The Challenges of Data Access in Highly Regionalized Organizations

While localization can be a huge strength when it comes to adapting to market variables, it makes data accessibility challenging.

As an information architect and business partner who’s served regional to global organizations in industries that include manufacturing, supply chain, advertising and marketing, SaaS, and information accessibility, I understand the challenges of working in highly matrixed and highly localized organizations only too well.

In this article, I’ll highlight the importance of focusing on business goals and offer a pragmatic take on the role of data in driving value. I’ll emphasize the challenges of data accessibility across broad organizations and how challenges are further amplified by highly regionalized privacy laws. I’ll go on to outline the fine-grained access controls and supporting structures required to deliver safe self-service access to data. Finally, I’ll discuss the cost savings that common-sense accessibility and privacy guidelines can deliver and how organizations can implement them within the legal and ethical constraints of their industry and geographic locations.

Evaluating the Value of Data

Most organizations don’t care about data, per se; they care about the questions that data can help answer. Regardless of how they’re framed, organizations ask these questions about people, technology, processes and policies because they want to drive profits through cost savings. Data is a cipher for the real-life phenomena we manipulate to get those profits. That means that accessibility is as much about what data means as it is about getting at the values in a table. Many data and technology practitioners, myself included, believe that data have intrinsic value. However, to create real value, it’s vital that we focus on business goals; there’s always something that can be isolated, accomplished more readily, or improved with access to the right data.

It’s not about how data yields value; it’s about the kind of business value that you want to drive and the levers you need to pull. When data maturity is high, we have easy, democratic access to data and are able to make quick judgements about whether or not certain data comprise a useful lever; we can also engage in sophisticated historical and other combinatorial analyses. When data maturity is low, we spend a lot of time finding, contextualizing, and otherwise wrangling data so that we can get to an informed lever judgment. And the more matrixed an organization gets, the more likely it is that maturity will vary within the organization. The overall data maturity of an organization needs to rise for the perceived value of data to follow suit. And for that to happen, data and technology groups need to get laser-focused on business goals.

Why Complex Organizations Struggle with Data Accessibility

Our data tends to represent our organizations faithfully, whether we like it or not. Globally-oriented or deeply integrated businesses tend to have more globally-accessible data, whereas locally and portfolio-oriented businesses tend to have locally-intelligible data. Local orientation has advantages: these organizations respond to customer-side changes and market fluctuations in an agile way, and local users experience fabulous data accessibility. However, the moment you’re on the outside, data accessibility can be incredibly difficult.

Then there’s the regionalization and, increasingly, sub-regionalization of privacy rules and regulations to consider. The hyper-local nature of privacy law conflicts directly with global accessibility. And it’s not a problem with a simple solution. At the time of writing, even the United States Department of Commerce, the part of the US government that’s responsible for helping businesses apply federal law in letter and spirit, hasn’t got concrete guidance around the most recent updates to GDPR and the EU-US Privacy Shield. The rest of us are bound to struggle, if the lawmakers themselves don’t have an answer.

While most medium-to-large, mature organizations have regulatory and compliance teams, privacy counsel, and architecture groups, when looking to drive profits, doing the right thing in a local context may constitute a roadblock in a global context. One key issue is funding; organizations with a broad product, service or customer spread often have differences of opinion regarding which questions matter and, therefore, which data are important. In addition, local teams can be incredibly reluctant to use their budget to promote global accessibility and drive global value when they don’t see material gains from doing so.

The Difficulties of Enabling Fine-Grained Access Control

Immediate self-service access to data is fundamental for any organization engaged in analytics, digitization, or process optimization. To do that legally and safely, it’s vital to enable fine-grained access control and mask or redact data at discretion. Of course, that’s easier for a locally-situated user who doesn’t need data from all over the organization. Fine-grained access control requires robust, descriptive metadata on the business data as well as the internal user data and very granular and business-centric role-based access (RBAC) as well as discretionary access control (DAC). The technology part is often simple; there’s a heavy lift on what exactly people need to, and may, access and who arbitrates those decisions.

Hyper-localized businesses are often closer to zero-trust because heavy localization often implies businesses that rely heavily on personal relationships. I’ve met sales and service teams at multiple organizations that are so committed to protecting “their” customers that they keep paper notes and are reluctant to share metrics on internal platforms! I realize that this kind of zero-trust may not be the kind readers are envisioning; it’s not the kind that I envision most days, either. The spirit, however, is right on: if our customers can’t trust that we are doing the right thing with their personal information, they will go elsewhere.

Calibrating Data Privacy Guide RailsGuiderails for Your Organization

Global access to data confers a great deal of advantages in analytics and whole value-chain spaces, but it must be accomplished with respect to regional privacy laws and the constraints of the product, service, or customer portfolio. Because there’s such diversity in these laws, and even professional legislators struggle to interpret them, businesses should work with regulatory and compliance, counsel, and architecture to do the fine-tuning. Data privacy guardrails should include a variety of levers for businesses to pull at the intersection of goals and legal and ethical commitments. This should include, but not be limited to, an expanded view of personal information (biometric, country of residence, personal and professional commitments, etc.), retention policy, deletion or restriction policy, access schemes, and a holistic metadata policy that makes sure what business phenomena, precisely, are represented by the data people want to access.

If we take the time to fine-tune common sense guardrails like these to specific locations in our portfolios, we have the opportunity to deliver indirect cost savings during planning and design activities because we show up understanding our business data and access patterns well enough to prototype meaningfully. Just like business goals, common-sense data privacy guardrails keep us on target and cut down on painful discovery phases, analytics expeditions, and runaway consulting fees.

The Importance of Working Together

Practitioner-leaders working in data accessibility and privacy need to realize that we’re not alone. We’re all struggling to define strategy in an emergent field, and we all manage stakeholders (and inner critics) who expect economies of scale everywhere and who want technology to come and take away all our problems. One thing we can always do is to talk to each other. By having safe and ethical conversations about the tactics we’re using to deal with these challenges, we stand a much better chance of finding the right solutions. After all, we’re all someone’s customer and someone’s user. The security and privacy of our data depend on us working together.

About the author: Mara Inglezakis Owens is a practicing information architect and business partner with deep expertise in helping people solve real problems in data, information, knowledge, and process. She’s worked in manufacturing, supply chain, advertising and marketing, SaaS, and information accessibility.

From the Privacera team (Please note, Mara Inglezakis Owens is not employed by Privacera, and their piece does not imply an endorsement).

To learn how to simplify data access policies across your entire data estate, click here.