Category: Privacy

CDO, CPO, Information Management and Governance, Information protection, Privacy

Role of a CDO Supporting Boards of Directors

James Howard

Executive Summary:

Companies are increasingly looking to leverage data as a new revenue stream or a way to increase efficiency.  However, risks related to data breach continue to figure prominently on Board agendas. A Chief Data Officer acting as an advisor can help Boards and Executive Leadership understand the risks and opportunities around data, which in turn, helps Boards fulfill their responsibilities to the organizations they oversee.

Introduction

Boards of Directors have an important and challenging role.  Among other duties, they are responsible to stakeholders for the performance of the organization they oversee.  This includes not only helping to enable business directions and objectives, but also ensuring Management properly identifies, manages and mitigates risks.

Two areas stand out among the ways that information and data figure prominently:  First, business opportunities created by rapid developments in data science and related computing platforms, and second, risks relating to data breach and loss, often under the heading “Cyber risks”.

Business opportunities

Business opportunities tied to information are becoming more important to companies.  Specifically, the significant increase in the role information re-use, leverage and monetization plays in many companies’ strategic plans, increasingly tied to AI and Digital Strategy.  These are outlined in terms of leveraging data science and the abundant range of available data to:

  • Create net-new products and services, including monetizing data, or
  • Enhance and augment existing products and services, or
  • Enrich management information to drive efficiencies.

These initiatives are not trivial, and the potential benefits are huge, whether as new revenue streams, or optimizing operations; many organizations view leveraging information at the strategic level as critical to their continued success – a matter of survival.  Paraphrasing George Orwell, “whoever controls the data, controls the future.”

And momentum is building at a remarkable rate, both in terms of the volume and breadth of usable data, as well as the sophistication of the tools designed to analyze and leverage data.  

Information risks and obligations

Information-related risk presented to Boards and senior executive leadership are often grouped together under the broader topic of Cyber.  These are generally risks related to breach of systems, theft or unauthorized disclosure of data, intrusions, threats to the integrity of systems and data, and the risk of system outages and disaster recovery.  Many recent incidents are where data is exposed on the internet and where the company realistically has no idea whether an actual loss has occurred.

A second category of information risk is also rapidly emerging with increasing consequence, and that relates to compliance with privacy-related information handling obligations and regulations.  These include, for example, the recently enacted EU GDPR (affecting the handling of personal information belonging to EU citizens), HIPAA/HITECH (affecting the handling of health information), and California’s CCPA (affecting the handling of personal information belonging to residents of California).  

Beyond the regulations, there are increasingly explicit requirements for handling data belonging to other stakeholders, spelled out in contracts or other “data use agreements”.  

Consequences for violating information-handling obligations include,

  • Financial: lost productivity, loss of customers, loss of competitive positioning, etc.,
  • Regulatory: fines or other measures imposed by regulators, if the company was at fault.  In the case of GDPR, fines can be as much as 4% of revenue.
  • Brand: loss of customer trust and confidence in the company’s ability to deliver, or to protect information entrusted to them.

Key questions

When evaluating company’s use of data, Board members and executive leadership should ask themselves certain key questions around how data is being leveraged and managed.  These include:

  • What approach is the company taking to leverage data?  What is the vision? The strategy? Is governance a component of the strategy?  Many companies are racing to implement data leverage plans, and in their haste to make headway, many have been hiring data scientists in leadership roles to drive tactical plans ahead.  As a result, governance is often overlooked. However, without proper governance, it will be hard to create a credible strategy reflecting the needs of the business, as well as identify all the opportunities, priorities, costs and risks.
  • Is the data leverage team (“data scientists”) following elements of the Scientific Method?  Many people calling themselves Data Scientists are proposing initiatives where they requisition increasing volumes of data so they can see what opportunities they can come up with.  By itself, this approach introduces risk, since the company may not have a clear idea what they are getting for their investment in big data. By analogy, pharmaceutical companies wouldn’t fund researchers to “play” in the lab letting them see what new drugs they can invent.  Companies pursuing plans to leverage data should do so following some formal methodology which includes articulating and testing hypotheses.
  • Has a data inventory been performed?  What obligations are tied to the data?  Most companies have sizeable volumes of data on hand, and many are asking how they can monetize and leverage the data.  An inventory is critical if the company is going to leverage or monetize data, and knowing obligations is key to understanding what you can do with data and structuring protections.
  • What is the most valuable data and where is it?  Most data classification schemes are very basic — only 2 or 3 classifications.  While these are simpler to implement for security purposes, they aren’t useful for determining relative value of data or what data is key, and can interfere with otherwise appropriate use and access.
  • Who has access to data, and is that access appropriate?  Without proper data governance, you can’t reliably know whether access to data is appropriate.  Being able to answer this question is required under certain privacy and banking regulations.
  • Is it available to the people who need it, and are safeguards appropriate?  Leveraging data requires that the right people can gain access to the data.  But even while its being processed, certain safeguards still need to be in place, and these may be different than for data “at rest”.
  • Have risks to information been assessed along IT and non-IT lines?  Risks should be assessed based on the business processes that manipulate data — not just IT repositories holding data, or applications touching data.  People are the biggest cause of data incidents, and are responsible — in some way — for most “insider threat” incidents.
  • If information were lost, stolen or exposed, how would you know?  Most companies invest in preventing theft or misuse of data, but its extraordinarily difficult to know when data has actually been breached.  Most of the time, companies find out when an outside agency — such as law enforcement, the press, or a “hacktivist” group tells them. Proper data governance and inventory can help reduce the risk of data loss, and allow the company to focus protection efforts on more important data assets.

Step back

Many enterprise risks concerning data elevated to the Board focus on the technology aspects of the risks.  This is often because that is how the company is organized — anything loosely connected to “data” is directed to the CIO and CISO.  Digging into the risks, however, often reveals that the underlying concern is data: it’s use and the consequence of an incident. Taking a step back, if the concern is data, it may be helpful to separate the data from the IT platform it sits on, and from there, zero-in on the issues – both opportunities and risks.

The role of CDO

Increasingly, companies are appointing CDO’s — Chief Data Officer — tasked with implementing governance over the data initiatives, and aligning activity to execute data strategy.   The responsibilities of the CDO vary across organizations, but in general, they should be looked to by the Boards to help understand and navigate data-related matters.

A good CDO focuses on all aspects data – opportunity, risks and obligations.  They are conversant on the technology tools that process, store and transmit data, and can help the Board members understand the topic with clarity so they can engage with executive leadership.  Board members should consider seeking support and advice from experienced CDOs to help them navigate data-related matters in the organizations they oversee.

Conclusion

Data has always been critical to organizations.  In recent years, its increasingly being recognized and treated as an asset that can be leveraged to provide added benefit to organizations, whether through increased revenue or operational efficiencies, and that benefit is tied to the rapidly evolving field of data science as well as the incredible growth in available data.  With the increased prominence of data at the strategic level, Boards of Directors and Senior Executive Leadership are expected to understand and provide direction around the use of data and management of related risks. CDO’s can serve as a valuable resource to help Boards in fulfilling their responsibilities.  

Contact me at james@jhoward.us

Information Management and Governance, Privacy, Uncategorized

HBR and RSA’s Paper on the Impact of GDPR on Business

James Howard

Earlier this year, the Harvard Business Review published a paper prepared by RSA that discussed the impact of GDPR on business, and how companies can thrive under the rules.

The paper provides advice for companies getting started, and what needs to be in place for them to comply.  It also reflects on the “new normal”, and how companies will have to adopt new practices across the organization in order to remain compliant (e.g., Sales and Marketing will need to collect and maintain opt-in’s for the names on their mailing lists).

The final paragraph says:

Data privacy and security of personal data, then, are likely to become ever higher priorities for government as well as individual corporate customers in the years ahead. At the same time, both government and consumer demands on data—for access, mobility, and analytics—will only increase. This creates a tension, especially for large companies that manage large amounts of data, because “minimization—only collecting what you need and keeping it only as long as you have a legitimate reason—is at odds with innovation,” observes Skivington.

The route to successfully navigating between these two objectives starts with knowing the data you hold and providing notice to all EU data subjects to whom it belongs. The rest follows.

By articulating the opposing tension between the market demands for creative use of data, against the requirements to minimize data collected and retained, RSA correctly highlights one of several ways in which the strategic direction organizations want to pursue (with respect to data use) is increasingly at odds with the rights ascribed to data owners.  They don’t recognize that reconciling these opposing forces is central to the CDO’s responsibility and demonstrates the need to closely align the CDO and CPO.  And while the RSA paper focuses on GDPR and the rights to privacy of individuals, it is clear that the obligations imposed by all data owners will follow the same trajectory – especially as data is increasingly regarded as a leverage-able asset by more and more organizations.

The proverbial trains have left the station – one on the data-as-an-asset track and the other on the data-obligations track.  Both are equally important and must be reflected in the CDO’s vision and strategy.

Contact me at james@jhoward.us

 

Information Management and Governance, Privacy, Uncategorized

Bringing the C’s Together

James Howard

The Chief Data Officer is in a unique position because they bring together the ever expanding catalog of available information and opportunities to bring value to their organizations. To be effective, they need to look at information objectively, realizing the upside potential, while managing risk and acknowledging their handling responsibilities.

An “I” in PII stands for INFORMATION

The range of information can and should include all the sources that can help achieve the desired objective, including information about people, such as Personally Identifiable Information (PII).  After all, PII is just a class of information, which in many cases can enhance the quality and value of products and services.

But PII is unique in that because it pertains to individuals, it is increasingly subject to a wide range of obligations, whether regulatory, contractual or ethical.  The Chief Privacy Officer is tasked with implementing the policies, procedures and controls around how PII is handled within an organization.

Since the scope of a CPO’s role is to manage compliance for information tied to individuals, and the CDO’s responsibility is around governing and managing the full body of enterprise information, it follows that the CPO responsibility is a subset of the CDO’s responsibility.

Bringing the CDO and CPO together

Traditionally, the CPO sits in the legal and compliance area of organizations, which positions them well to focus objectively on the treatment of the information, looking at it through a legal lense.

In last several years with the rapid growth of data science, there has been a significant refocus on how information is used in organizations, with the increased recognition of the benefit information leverage can bring. Organizations have responded by hiring data scientists and appointing CDO’s located within the business side to focus on leveraging information as an asset.

Having the CDO be organizationally separate from the CPO increases the challenges to have them collaborate, and raises compliance risk. Instead, having the CPO within the Office of the CDO — or even be the same person — provides the opportunity to leverage information with compliance built in, with clear accountability to operational leadership.

Why is this better?

Merging the CDO and the CPO roles provides organizational clarity around the commitment to pursue the opportunities data provides, while highlighting and recognizing the importance of respecting the compliance obligations.  The CDO should be equally conversant in business goals, and the data vision and strategy as they are in the data privacy program.

In addition to the positive optics around emphasizing the importance of privacy, this model embeds privacy in the fabric of operations, not as an after-thought.  It enables the goal of implementing Privacy By Design, and a Privacy Impact Assessment (PIA) becomes a “punctuation mark”, not a major activity.

Checks and balances

To be sure, colleagues (in Risk and General Counsel’s offices) would point out that a benefit of separating the CPO from core business operations is that it helps ensure organizational objectivity and independence, supposedly reducing the chances that privacy requirements can be deprioritized relative to revenue objectives.  But I would argue it happens anyway, in part because the separation raises the risk for privacy to be an afterthought. And implementing privacy requirements as an afterthought (or even just later in a project) greatly reduces the chances of success, while increasing cost and extending timelines.

So there are two key relationships that need to be in place to help ensure the effectiveness of the Privacy program:

  1. Counsel: Privacy is a legal concern, so the CPO/CDO should have a strong relationship and connection to Counsel.  Even the largest organizations rely on outside counsel to supplement the skills of in-house counsel. This is a great idea and should be formalized.
  2. Internal Audit: The CDO/CPO should work with internal audit to make sure data handling is included in the scope of the audit plan.  If there is an ERM (Enterprise Risk Management) plan, data risks and mishaps should figure prominently.

Organizations that are pursuing data leverage, whether as a source of new revenue, or a way to improve products and services or as a way to optimize management decision-making, should consider the significant benefits of merging the data management and privacy capabilities, as it may lead to a stronger – and safer – program, more aligned with the business.

Contact me at james@jhoward.us