Bringing the C’s Together

The Chief Data Officer is in a unique position because they bring together the ever-expanding catalog of available information and opportunities to bring value to their organizations. To be effective, they need to look at information objectively, realizing the upside potential while managing risk and acknowledging their handling responsibilities.

An “I” in PII stands for INFORMATION

The range of information can and should include all the sources that can help achieve the desired objective, including information about people, such as Personally Identifiable Information (PII).  After all, PII is just a class of information, which in many cases can enhance the quality and value of products and services.

But PII is unique in that, because it pertains to individuals, it is increasingly subject to a wide range of obligations, whether regulatory, contractual or ethical.  The Chief Privacy Officer is tasked with implementing the policies, procedures and controls around how PII is handled within an organization.

Since the scope of a CPO’s role is to manage compliance for information tied to individuals, and the CDO’s responsibility is around governing and managing the full body of enterprise information, it follows that the CPO responsibility is a subset of the CDO’s responsibility.

Bringing the CDO and CPO together

Traditionally, the CPO sits in the legal and compliance area of organizations, which positions them well to focus objectively on the treatment of the information, looking at it through a legal lens.

In the last several years, with the rapid growth of data science, there has been a significant refocus on how information is used in organizations, with increased recognition of the benefit that leveraging information can bring. Organizations have responded by hiring data scientists and appointing CDOs located within the business side to focus on leveraging information as an asset.

Having the CDO organizationally separate from the CPO makes it harder for them to collaborate and raises compliance risk. Instead, having the CPO within the Office of the CDO — or even having one person hold both roles — provides the opportunity to leverage information with compliance built in, with clear accountability to operational leadership.

Why is this better?

Merging the CDO and the CPO roles provides organizational clarity around the commitment to pursue the opportunities data provides, while highlighting and recognizing the importance of respecting the compliance obligations.  The CDO should be as conversant in business goals and the data vision and strategy as they are in the data privacy program.

In addition to the positive optics around emphasizing the importance of privacy, this model embeds privacy in the fabric of operations, not as an afterthought.  It enables the goal of implementing Privacy By Design, and a Privacy Impact Assessment (PIA) becomes a “punctuation mark”, not a major activity.

Checks and balances

To be sure, colleagues (in Risk and General Counsel’s offices) would point out that a benefit of separating the CPO from core business operations is that it helps ensure organizational objectivity and independence, supposedly reducing the chances that privacy requirements can be deprioritized relative to revenue objectives.  But I would argue it happens anyway, in part because the separation raises the risk for privacy to be an afterthought. And implementing privacy requirements as an afterthought (or even just later in a project) greatly reduces the chances of success, while increasing cost and extending timelines.

So there are two key relationships that need to be in place to help ensure the effectiveness of the Privacy program:

  1. Counsel: Privacy is a legal concern, so the CPO/CDO should have a strong relationship and connection to Counsel.  Even the largest organizations rely on outside counsel to supplement the skills of in-house counsel. This is a great idea and should be formalized.
  2. Internal Audit: The CDO/CPO should work with internal audit to make sure data handling is included in the scope of the audit plan.  If there is an ERM (Enterprise Risk Management) plan, data risks and mishaps should figure prominently.

Organizations that are pursuing data leverage, whether as a source of new revenue, or a way to improve products and services or as a way to optimize management decision-making, should consider the significant benefits of merging the data management and privacy capabilities, as it may lead to a stronger – and safer – program, more aligned with the business.

Contact me at james@jhoward.us

Data Literacy and the CDO

I attended a CIO Event in New York today and there was a great session focused on Data Literacy, presented by Jordan Morrow from QlikView.

Simply put, Data Literacy (in a business context) is a person’s ability to read, understand, analyze and communicate data as actionable information, including using data to support an argument or a proposal.  Jordan conveyed that only ~20-33% of those surveyed (including senior executives) considered themselves Data Literate. At the same time, 80% of senior executives see leveraging data as an asset as critical for continued success and growth.

Responsibility for increasing data literacy falls to the CDO, and should be a high priority, as it is a prerequisite for an organization achieving maturity in the data leverage space, and is a springboard for data innovation.

The benefits are clear.  If an organization achieves a higher level of data literacy, they will:

  • Be able to define a vision that more closely aligns with overall mission
  • Develop a strategy that aligns with culture and is more implementable and focused on achievable objectives
  • Distribute the execution across the organization with more stakeholder buy-in
  • Include data as a basis for decision-making
  • Improve professional skepticism around quality of data

If people are sensitive to the nature of data, they can be expected to incorporate risk-awareness when deciding how to handle data – for example, knowing they are handling PII may cause them to exercise better judgement around its treatment, or ask an SME for guidance.

It’s a tall order, especially given the acknowledged low current state of literacy, but can still be approached in a pragmatic way.  There are a number of methodologies out there for increasing Data Literacy that can be adapted to an organization.  Here are some thoughts on approach:

  • The CDO should chair a leadership-level steering committee with representation from all business areas, which sanctions the CDO’s agenda and champions the program;
  • Data Literacy should be on the agenda as a core element and critical-success-factor;
  • Steering committee members should become data literate;
  • Careful thought should go into how the literacy program is rolled out:
    • Culture is hard to change (and requires ongoing messaging and overt steering committee/senior leadership support)
    • Training triggers eye-rolling, especially if it’s not closely tied to a person’s day to day responsibilities
    • Raising literacy is iterative, and should be tied to roll-out of capabilities or products, so awareness and training is relevant and just-in-time.
    • Wins should be celebrated.
  • Since richer datasets might incorporate regulated data, Data Literacy training/awareness should cover appropriate data handling, based on the nature of the data.  This has the added bonus that, if it’s delivered just-in-time, it will be more relevant to the use-case being introduced.

I came away from the CIO Event reminded that even though CDO responsibilities are growing on the market-facing side (e.g., data monetization), they should also be responsible for ensuring everyone in the organization is realizing the benefits of the “data economy”.


The Case for a Broad Scope CDO

Information exists in all forms, spread across organizations, and available throughout the marketplace. Forward-looking organizations are identifying and categorizing information assets with a view to leveraging them – perhaps by enhancing existing products and services, by creating net-new revenue opportunities, by optimizing business or financial operations, or by managing risk more effectively.

Treating Information Like an Asset

Like with any asset, and as a responsible business person, the Chief Data Officer (CDO) establishes the vision and goals for information use, and implements strategies to achieve that vision – whether they are monetization, product/service-enhancement or business optimization.  As a responsible steward, the CDO governs the information through its lifecycle, and manages risk in a way proportional to the threats, and in consideration of the value of the asset and stakeholder expectations.  

Handling techniques are aligned with the nature of the information and take into account the way the business wants to use information.

Depending on how the information is stored, transmitted and processed, threats and vulnerabilities may run the gamut of cyber – from traditional hacking all the way to sophisticated industrial espionage schemes – as well as non-technology based threats, such as physical loss, destruction or theft. 

Depending on the nature of the information, it may be subject to a variety of obligations – contractual, GDPR, PCI, HIPAA/HITECH, GLBA, client expectations, etc., many of which include principles-based and/or prescriptive handling requirements, with a wide range of legal, financial, and/or brand damage consequences in the event information is mishandled, lost or breached.  

Stepping Back

So taking a step back, we’re describing a business environment where

  1. The market is demanding a greater degree of data use,
  2. Data science is providing ever expanding opportunities, and
  3. The range of vulnerabilities/threats/obligations is more complex than ever.

Everyone seems to be focusing on information, and the opportunities and stakes are huge.  Responsible organizations wanting to lead their industries will exploit information assets, meet compliance obligations and manage risks proportionally – and as a result, derive value. 

Role of CDO

It is difficult to see how to manage information in a balanced way in a traditional organizational structure where the revenue/leverage focus of information is separate from the protection focus, which is further separate from compliance focus.  It would seem unrealistic to expect to be fast-moving, nimble, risk-aware and compliant, if data leverage, protection and compliance are all managed in parallel organizations, often with different success criteria and subject to different measurements.  

Organizationally, this suggests building the Office of the CDO by pulling together:

  1. Data vision and strategy: interfacing with senior and business-line leadership, establishing a vision for data use, and defining the strategy to achieve the vision;
  2. Data Governance and Management: designing, building and operating processes and controls for handling information throughout its lifecycle;
  3. Obligations compliance: monitoring and respecting the rules and expectations; and
  4. Information protection: understanding threats and vulnerabilities, and ensuring they are addressed in a proportional way.

Among business trends, information leverage is seen as having the highest potential to deliver maximum value back to organizations.  To derive that ROI, the CDO needs to have the organizational authority to influence and/or drive activity across the enterprise, whether it’s to enable existing product lines’ information ambitions, or to cut through organizational politics and roadblocks.  To achieve that they need to report to the highest levels of the organization, accountable to the management committee and Board. 

Advantages

This model has a host of advantages:

  • It enables senior-level visibility and buy-in for information-related initiatives, 
  • It focuses talent on exploiting and managing a critical corporate asset as a primary objective,
  • It forces the protection efforts to operate in a way that’s proportional to the value of the assets being protected, and the risks to which they’re exposed,
  • It aligns compliance to the way an enterprise wants to use information, and the relevant aspects of the obligations,
  • It raises the profile and creates focused awareness around the information assets,
  • It provides for career opportunity and satisfaction for the participants, because they are more closely exposed to the revenue cycle of their employer, and
  • It aligns investments more closely with objectives and return.

Information is increasingly viewed as the new natural resource. It presents opportunities that can be exploited along with risks that can be managed.  And the pace of change is increasing. Organizations should lay the groundwork now to position themselves for the new Information Age. 


Innovation and Data

Data Explosion:

As a benefit of advances in technology, the volume and availability of data are increasing exponentially, including the ability to collect rich data as collateral from operational transactions.

Sensors permit the increased gathering of data, some of which can be procured commercially – performance data from jet engines, weather data around seasonal storms, wrist band data from families visiting amusement parks, patient data from medical devices, etc.

Key Advances – enabling data innovation:

Advances in algorithms enable more sophisticated analysis of data – intelligent automation, cognitive –  creating the ability for automation to become more seamlessly integrated into the user experience. Most – if not all – are hugely dependent on the quality and availability of data.

Advances in cloud platforms enable the analysis of larger volumes of data, more opportunistically with on-demand, cost-effective scaling.

Within organizations, data can be classified into the following:

  1. Marketable data – data-oriented products or services that have market value, whether in raw or refined/aggregated form
  2. Management data – KPI information gathered from business systems, used to inform decision makers
  3. Transactional data – information generated from an organization’s business activities, whether banking transactions, audits, sales activities or IoT logs
  4. Operational data – presentations, R&D activities, thought pieces, brochures, client data processed by employees

Opportunities for Innovations:

The evolving discipline of data science is imagining new, innovative and creative ways to combine data, extract “signals” and drive value – whether it’s from anticipating possible outcomes (mortgage defaults as a function of weather patterns and number of computers), identifying lost revenue (hospital networks providing costly diagnostic services, but losing higher margin treatment revenue), or identifying interesting correlations (consumer buying patterns following summer storms).

Each of the above classifications of data presents opportunities for innovation:

  1. Marketable data is the holy grail: with appropriate governance, harvesting and deriving revenue from data available as collateral from business.  Innovation drives questions such as: How can the data be refined or enriched to increase value to the licensor?  How must it be anonymized to meet regulatory requirements?  How can a fair share of downstream revenue be achieved?
  2. Management reporting can be enriched and processes optimized by introducing additional data, e.g. road construction plans influencing product delivery routes or performance of local sports teams affecting snack sales.
  3. Transactions can be mined to optimize performance, contribute to regulatory or management reporting and can be refined with robotics and intelligent automation.
  4. Operational data can be cataloged, leveraged – avoiding re-creation – and tracked for compliance with regulations or client expectations, or disposal.
