Regulatory Compliance

Data security and compliance weigh heavily on any organization handling sensitive, regulated, and high-value information. Regulatory mandates are nothing new, but in most organizations the pressure, cost, and effort required to sustain data compliance is reaching unprecedented levels. Depending on the industry, there are regulations that dictate which kinds of data need to be protected while there are also industry-specific metrics that an organization must produce to demonstrate thresholds of quality, compliance, or performance. As a result, compliance is both about protecting sensitive data to meet the interests of consumer/individual privacy as well as providing relevant data to external oversight bodies.

Given the vast number and variety of privacy and compliance regulations, organizations need to be able to apply industry-specific process and quality rules regardless of whether data resides on-premise, in the cloud, at the point of data collection, at various points during the data lifecycle, or even in archives. The Informatica platform contains a number of tools to assist with  compliance efforts.

Five Principles to Developing Compliance Capabilities

1. Ensure High Quality Data

Poor quality data can lead to inaccurate or inconsistent reporting and inaccurate triggers that events have occurred either in the form of false positive or false negative results. False positives can lead organizations to inaccurately count too many trigger events, ultimately creating noise around the true events. False negatives can lead to missing an event of concern. High quality data ensures that identifying compliance risk becomes easier and more accurate, reporting becomes more efficient, and results are more accurate. Poor quality data can also lead to missed aggregation results in analytics and therefore downstream decision-making processes.

Another aspect of high-quality data is eliminating duplicate data and finding the best source of truth for individuals, products, suppliers, etc. This ensures that when compliance reports are being created on a per subject basis, that all the necessary information is aggregated under that single mastered record.

To discover the quality of your data, Informatica Data Quality (IDQ) is used to profile the data and create scorecards. These scorecards can be integrated into Axon as part of the overall Data Governance visualizations and reporting. Axon can also be used to document the business definition of data quality rules which can then be integrated with IDQ and turned into executable rules.

Creating the best source of truth for individuals, products and suppliers can be achieved with Informatica’s Master Data Management (MDM) tools; Multi-Domain MDM, Customer360 (C360), Product 360 (P360), Supplier 360 (S360), and if transactional information needs to also be associated with the mastered subject, Customer 360 Insights (C360i). If transactional data needs to be included in the compliance report (e.g., medical records for patient requests Payer Risk Adjustment reporting for the Affordable Care Act, products purchased, membership club benefits consumed, call center interactions for Privacy Act reporting, etc.) then Customer 360 Insights (C360i) may be a better option for the registry of subject data.

2. Establish Enterprise Data Governance

To identify data that needs to be protected or reported, one needs to find it at any point in the data lifecycle. Data (and metadata) need clear, standardized definitions; and integrated information about data lineage needs to be available to business users who are responsible for assembling compliance reports. This will vastly reduce the time to achieve compliance and the level of effort involved.

The Axon data governance product is used to capture those standardized definitions as Glossary items and establish policies related to the data, systems, processes, and 3rd parties the data is shared with or sold to.

Metadata and lineage can be obtained with Enterprise Data Catalog (EDC) scans and that information can be integrated in Axon and tied to the Glossary definitions. 

3. Automation

Discovery and profiling are essential to knowing where data resides, who accesses it, how often it is updated and whether it’s valid -- not only for the data you know and are familiar with, but more importantly for the data you don’t know about. Data Privacy Manager (DPM) is an automated and AI-driven tool that can reveal where the data lives, what business processes it supports, who uses it, who controls it, how well it’s protected, and what risk it carries. The DPM protection information can also be integrated into Axon for a complete view of quality, lineage, and protection.

4. Reusability

If data is defined, standardized, or fixed in one system, those rules need to persist either with the data itself or in the systems where the data lives. Any updates should be reusable across any other data stores. And data should be standardized across the enterprise, thus making reporting more accurate and improving reporting efficiency.

Using Axon as the central place where the business defines the rules and integrating them with IDQ allows those rules to be reused across other applications such as Master Data Management (MDM), data movement tools such as Power Center (PC) and Informatica Intelligent Cloud Services (IICS).

Using Axon as the central place where the business defines data protection policies and integrates them with DPM, provides a streamlined mechanism for policy definition and enforcement.

5. Include Both Business and IT

Business stakeholders define the data and the processes the data is used in, translate the compliance mandates, and prepare compliance reports and analytics in Axon. IT supports the data management practices whereby data is ingested and travels across different applications and systems. IT applies data transformation rules via IDQ as defined by business users. DPM in conjunction with Test Data Management (TDM), Persistent Data Masking (PDM), Dynamic Data Masking (DPM), and Data Archive can automate many of the processes whereby data is protected or modified as needed by end-users, and eventually archived according to record retention schedules established by the business and legal/compliance teams. It is critical that IT understand the business reasons for knowing where the data is stored and how it moves during the data lifecycle. IT can provide visibility into the data lineage via either EDC or DPM information integrated into Axon, thus enabling business stakeholders to readily respond to compliance mandates.

While a full regulatory compliance initiative across multiple Informatica tools is always customer-specific based on an organization’s requirements, below is a possible outline of what capabilities can be implemented with each tool. Not all capabilities/tools are needed for every customer:

The above capabilities can each be implemented as standalone projects or as sub-projects in an overall program in parallel with each other depending on resource and budget availability. 

Once success has been achieved with each tool individually, they can be integrated together to provide a more powerful and automated compliance platform:

The final outcome in any regulatory compliance initiative is providing reports and dashboards that visualize the information of interest to compliance.