SQLServerCentral Editorial

I'm Not a Lawyer, But...


Over the last 18 months or so, I’ve spent a lot of time reading about the General Data Protection Regulation, or GDPR. If you don’t know about it, either you live under a rock or you’re a very old school DBA; here’s a reference to the law itself. If you’re working as a data professional, I’d strongly recommend you read through it to understand how it may apply to your work. There are a great many implications for data management, from how to deal with backups, to security, to provisioning non-production systems.

There are also a lot of other laws and rules that you might want to look over:

  • The Public Company Accounting Reform and Investor Protection Act, also known as Sarbanes-Oxley or just SOX for short.
  • The Health Insurance Portability and Accountability Act, HIPAA.
  • Payment Card Industry Security Standards Council, PCI.
  • California Consumer Privacy Act, CCPA.
  • Stop Hacks and Improve Electronic Data Security, SHIELD, from New York state (cute law names should be illegal).

I’ve been reading and studying these things in detail in order to better understand what exactly is going to be required of me as a data professional. I think you should read them too. Some of you are thinking, “A little late to the game, Grant, I’ve been studying this stuff for years.” Others are thinking, “Wonder what leftovers are in the fridge, I’m hungry.” Still others are thinking, “Hey, I’m not a lawyer. I don’t have to read all that crap. I just have to do what the business tells me.” It’s those last people I want to talk to.

You’re right. These laws, rules and regulations are first and foremost a business issue that will have to be addressed by management and legal. No question. However, do you seriously think that the best approach to an oncoming set of new requirements focused on how you manage your data is to stick your head in the sand? You’re going to let the legal department and the business just tell you how to manage the data and you’re not going to provide input? And what if they tell you to do something that just isn’t even remotely possible, physically? Then are you going to get involved?

Maybe we’re different, but I like to take a proactive approach to my work. I want to understand why I’m being asked to do something, not simply do what I’m told. Further, if I understand why something is being requested, and the thing being requested isn’t possible, I’m better positioned to offer alternatives. I’m not left scrambling to try to satisfy requirements that may not be possible. What’s more, I can anticipate what’s needed and do research ahead of time to help ensure that I’m ready when the requirements land in my lap.

I know that there are still plenty of data professionals who have the attitude, “It’s all 1s and 0s. It doesn’t matter what the business does. I just manage the data.” There are hundreds, thousands, of reasons why this approach is flawed, if not dangerous. I may not be a lawyer, but that doesn’t mean that some understanding of the law is not a part of my job. Knowing that one or more (and trust me, it’s more) of these privacy and protection laws will impact me, my job and my organization, I can better prepare to handle the situation to help ensure that my organization is in compliance.
