International data governance: Managing data across borders

Having a solid data governance strategy is essential for ensuring data remains consistent, trustworthy, and doesn’t fall prey to misuse. Data governance will only continue to become more crucial as organizations are subject to new data privacy regulations and increasingly rely on data analytics to drive business outcomes.

From the COVID-fueled shift to remote work, to economic and geopolitical uncertainty, enterprises have done a lot of evolving and adapting in recent years — and so too have their data governance needs. As Gartner VP analyst Saul Judah put it, “Responding to varying levels of uncertainty in today’s world requires speed and agility, and traditional approaches to data governance are becoming obsolete.” Furthermore, “a typical ‘one-size-fits-all,’ command and control-based IT governance capability has neither the scope nor the agility to meet the needs of digital business.”

Data governance is particularly challenging for organizations that operate globally, and for the vendors that support them. There’s an ever-growing need for software vendors to more deeply understand customers and their respective responsibilities. As service providers, software vendors are entrusted with protecting customer data across borders. Should a security incident occur involving data that is protected within a certain region, vendors need to be clear on both their own and their customers’ responsibilities to properly mitigate it.

In most cases, vendors stay compliant by following general best practices. From a data management perspective, a lot of information security hasn’t changed: Understanding data types, classifying and tagging data, and ensuring there are proper controls and management around data are traditional approaches that still work. The challenge now is doing this at scale, across a global landscape. Between the European Union’s General Data Protection Regulation, California’s Consumer Privacy Act, Brazil’s General Personal Data Protection Law, Canada’s Personal Information Protection and Electronic Documents Act, Japan’s Act on the Protection of Personal Data and more, there’s a lot to keep track of.

Here are top considerations for successfully governing data across international borders:

Maintaining a data inventory is key

At the most basic level, vendors must understand customer data if they want to govern it effectively. Most cloud and infrastructure service providers enable native tagging capabilities that help users understand their workloads. Additionally, data classification tools let users automatically discover data elements that are potentially protected within the databases or cloud services an organization already uses. By cataloging data in this way, organizations gain insight into where they may have exposure.

The discoverability and automation made possible by these tools also allow vendors to service requests for data removal, providing an increased level of confidence when it comes to auditors and regulators. Should data need to be deleted, vendors can do so effectively and verifiably. Today we see generative AI starting to play a role in helping vendors classify customer data on a large scale. Its ability to review content found in collaboration tools or in database tables, and then determine that content’s applicability against a very complex network of regulations to ensure compliance, will be invaluable.

Distributed databases provide the best of both worlds

Distributed databases are an important tool for managing data across different regions at scale. When data must be protected or regulated based on a specific region’s requirements, oftentimes it makes the most sense to have that data reside within that region. For example, Germany’s data privacy laws are such that all data generated within the country must stay there. Similarly, Australian requirements around financial services data dictate that those workloads are best suited to reside in Australia. Essentially, distributed databases enable data sovereignty.

Other workloads aren’t subject to such strict requirements and can be distributed across the globe. In these instances, distributed databases let vendors balance workloads effectively and provide the best experience possible to the end user. Distributed databases offer the best of both worlds by keeping highly regulated data where it needs to be and also giving vendors the flexibility to move less-regulated workloads around freely to optimize user experience.

Tools are only effective if they’re actually doing what they’re intended to: Audit!

Once a vendor has the appropriate technologies in place, it’s critical to regularly assess how well those tools are operating within their environment. Governance, risk and compliance (GRC) tools do just that. According to Gartner, these solutions help with “evaluating and modifying compliance programs in near-real time, pressure-testing system operations, and together with management and the board, improving oversight processes.”

That same resource from Gartner also notes that adoption of GRC tools is expected to increase 50% by 2026 as new regulations continuously emerge and the need to stay compliant intensifies (and becomes more complex to navigate). Governance, in its purest sense, is simply ensuring that obligations and requirements are being met, and GRC tools let vendors verify that the technologies and systems they have in place are operating as intended.

Data governance at global scale certainly has its challenges. By considering the tips and tools above, vendors can ensure their customers are meeting regulatory requirements while simultaneously expanding their own global portfolio, and therefore unlocking new opportunities.

Dan Garcia is chief information security officer at EDB

Copyright © 2024 Federal News Network. All rights reserved.