Digital transformation can make organisations more agile, efficient and customer-centric. While these benefits are well understood, businesses that neglect the governance aspect of digital transformation risk contravening data privacy and security regulations – something no business can afford to do.
Just to complicate matters, regulations constantly change and many are region or industry-specific. To remain on top of things, governance leaders need to work with stakeholders from across the business to ensure that nothing is overlooked, while also ensuring they are up-to-speed on upcoming additions to the regulatory landscape.
Several upcoming regulations relate to cutting-edge technologies like AI and machine learning. While these tools can unlock huge benefits for businesses, in many cases they also come with a degree of risk. Governance leaders must therefore develop a broad understanding of them to address potential issues before they get out of hand.
It’s a lot to cover. But as the following advice shows, governance leaders that make these issues a priority will ensure that digital transformation programmes are compliant as well as competitively advantageous.
Stakeholder management
Governance leaders need to identify and work with a variety of stakeholders – such as IT teams, operational leaders, and financial and legal departments – to ensure compliance standards are met during digital transformation programmes.
“If the company has a chief compliance officer, chief privacy officer, chief risk officer or data privacy officer, these are the figures required for a company to meet their compliance challenges,” says Robert Meyers, channel solutions architect and fellow of information privacy at One Identity. “But these must not be the only people that get involved in governance, compliance or privacy.”
Brian Kane, co-founder and COO of privacy compliance company Sourcepoint, agrees that every team, from marketing to IT, needs to be engaged and aligned with an organisation’s approach to privacy. “The accumulation of data that accompanies digital transformation initiatives, be that external or internal data, means that all stakeholders must be adequately trained not just on internal processes, but on basic privacy principles,” he says, adding that privacy must become the “guiding principle of the company.”
That should extend to the board level too. “There should be one person on the board who is responsible for compliance,” says Nigel Jones, co-founder of the Privacy Compliance Hub and ex-associate general counsel and head of legal for Google in Europe, the Middle East and Africa. “A governance leader such as the data protection officer needs to report directly into that board member and compliance regularly needs to be on the agenda of each board meeting.”
He describes this as “managing up” and says: “A successful governance leader needs to set expectations with the responsible member of the board and explain that without their support on the board and throughout the organisation, any compliance programme will fail.”
Changing regulations
Regulations are constantly being updated and new ones introduced, not least when it comes to data privacy and security.
How can governance leaders keep up with all this change? Or better yet, stay ahead of upcoming regulations? “Get involved,” says Meyers. “If you are sitting on the sidelines it is hard to keep up.”
He advises governance leaders to sign up for the International Association of Privacy Professionals and, for security, ISACA (formerly known as the Information Systems Audit and Control Association), as these bodies train the auditors for cybersecurity and governance.
“Additionally, I’d start listening to some podcasts and follow certain dedicated Twitter feeds to keep up with the latest news and changes in legislation,” he adds.
George Ioannou, managing partner at Foolproof, a Zensar company, also advocates for forging stronger working relationships with regulating and standardisation bodies. “This could lead to the co-creation of future compliance standards and policies that are underpinned by a greater understanding of the details and objectives behind digital transformations.”
For Jones, keeping up with a constantly evolving regulatory landscape is as much about having the right culture in place as anything. “The practical reality is that governance leaders need to be comfortable with the fact that they cannot keep up with every change,” he says. “That is why they need to have the right culture in place, kept in place by a regularly maintained compliance programme.”
This ensures that the important things are dealt with. “There is no point in knowing that the data retention period for tax returns in Austria has recently changed if none of the employees in an organisation have been trained on the simple steps they can take to keep data safe in their digital workplace,” he says.
The role of technology
Technologies such as AI and robotic process automation (RPA) are becoming increasingly mainstream across a range of industries and business functions. But that doesn’t mean bots can simply be left to their own devices.
Fairness and bias issues can arise from the use of AI. “RPA at its core is a scalable, cost-effective replication of human decision making, which means it can reinforce some of our unconscious biases in certain instances,” says Dr Michael Kollo, chief economist at Faethm AI.
“AI and RPA-based systems are scripted in nature and therefore more open to regulatory scrutiny,” he adds. “So compliance’s job is to make sure their algorithms are executing in an unbiased manner, and if not, prevent small biases from being scaled across the organisation and creating more structural issues.”
Many AI solutions are “black box” solutions, which means “it is difficult, if not impossible, to understand how decisions are made and thus whether decisions and recommendations are compliant with policies,” says Dr Lars Rossen, CTO of Micro Focus. “On the other hand, you can actually use AI techniques to help find and pinpoint compliance issues in an organisation, by, for instance, using AI to find information that requires GDPR attention in unstructured data.”
Kollo adds: “Certain elements of compliance roles are very data-driven; typically they involve collecting data and comparing it to transactional benchmarks to establish whether something is compliant or non-compliant. These tasks can be automated to a great extent by systems like RPA, which collect large volumes of data and generate rules-based outcomes for a compliance professional to assess, saving them a great deal of valuable time in the process.”
Could compliance professionals be put out of the job by the bots? Kollo says: “There are also many elements of compliance that relate to more strategic risks that require human management rather than immediate identification and elimination. In other words, a different skill set that is much less likely to be automated in the near future.” For now, the future looks to combine the best of people and technology.