CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

James Howard

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.

 

Published by James Howard

As the former Chief Privacy Officer and Chief Data Officer at KPMG, I developed, implemented and led an Information Management Office, positioning the organization to leverage the transformative opportunities that data analytics, cognitive computing and intelligent automation present. In that role, I was responsible for the processes, tools and controls necessary to meet complex information handling requirements, enabling use while ensuring protection.

Leave a comment