Posted by Daragh O’Brien on Jan 19, 2017 10:06:22 AM

As organisations begin to wake up to the power and value of the information they can and do process on a day-to-day basis, there is a parallel evolution of regulatory responses and compliance requirements. However, law and regulation always lags behind the evolution of technology, and the potential upsides of new tools are often sold without adequate consideration of potential downsides.

challenges_organizations_business_face_in_keeping_pace_with_regulations_compliance_adaptive_experts.jpg

As businesses, financial institutions and governments begin to adopt increasingly “data driven” business models and models of operation, a range of potential impacts emerge. These include the impacts on personal privacy, economic impacts of monopolies in technologies, and the social and societal impacts when the data used to drive these ‘information-driven’ decisions is of poor quality or is poorly understood.

In this context, regulatory interventions are often necessary to ensure that the negative impacts of excessive processing of personal data, dominance of a single service provider, or a range of other factors are constrained or mitigated.

Of course, this isn’t new. We have seen regulation brought to bear in a range of areas where a failure to do so would lead to negative impacts for society as a whole. From the level of lead in the paint on a doll’s house, to the quality of rubber used in a car tyre, to the way in which the pump in your petrol station counts the litres of fuel you are putting in your tank, standards and laws for information exist in a variety of contexts and have done for millennia (the Babylonian scribes we met in an earlier post probably had defined standards for how big a “bushel” was).

What is new is the pace of change and the increasing lag between technology innovation and legal/regulatory response. As the Babylonian example shows, it is easy to see the relationship between a bad thing happening and the need to standardise the size of bushels of grain. It is often a lot harder to foresee the impacts of a new, and potentially beneficial, technology. Like free email (negative: privacy impacts, monopoly effects), or internet search engines (negative: privacy impacts, monopoly effects), or fitness trackers (negatives: privacy impacts, application in medical contexts for which they may not be calibrated, etc.)

Add to this the increased internationalisation of businesses and business models and the number of jurisdictions that an organisation might need to operate across, and the spider’s web of potential challenges becomes increasingly complex, with both positive and negative impacts. What is acceptable in one region might be illegal or frowned upon in another. What is seen as a valuable addition to your brand in one market might be perceived as contrary to public values or public interest in another. What is the minimum standard of compliance in one market might be a clear brand differentiator in another.

different_standards_compliance_rules_regulations_for_global_markets_need_for_metadata_management.jpg

Finally, regulations and standards can take a long time to develop and become finalised. This can often lead to tight timelines for the implementation of changes to bring the organisation into compliance with the new legislation. For example, the General Data Protection Regulation in the EU will have taken almost six years from scoping to coming into force, but surveys consistently show a decided lack of readiness on the part of organisations in the EU to meet their new compliance obligations.

How can an organisation keep on top of all of this? And how can an Information Management professional such as the CIO get ahead of any of this?

Ultimately, the answer to that question is that the organisation doesn’t. But the organisation does need to engage with appropriate experts who can keep on top of things for them and provide relevant input, insight, and advice. Organisations do this all the time already when seeking to sell physical products into a market or when considering the economic value case for how they manage their tax affairs across different jurisdictions. With data it should be no different.

Of course, such expertise is sometimes difficult to find and expensive to acquire. So, professionals in organisations are usually well advised to seek out “secondary sources” of information and advice. Examples of where you can look for information include:


Information Source

Comment

Industry Conferences

Increasingly Data Privacy and Information Ethics are appearing as topics at conferences internationally. Other ‘traditional’ Regulatory topics are also covered frequently. Attending is a good way to learn, and to build contacts with relevant experts who might be able to help.

Industry publications and websites

Increasingly there are articles on the practicalities of data-related legislation and regulation in different countries appearing in different forums. We can also see the emergence of practitioner communities around different areas of Regulation, such as www.dataprotectionforum.eu

Industry Professional bodies

Organisations such as DAMA International (www.dama.org) and the IAPP (ww.iapp.org) regularly provide information and commentary on emerging trends and practical challenges, and often they can help connect you with relevant industry expertise.

Commercial Whitepapers and similar publications

Law firms and consultancies often publish whitepapers or other marketing materials that contain research and perspectives on the role of information management in Regulatory compliance. Technology vendors such as Advanced Metadata also publish similar papers.

Guidance  and Advisory notes from Regulators or from Legislative bodies

These are very useful as they give an insight into the thinking of Regulators or the legislators on how the legislation will evolve or should be interpreted. It’s important to remember however, that the guidance is applicable only in the context of that Regulator, but might represent an instance of “good practice”.

Academic Papers and Conferences

While perhaps not as immediately relevant to people working at the coal face, quite often academic papers contain unbiased views on the potential issues, risks, challenges, and opportunities in applying Information Management practices such as Metadata Management and Data Governance to meet Regulatory challenges.

Social media such as Twitter or LinkedIn can also be a useful source of information or content to review. It’s also (potentially) a method to get in contact with relevant experts for more detailed advice.

The problem is that once you have all this data, you need to have some way of cataloguing and classifying it. Ironically, what you need is some form of metadata to associate with each source, and effective management of that data so that you can quickly assess the validity or otherwise of the information you are being presented with.

For example, a vendor may put a particular ‘spin’ on one aspect of a Regulatory challenge because that is the aspect their product conveniently addresses. Or a law firm might place a heavier emphasis on the horrendous penalties if things go horribly wrong so you’ll hire them for expensive advice. Without some way of classifying the data you are gathering so you can put it in context, you will run the risk of information overload.

Another type of metadata that you might want to apply to these external sources is metadata about the regulatory principles or data management disciplines being discussed. For example, I might tag an article on the use of metadata repositories to support automated data retention schedule execution as being related to “Principle: Retention”, “Practice: Metadata, Database Operations, Content Management”.

Ultimately, the challenge facing an information management professional dealing with Regulatory issues is simple:

 

How do I translate this into specific things that we need to do for, with, to, or about the information we are processing?

 

Trusted experts can help translate the regulatory drivers into actionable information strategy and governance requirements. Failing that, applying a robust metadata-driven approach to finding, qualifying, and classifying the various sources of information you use to research potential issues and risks is a very good way for you to develop expertise and understanding.

By walking the talk of data lineage (understanding the source of the information you are reading), data classification (categorising the source, and categorising the content), and other fundamental principles of metadata management, you can build a robust knowledge base in your personal library.

Topics: Data Governance, metadata management solutions, metadata management, irish metadata management company, data management, importance of metadata management, regulatory compliance, data regulation, regulations and compliance

Subscribe to Email Updates

Posts by Topic

see all