guidance on managing data and complying with privacy requirements. Finally, prioritising actions based on their potential risks is central to effective risk management.

The Importance of Communicating Business Concepts

The webinar highlights the importance of linking what is written to the business perspective in order to address challenges in capabilities, development, and customer value delivery. The writing process should be guided by risk assessment and privacy concerns. The Compliance Institute of Southern Africa offers a Generally Accepted Compliance Framework (GACF), which benefits both large financial institutions and small companies. Caroline emphasises the need for a multidisciplinary approach that learns from existing frameworks such as the DAMA Wheel. Effective communication with the target audience is achieved by translating technical language into business language.

If you would like to join the discussion, please visit our community platform, the Data Professional Expedition.


If you would like to be a guest speaker on a future webinar, kindly contact Debbie (social@modelwaresystems.com)
