December 15, 2020
Most organizations suffer from a compliance gap when it comes to data: how they say they manage data frequently does not align with how they actually manage it. This gap poses significant and sometimes catastrophic risk to organizations, from regulators, courts, and competitors as well as from malicious actors looking to exploit poorly governed data.
The most common data-related compliance gap is records management. Nearly all organizations have a records retention schedule that dictates how long corporate records must be kept, but rarely do they dispose of those records systematically and consistently once their retention period has expired. This non-compliant over-retention exposes organizations to elevated costs and risks from litigation, data breaches, and regulatory actions.
However, the records management compliance gap is not the only data-related compliance gap, and it is far from the riskiest. The Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), and the European Union’s General Data Protection Regulation (GDPR) all impose monetary penalties that can reach millions of dollars for failing to manage data in accordance with the controls they require. Despite the risk of significant fines (and the very real public relations fallout associated with them), many organizations retain terabytes of unmanaged health and consumer data on their systems in direct violation not only of these regulations but of their own corporate policies as well. Organizations in all industries also face risk from unmanaged employee data and from unsecured intellectual property, much of it stored outside sanctioned systems.
In general, organizations do not intend to operate with data-related compliance gaps or to face the very real risks and costs that doing so presents. Until organizations are able to complete a data map, and so understand what data they have, what kind it is, where it is stored, and who owns it, they will be unable to effectively manage corporate data in accordance with compliance requirements like HIPAA, GDPR, and CCPA.
The Data-Related Compliance Gap
Ankura has developed a data mapping methodology that has been used by over 100 organizations across industries to better understand their data and support their compliance efforts. It combines top-down mapping (what policies, schedules, and system inventories say should be happening with corporate data) with bottom-up mapping (what is actually present on systems), enabling organizations to compare the two and identify the gap between them.
Ankura Data Mapping Methodology
Our methodology enables organizations to do more than simply establish “check the box” compliance through the minimum controls needed for a given regulation. Instead, this approach enables effective management of data according to its risk and value, whether to support privacy, cybersecurity, legal, records management, information technology, or line-of-business requirements. It supports good data hygiene by enabling organizations to purge data once it is no longer legally or operationally needed. Finally, it enables organizations to identify, quantify, and remediate data risk from an enterprise perspective, rather than from departmental, functional, or application silos.