Metadata for Regulatory Compliance and Personal Information Protection
Metadata Describing Private Data
Ensuring that the private data a business stores is adequately protected is increasingly the responsibility of a chief privacy officer (CPO). Typically, CPOs are responsible for ensuring that privacy laws are complied with, identifying the data in the company that needs to be protected, developing policies to protect that data, and responding to any incidents that occur. A further recurring problem is that the definition of what counts as personal information, and therefore must be safeguarded, keeps changing, so the inventory of protected data has to be revisited rather than drawn up once.
This cannot be accomplished without metadata management!
The Basel II Accord, also referred to as the “New Capital Accord,” is a set of compliance requirements that provide risk management guidelines to banks around the world. It was developed by the Basel Committee on Banking Supervision, based in Basel, Switzerland; the guidelines themselves are enforced by national regulatory agencies.
The accord directly affects the amount of capital that banks must set aside to absorb unexpected losses. If a bank’s risk management practices comply with the Basel II guidelines, it may be permitted to hold less regulatory capital, leaving more capital available for revenue generation.
Banks only realize that benefit, however, if they can prove they have a trustworthy risk management system whose risk calculations are valid and can be verified and traced in an audit. They must also maintain a transparent system that allows customers, investors, and other interested parties to evaluate the efficacy of the bank’s risk management practices.
Although Basel II never mentions metadata, its key requirements can only be met if banks effectively capture and preserve metadata. Because a risk calculation must remain reproducible and traceable in an audit long after the underlying data definitions, models, and sources have changed, the accord implicitly requires a history of metadata, not just its current state.
Sarbanes-Oxley (SOX) includes among its many requirements “internal controls and procedures for financial reporting” (Sections 302 and 404), which require CEOs and CFOs to:
- Certify the contents of their corporate reports.
- Provide an assessment of internal controls for all systems used to generate and deliver financial reports.
- Not only document internal procedures, but demonstrate adherence to them.
SEC rules mandate “policies and procedures in addition to the control environment… including adequate safeguards over access to programs and data files.” Auditors will tell you that the controls that apply to data also apply to metadata (information about information) and to business rules, which makes a controlled, auditable process for metadata management a critical imperative for public companies.
Metadata for Compliance: Points to Ponder
- When it comes to data quality and information integrity, information about the data (metadata) is as important as the data itself. Metadata plays a key role in how people generate, store, track, retrieve, report, and deliver information, including the information within financial statements.
- Metadata provides the underlying definitions and the auditability that describe how information flows.
- As such, metadata touches the complete family of sources (documents, spreadsheets, databases, and applications) that are used when compiling financial reports.
- Oversight of metadata is a best-practice, critical-to-quality control that should be reviewed during an IT system audit.
- One urgent aspect of Sarbanes-Oxley compliance is therefore enterprise-level control of metadata.
- Inconsistent metadata produces comparison problems and errors in reported data. If you think of structural and business metadata as the underlying definition of the information structures themselves, then what is needed is a metadata repository that supports reconciling metadata across heterogeneous environments and helps resolve interoperability problems, which, by the estimate cited here, can consume 30–50% of integration time and effort.