July 9, 2025

Ready Data is Compliant Data: Does Your Data Hold Up to Scrutiny?

More so than other components of data readiness, the requirement that data be compliant is an ongoing exercise. Compliance must not only account for continual changes to how customer data is safeguarded and used, based on changing preferences and updated regulations; it also differs from industry to industry, region to region, and from one company to another.

What is compliant data? In essence, it is data accountable to any and all regulations and to the subject of the data, e.g., a customer.

Data compliance must satisfy many masters. There are company mandates, which may account for reputational control, internal security or certification requirements. There are customer requirements having to do with preferences and permissions, with permissions broadly including how data is shared and how it’s controlled for any number of different use cases. And then there are regulatory requirements, including HIPAA, GDPR and CCPA, that are continually updated in terms of what data may be collected, with changing rules for how data is used and protected.

Compliant Data, a Checklist

To satisfy the requirement for compliant data as the sixth pillar of data readiness, companies need to ensure that they have the right metadata, have sufficient controls in place to ensure that access is granted to the right people, and have data set up within whatever security and control mechanisms (i.e., data governance policies) are approved by the IT organization.

Parameters for data governance controls may include whether data must be kept at rest when on-premise, whether calculations must be performed exclusively in the cloud or may combine cloud and on-premise data, and procedures governing authentication and authorization, auditing, lineage and history. All fall under the compliance umbrella.

Compliant Data Complexity

For a sense of the complexity involved with ensuring data is compliant, satisfying GDPR requirements is a good place to start, particularly with the “right to be forgotten” policy. Compliance requires that companies document and confirm each request for erasure by a consumer, inform a consumer whether the organization will honor the request and explain any reason for noncompliance, decide what information needs to be erased and how to erase it (archiving, deletion, etc.), remove the information, notify internal systems and external partners, and record each of the erasure steps taken.

The steps are complicated in part because the right to be forgotten under GDPR is not an absolute right, but rather spells out when an organization’s right to possess someone’s data (and for how long it may keep it) overrides the right to erasure – such as when it is being used to comply with a legal ruling.

Compliant Data and Methodology

Ensuring data compliance is as much methodology as it is technology. A data readiness platform that gets data right and gets data fit-for-purpose might check all the boxes in terms of making sure that data is complete, accurate, timely, actionable, trusted and compliant, but methodology accounts for the nuances of what being fit-for-purpose means for various industries, or for different use cases. The key is for your data readiness platform to properly support and adapt to an individual organization’s approach.

The Six Pillars of Data Readiness: Compliant

Methodology in the context of compliant data, for example, might include knowing how to match a customer record when a regulation prohibits you from saving credit card information in a point of sale (POS) system. Instead, you retain and match the zip code with another unique identifier. Or, lacking the zip code of the customer who made the purchase, you use the zip code of the store to set a geographic boundary and compile a list of possible matches within the boundary using other data points.

While the zip code workaround is effective in retail, the point is that there is a different methodology for every industry that stores and uses customer data. A data readiness platform should have the flexibility to account for industry type, intended use cases, and other important variables.

Compliant Data and Trusted Data

While trusted and compliant data are both pillars of data readiness, they are distinct and serve different purposes. Compliant data adheres to external requirements — regulations, legal mandates, and contractual obligations. It’s about proving that you are managing data according to the law and to standards defined outside the organization.

Trusted data, on the other hand, is earned. It reflects the organization’s ability to consistently use data in a way that is accurate, transparent, and respectful of customer expectations. It’s customer-facing and experience-driven, and it helps foster long-term relationships through responsible data use.

The two are interconnected – you can’t build trust without compliance, but compliance alone doesn’t guarantee trust. A data readiness platform must support both: ensuring regulatory alignment and the ethical, transparent handling of data that inspires confidence.

Compliant Data and Data Governance

Just as data quality is part of a holistic approach to data readiness, data quality is incomplete without data governance. A strong data governance program goes beyond privacy and security to include master data management and metadata management. Data governance helps connect all the dots for what it means to have compliant data, but a complete program will not just have policies and procedures in place; it will also establish ownership and define roles and responsibilities – which gets to the heart of having a methodology in place.

Coming next, we will turn our attention to data readiness specifically as it applies to AI.

John Nash

Vice President, Strategic Initiatives
