CDO, CPO, IAPP, Information Management and Governance, Information protection, Privacy

Looking Ahead: The New Operating Model for Business

COVID-19 has had a horribly disruptive effect on almost all people and aspects of society.  This paper starts a dialog around an admittedly tiny aspect of that and a view to the future.  It in no way should be seen to marginalize or trivialize the pain and suffering endured by the millions of people directly impacted by the pandemic.

On May 1st, CNBC published this article that discusses how some businesses are re-evaluating their need for physical office space in light of their experience with a majority of their workforce working remotely.

The rapid shift to work-from-home has served as a catalyst for change.  Many years ago, when video conferencing first became available, companies started to invest in equipment that was office-bound, hoping to reduce business travel. That never happened because the technology was temperamental, brands didn’t interoperate very well, there were never enough facilities, and the equipment required expensive point-to-point T1 lines.

Since then, there were advances in the technology along many orientations, including high speed internet to homes, corporate adoption of laptops, smartphones, and importantly, audio conferencing.  This enabled a shift toward work-from-home, and corporate shared office space – “hoteling” (universally adopted by consulting firms and hated by employees), smaller offices/cubicles sold euphemistically as “open concept” workspaces.  But many were still reluctant to use video (Dilbert summed it up well with a series of comics depicting people “working from home” taking video calls wearing their bathrobes).  Workers were far more comfortable with audio conferencing than video, but it still did a lot to get companies and workers more used to remote working.

The needle moved further toward remote workforce with the dramatic increase in off-shoring, leverage of contractors which in itself lessened the feeling of permanence of employment, and perhaps contributed to workers feeling more comfortable as individual contributors working from anywhere.  Paradoxically, there was a simultaneous shift toward urban living, as the number of young people wanting to drive or commute went down, which one might have thought would shift them back to offices.

Powerful Disruptor

All these shifts were gradual, and the net result was tidal shifts in the work model.  Leave it to nature to provide a dramatic disruption, which has resulted in remote working suddenly accounting for 95+% of non-essential workers.  The points raised in the CNBC article are not at all surprising, given how the experts are bracing for periodic reemergence of Corona, but are also supported by:

  • The high cost of commercial real estate and the need to manage costs
  • The remarkable advances in technology enabling remote working
  • The quality of life impact of time-wasting commutes

A shift to predominantly remote working has immediate benefits, including the opportunity to hire the most qualified workers without regard to their physical location, which helps address challenges businesses have faced hiring the right talent.  It also has consequences, such as the inevitable glut of empty office space.  The sudden reduction in the concentration of office workers has a significant impact to businesses relying on them – restaurants, shops, laundry, shoe-shine, even metropolitan transportation – as large portions of their customers stop coming.


In the past, there have been dramatic disruption to business leading to the shrinkage or elimination of entire industries.  Yet over time, business comes charging back.  Before Corona, unemployment was at record lows, and companies were clamoring for skilled workers.  This is after gloomy predictions of unemployment after waves of off-shoring everything from manufacturing to call centers to highly skilled workers.

What has to happen for remote working to become as effective as working from a managed location?

Physical space: Many people don’t have home offices and take over the dining room table instead.  This isn’t sustainable, since asking people to shift from a company managed location to home involves a level of disruption and the only financial beneficiary is the employer.   Wouldn’t it make more sense for the employer to provide each employee a remodeling budget (funded by savings resulting from reduced commercial real estate costs)?  Small contractors could build-out home offices based on guidelines or specifications defined by the employer.

Technology infrastructure: When someone works in an office, the employer provides a laptop and a portfolio of business applications, but also the infrastructure to provide access to those applications – physical connectivity, wi-fi, deskside support.  They establish standards that they are able to support in a cost-effective fashion.  This needs to be replicated in some fashion at home, at least for a portion of the workforce.  It’s not realistic to expect the worker to solve all their home technology issues and not impact their efficiency.  Solution?  A ramp-up of home technology service-providers (e.g., Geek Squad) who set up and support home offices.

Improved wireless: There is a race underway to roll out 5G infrastructure and public wi-fi 6 that promise high-speed performance that rivals (or beats) home-based/cable internet access.  This may be a boon for remote workers and their employers because it simplifies the support model by eliminating the so-called “last mile” connectivity to the individual house in favor of a more controlled infrastructure using transmitters on towers in public spaces.

Comforts and conveniences: As people get used to working remotely, their appetite for convenience goods and services will likely return.  This means the retail services that had been located near office buildings will cater to home-based workers.  To be sure, it won’t look the same, given that the density of customers is different.  There will be more home delivery or curbside service.  Will it be the same in terms of volume?  Probably in an overall sense, but the concentration will differ.  But it seems reasonable that the businesses that can cater to distributed remote workers will benefit.

Challenges – Privacy and Data Protection – a tiny slice

There is no doubt that as with any fundamental disrupter, there will be challenges to be met before we move to equilibrium – the so called “new normal”.  Among many others, information protection and privacy faces challenges.  Some years ago, a colleague authored a prescient paper entitled “Privacy in a Pandemic” that explored the reasonable tradeoffs to be made when balancing individual rights against the needs of society, famously captured by Spock as he sacrificed himself believing “the needs of the many outweigh the needs of the few… or the one”.  But the new equilibrium has implications for privacy and data protection in a more corporate setting.  While privacy regulation accommodate these priorities, privacy and data protection programs will have to re-calibrate their risk assessments and place new weight on risks made more prominent by the shift away from office-based workers, to one where the line between personal life and professional activity is blurred to the point where you can hardly tell the difference.  Clear desk policies went from being a constant real and philosophical debate to now being completely unenforceable, and therefore mostly moot.  Implementing sound technical controls that don’t disproportionately interfere with the ability to work will take time, and likely require new technology deployments.

Understanding purpose: A key enabler to pivoting data privacy will be a mature data governance program.  Making assumptions around higher level enterprise controls is no longer safe.  Instead, knowing the nature and location of data is far more important in order to protect while enabling use.  Providing more discrete permissions around the use of data will help lessen the risk of loss and unauthorized disclosure.  Understanding the purpose behind proposed use of data will enable assigning more discrete permissions.  Since preserving privacy is a lot more than just ensuring protection, the philosophy of understanding purpose also helps ensure appropriate use of data.

Fundamentals: Implementing new controls will take time and carries the risk of creating more frustration and confusion that benefit until the edges are smoothed out.  Privacy leaders should step back and consider the full breadth of their programs, leveraging all techniques to manage risk while avoiding unnecessary disruption.   An effective awareness program, for example, can go a long way to encouraging people to make safe decisions when handling data.


COVID-19 has created havoc in unprecedented ways, and has affected the lives of billions of people.  The human toll cannot be measured, and the suffering by so many should not be swept aside.  Experts are working through the optimal medical strategies while economists are still trying to model the short, medium and long term impacts to business.  Entire books will be written and college classes will be structured around the Coronavirus pandemic.  This paper has taken a very narrow slice of that and will hopefully start an open-minded dialog around how to help enable the future operating model for business.  The dialog can and will continue in months and years to come.

CCPA, CPO, GDPR, IAPP, Information Management and Governance, Privacy

How effective are privacy programs?


In September 2019, A group of 100 data leaders from respectable NY financial institutions were asked whether they’d heard of the General Data Protection Regulation (GDPR – the far-reaching European law governing how EU citizen’s personal information is handled around the world); 5 hands went up.  When asked a follow-up question: how many had heard of the California Consumer Privacy Act (CCPA), 2 hands went down.

On December 26, 2019, CNN published a story explaining why consumers are all of a sudden receiving so many privacy notices, which goes on to summarize CCPA, including the activity that triggered it.  The article explained – at a high level – the events that led legislators to pass the law. 

Over the summer, a small group of CFOs were interviewed and felt that GDPR is a mess, readiness was a waste of money, and that compliance is being addressed by “someone else”. 

Problem statement: 

Companies want to increase the degree to which they store and process personal information, but in an effort to protect the rights of individuals, law-makers are seeking to reduce the number and severity of incidents by imposing regulations.

Companies are making big investments in initiatives to take advantage of the transformative potential of data.  This covers an incredible array of opportunities, from simply using data and analytics to enrich their products and services, all the way to inventing algorithms to mimic human thinking to improve the lives of millions.  

The initiatives all have one thing in common: they depend of high quality data.  Vast amounts of it.  Increasingly pertaining to people.  Companies are building systems that pull together and combine data from a myriad of sources – internal and external. 

Breaches are happening – bigger and more impactful.  In 2019, records containing personal data were being stolen at a rate of over 15,000,000 per day.  The consequences to organizations are significant – financial and reputational.  Regulators are stepping up their actions, conducting investigations, and imposing fines.  Companies are having to pivot to correct issues and address new requirements reactively because many have failed to implement a data management framework efficiently adapt to regulatory changes.

Many companies don’t have a prominent leader assigned responsible for privacy – a Chief Privacy Officer (CPO) or equivalent.  Privacy is managed by legal or compliance groups as an adjunct to operations.  As a result, the people doing the day to day business of the company are not aware of their privacy responsibilities.  So is there any wonder why companies are mishandling personal data?

It’s time to act

More to the point, it has been “time to act”, but the regulatory requirements around data privacy are not going to get simpler, and companies should consider implementing an operational framework, with appropriate tools, enabling them to adopt new requirements in a time and cost effective manner.

An effective program to enable business to use data while also managing risk and ensuring compliance must reflect 3 interlocking components: Privacy, Data Governance and Risk Management.  Together, they can protect an organization while serving as a catalyst to accelerate forward.


Most companies have a Privacy compliance program.  However, the informal poll referenced above revealed that privacy compliance is not embedded in the data programs.  This gap is very significant, since provisions of the laws speak very specifically to plans data scientists are pursuing,  The result is certain initiatives will have to slow down or get re-tooled.

And it’s not just data science teams who are dangerously disconnected.  Data science is probably a key area where data is being handled outside the boundaries set by the regulations (kept and processed for purposes beyond why it was collected, for example), but the breaches are mostly tied to weak controls on the operational side of companies – ranging from how and where it is tracked and stored, to how it is processed or disclosed for business purposes.

“Privacy by design” has eluded organizations since it was first envisioned in 1995, in part because it is frequently promoted by an under-resourced parallel organization, trying to apply one-size-fits-all techniques.  It doesn’t have to be like this.  Privacy programs can be structured to bridge to data users in an foundational sense, where privacy obligations are taken into account through-out project or operations lifecycles.  Risk goes down.  

Addressing the challenge begins by assessing the current state of the privacy program against a privacy template or framework, such as the latest draft NIST Privacy Framework, and creating a gap analysis.  The framework is useful because it breaks down the objectives of a privacy program in a way that aligns in with both regulations and the way organizations use data.  To be fair, the full Framework can be overwhelming for many companies – especially those not familiar with the NIST Security Framework, on which the Privacy Framework is based.  But this can be addressed by first distilling the NIST framework down to a more manageable version that still preserves the key elements. 

The gap analysis forms the basis for discussing how to enhance existing privacy efforts to achieve compliance, in a deliberate, sustainable, pragmatic way.  If done right, it can be scaled – whether down to a small privacy team of, say 2-3, or up to a full enterprise-level team.  This also allows a more focused approach to address specific pain points, including:

  • Compliance with GDPR or CCPA, which might range from early stage assistance, to specific process solutions (e.g., data subject access requests, data inventory upkeep, privacy-by-design, training and awareness, etc.)
  • Consideration for placement of the program, to integrate into company culture; companies are struggling with where to assign privacy, if not in Legal, and it’s landing with the CISO, who often needs help getting ramped up
  • Operationalizing Privacy, making the program resilient and sustainable, incorporating activities such as: 
    • Strategic oversight and stewardship, including obtaining executive and Board support
    • Monitoring for legislative changes, 
    • Updating and implementing policy,
    • Risk assessment, 
    • Process and control documentation and testing, 
    • Integration with business and IT change management, 
    • Incident management, escalation and resolution, 
    • Vendor management, and 
    • Contract review.

Data Management

Data programs are high priority for CEOs – over 95% believe that leveraging data is key to continued success and to defend against external disruption.  Yet Gartner concludes that 85% of data projects fail.  How is this possible?  Oftentimes, data initiatives are launched without implementing basic management and governance techniques.  Objectives are not defined at the outset, C-levels and the Board aren’t clear in what they are asking for, and may not understand the path to get there – or the cost.  

Introducing data management and governance discipline to create the data equivalent of “scientific method” can dramatically reduce risk and increase the chance of success.  Many companies – especially those in regulated industries – have records management programs that can be adapted to provide a management framework for data to be leveraged for monetization or through analytics or AI initiatives.  

The value proposition is to implement sufficient management and governance activities to

  • Provide transparency and accountability in to the program, including ethics and legality,
  • Ensure that data is handled in a way that doesn’t violate compliance obligations, whether contractual or regulatory
  • Provide shared-service capabilities, including inventory, procurement, tracking and disposition.
  • Create logical interface and touch-points into privacy, security, internal audit, compliance and legal programs
  • Triggers and objectives are to close the gap between CEO expectations and the practical success rate of data projects.
  • Expose the relative value and sensitivity of data to enable proper risk and threat management, in collaboration with others, such as a Chief Information Security Officer.

Information Risk Management

In a metaphorical sense, data programs are taking the jewels out of the safe and passing them around.  Handling high value assets definitionally increases the risk of theft or breach, when compared to keeping them locked up.  But they must be handled in order to derive value.  Many companies have built information risk or IT risk management capabilities over the last several years; the question is how well are they tied into data initiatives or aligned with the way data is used?  Given that 15,000,000 records are breached every day, one might suggest “not very”.  

In the context of the increased use of data for market-facing benefit, Information-related risk needs to be assessed in a more focused way.  As a discipline, IT RM has created a good foundation, however it frequently aligns with core IT process like strategy, architecture, change management, and security, and not to data.  

Information risk management can provide a critical interface between a data leverage program and a privacy/compliance program.  The techniques used to assess information risk result in key insights into the nature, relative value, uses and threats to information.  This helps direct risk-mitigation resources to align with the risk.  Specifically, it helps to recognize whether risk can be mitigated through, say, security controls, or whether the employee community needs tools that better align with their jobs (obviating the need for them to find their own solutions to business problems), or whether increasing awareness can help people make better judgements.  

Companies should consider identifying, categorizing and managing risk by looking at initiatives through an information lens – as opposed to a technology lens.  This changes the dialog with business stakeholders, which increases their understanding and appreciation of what could go wrong, what is acceptable residual risk, and the steps needed to bridge the gap.  

As indicated, IT RM in the marketplace has achieved a level of maturity, and there exists opportunities to adjust the scope and approach to more effectively identify and manage information-related IT risks, which arguable, can help manage overall financial, regulatory and brand exposure for companies.


Companies are increasing their use of data at a tremendous rate – and they should.  The opportunities to gain competitive benefit are exploding.  But the risk and consequences of missteps are growing as well.  By implementing data governance and integrating risk management and compliance in a pragmatic way, organizations can continue to explore the ways data leverage can provide benefits, while taking proportional measures against events that can impede progress.  

CCPA, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Does Privacy Need Disrupting?

Executive Summary

When it comes to the use of data in a business context, there are a few absolute truths: (1) business will continue to gather and process more and more information about people to meet their goals. (2) We will continue to see larger and more far-reaching data events involving personal information.  And (3) regulators will continue to respond with increasingly complex requirements around the handling of personal information.

This paper reflects on the trajectory data-use is taking within the business environment, and explores some challenges the privacy profession is facing trying to keep pace.  The combination points to the inevitability of catastrophic data incidents.

But like so many other industries, modern technology may hold the answer to managing the risk.  This paper goes on to discuss that through the measured deployment of disruptive technologies, the privacy profession may find a way to support the acceleration of data use in the business, while managing risk and pursuing compliance.


The thing about black swans is that they are both predictable and unpredictable – you know they are going to happen, you just can’t anticipate when and the form they will take.  In the period of one week in December, over 600 million records containing PII (Personally Identifiable Information) were breached. For perspective, that’s more than every man, woman and child living in the US, UK, Canada, Australia and Russia combined.  

With the increasing volume of PII being collected and processed by organizations around the world, it was inevitable that something like this was going to happen.  Moreover, it will happen again – and bigger – from triggers and vulnerabilities on which the risk community is not focusing. And no global organization wants to be named in a headline that talks about hundreds of millions of records being compromised.  

About data

We live in an age where information is emerging is a truly leverage-able resource for companies around the world, enabled by the incredible pace of change in technology and analytics capabilities.  The opportunities to improve customer experience are growing exponentially. To be sure, customers now measure their own satisfaction – and loyalty – based on capabilities offered by service-providers that were not even possible a few short years ago.  And companies are doubling-down investment to outpace their competition, or in many cases – in the face of disruptive startups – ensure their very survival.

Much of the data at the heart of the most promising innovations is in some way tied to individuals — whether traditional PII or PHI or new data around people’s movements, tastes and behaviors, spun off from IoT sensors, new analytics technologies or apps used by individual consumers where they are knowingly or inadvertently contributing data.

We also see that as some companies push the boundaries, or in the aftermath of high profile data incidents, lawmakers are reacting by implementing far-reaching legislation to protect the rights of individuals.  Complying with those is a challenge and imperative for all organizations but especially forward-looking global organizations, as they navigate uncharted waters and as regulations emanating from different jurisdictions overlap and conflict.  

Given the pace and trajectory of developments in technology and data, and the scale and frequency of data events, it’s reasonable to predict that there will be more breaches in the future – both larger in scale and more impactful.   Moreover, the increasing number and complexity of regulatory requirements – many triggered in the aftermath of data breaches – will place increasing burden on businesses, increasing internal tension between those developing new and innovative products and services, and those tasked with managing risk and ensuring compliance.  Finally, the potential ramifications of a breach, including the very significant fines, lost business or damage to the brand, can have lasting negative consequences to any organization.

Risk and privacy activity today

Today, risk management and privacy are heavily manual.  Risk management and privacy groups are relatively compartmentalized, often viewed as necessary but imposing layers of bureaucracy, addressed late in the process and after the business requirements are met; risk and privacy requirements are often viewed as disruptive and costly.   

Whereas “Privacy by Design” seems like an obvious enabler, and has been a holy grail of sorts, passionately embraced by privacy practitioners, it’s often down-played (or ignored) by business development groups.  

The basic process around risk and privacy include the following:

  1. Privacy Policies that reflect requirements — whether legal, contractual, ethical, professional or industry parameters.  This establishes the inward- and outward-facing posture and serves as the foundation and basis that drives every meaningful aspect of the program.
  2. Process documentation: business processes that handle PII are documented and analyzed to identify risk and to ensure that controls mitigate the risk and align with policy requirements.  
  3. Data and application inventories: as a supplement to process documentation, knowing what data is on hand and what applications process it is important to help ensure that appropriate controls are in place
  4. Trigger points within processes – IT or business processes – around changes or data events requiring action; certain activities such as developing or changing an application that stores or processes PII should trigger a Privacy Impact Assessment to determine what risks exist and what controls are needed.
  5. Consultations and approvals where SME’s respond to inquiries and use research and professional judgment to provide recommendations.
  6. Risk assessments take place periodically to determine what’s changed and whether controls are aligned with risks to PII.
  7. Controls are tested periodically to ensure they are functioning as intended
  8. Control weaknesses or failures are documented in findings reports requiring action by control owners

The process is largely manual

The key point in providing this list is to highlight the fact that all of these are manually intensive and are at best supplemented or enabled by tools such as GRC applications.  And while the enabling tools and applications help, these processes are only linearly scalable – meaning, increases in the number of in-scope processes and applications require a proportional increase in resources — people — to accomplish the risk and compliance activity.   Moreover, while the most effective privacy programs distribute the activity across the business constituents, and can gain some leverage and economies of scale, the costs fundamentally increase fairly linearly.

Most organizations face challenges in trying to increase their bench of Privacy SMEs, since they require in-depth understanding of their organizations, as well as privacy expertise, and need to exercise consistent and similar judgment.  So maintaining consistent quality around advice provided by SMEs is a risk and challenge in itself.

So in summary, the technology, data, business and regulatory environment is evolving rapidly, getting more complex, and more critical for the continuing success of the organization.  Traditional privacy risk and compliance practices are heavily manual, reactive, burdensome and difficult to scale. In combination, it’s clear that costly and damaging issues will continue to arise, and the tension between the execution of business strategy, managing risk and maintaining compliance will become even more pronounced.

What is changing…

In order to become better embedded and get ahead of business developments that leverage data, the privacy function needs to understand how the business plans to gather, manipulate and store PII, and overlay the risk and compliance requirements for its treatment and handling – which should result in certain adjustments to the business strategy.  

The privacy team has to understand all aspects of information risk management (leveraging an auditor’s playbook) to judge sufficiency of control, and be able to interface with the business, IT, IT security, legal, audit and compliance stakeholders, as well as with regulators.  

An important dimension of this is to have a framework for accepting residual risk.  This framework has to resist the “group-think” temptation to be either blinded by competitive pressure or the promise of fantastic profits, or lured into the “risk elimination” mode.  Instead, it should allow for the analysis of risk, mitigating effect of controls, and a transparent mechanism to accept residual risk that escalates upwards through leadership, depending on the overall risk/benefit balance.

But as discussed above, data “events” are bound to happen — whether breaches, losses or abuses — and privacy professionals too often are reactive.

Fundamental and disruptive change – leveraging Artificial Intelligence

Business, technology and data science will continue to accelerate, events will happen and regulations with come into effect.  The result is an increasing tension between opposing forces, where the resistant compliance side of the equation will almost always lose.

It’s time to take a fresh look at the model.  Increasingly, companies are recognizing the disruptive effect that data and analytics (including AI) will have on their business – the very action that increases the risk of privacy events discussed in this paper.

Privacy compliance can benefit from disruption.  

Ultimately, many aspects of privacy compliance will benefit from the disruptive use of AI and cognitive algorithms.   Given that privacy compliance combines documentation, analysis and judgment, there are opportunities to design and train algorithms to assist analysis, which will increase the timeliness and reach of the program.


First and foremost is the recognition that intelligent automation and leveraging AI is a journey – not a destination – and benefit is gained incrementally.  Focus begins on the more basic and mechanical aspects of the program, allowing more analyst time to focus on more sophisticated and complicated issues.

The privacy activities are then broken into categories which helps to drive priorities:

  • Routine daily tasks that need to be monitored for compliance, and where certain events trigger action, and
  • Change involving new applications, data, business ventures or data use cases
  • New requirements, such as new regulations, risk factors or data use restrictions

As the process matures, more aspects of the program can be automated, leading to a state where increasingly sophisticated tasks are processed automatically and the SME is engaged at certain thresholds where, say, more judgement or specific approval is needed.  If properly implemented, the algorithms are trained methodically (“crawl, walk, run”) and logged to ensure consistency.

Example activities that are candidates for automation:

  1. Process review comparing to policy – using an algorithm to determine whether a proposed process might violate a privacy policy
  2. Access monitoring – data stores containing information pertaining to people can be monitored for access and AI can analyze access for anomalies, and trigger responses
  3. Data access requests – routine operational transactions, such as requesting access to certain data, can be vetted and handled through Intelligent Automation
  4. Transaction monitoring – AI sensors can be tuned to monitor a wide range of structured and unstructured transactions guarding against inadvertent use of private information
  5. Privacy event analysis/DLP – Data Loss Prevention (DLP) sensors can capture thousands of potential events on a daily basis.  AI can be used to risk-assess the events based on a variety of rules, and flag those exceeding a predetermined risk threshold for further investigation.  
  6. Control analysis and testing – privacy programs often include a periodic testing cycle.  AI can be used to evaluate the results of testing to assess severity
  7. Data discovery and inventory – All organizations have large volumes a unstructured data stored (and often forgotten) on network file servers.  AI can be used to traverse the file stores and build meta-data tables around the data, and can be tuned to identify sensitive data, helping to ensure compliance
  8. Data psudonymization – AI can be used to implement psudonymization techniques on a large scale, and can test whether the data can be re-identified.
  9. Contract review – often times additional specific data handling terms are embedded in contracts with large clients.  AI can be used to extract those terms and correlate them to specific data in the environment to help comply with the client’s requirements.
  10. Regulation review – AI can be used to highlight applicable sections of regulation based on ingested company policy documentation, which accelerates implementing compliance activity
  11. Risk analysis – Algorithms can be trained to detect data use-cases that are in conflict with policy.
  12. Residual risk assessment – Quantifying residual risk is very important for determining whether risks are sufficiently mitigated to meet corporate risk appetite, and whether a value proposition is still valid.  AI can help with the determination.
  13. Customer inquiries – Intelligent automation can be used to handle customer inquiries around where data is, requests for erasure or transfer.  This can be extremely burdensome for companies with large numbers of individual customers.


All these use cases are within the capabilities of existing technology, and the decision to pursue any combination is based on specific circumstances.  However, the overriding point is that they pave the way toward much more flexibility and scalability of a privacy program that is coming under increasing pressure to perform.  So the benefits are:

  • Greater flexibility
  • More scalability and leverage of resources
  • Lower risk of non-compliance
  • Less impact and burden to the business
  • Managed cost


At a high level, the risks are that the tools fail to detect or prevent an unauthorized use or disclosure of information pertaining to individuals.  This can be because the algorithms don’t work as intended or are not properly implemented. These are project and operational risks and should be managed through normal risk management processes.

But by keeping in mind the current state and the trajectory business is on, the reality is that leveraging Intelligent Automation and Artificial Intelligence makes sense.  It’s going to happen.


When it comes to the use of data in a business context, there are a few absolute truths: (1) business will continue to gather and process more and more information about people to meet their goals. (2) We will continue to see larger and more far-reaching data events involving personal information.  And (3) regulators will continue to respond with increasingly complex requirements around the handling of personal information.

Many industries are being disrupted by the creative and innovative use of data.  The privacy profession — increasingly in the spotlight, yet dependent on manual processes — is quickly becoming a good candidate for reinvention.  People will benefit, as it will open avenues for business to provide new products and services designed to make their lives better, while at the same time lowering the risk to them for participating.

CDO, CPO, Information Management and Governance, Information protection, Privacy

CDO’s Role in Managing Data Breaches

In the span of a week, we’ve see data breaches affecting 600 million people.  For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined.  And the damage may not be done, as scammers and other bad actors frequently take advantage of the widespread confusion that follows these sorts of incidents.

Moreover, as the investigations unfold, we will begin to see the breadth and depth of what went wrong, who did what, and what steps must be taken to prevent this from happening in the future.

The risk manager in me says this will happen again, just as it’s happened before.  Data experts know all too well the challenges in implementing controls proportional risk, and counter-balancing every data initiative with the right set of controls — starting with asking whether the proposed data collection or use benefits are worth the downside risk.

So what does this mean to a Chief Data Officer?  In a word, everything. Why? Because data is at the center of every breach, and the CDO should be looking at the full picture around both data use and data risk.  The emerging role of the CDO in business positions them as a key executive in helping to reduce the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.

Before a Data Incident

In the normal course of business, the CDO should be executing against the company’s data strategy and vision, and maintaining an inventory of critical data assets.  The inventory should include key meta-data — ownership, obligations, location, permissions, value, uses, etc — which forms an important part of a periodic risk analysis.  

The risk analysis considers threats, vulnerabilities, obligations and relative value of the data to conclude on appropriate protections.  The more progressive CDO’s will construct a holistic threat analysis that answers the question, “what could go wrong?” or “how might information be breached?” taking into account behavior of personnel, company culture, key business activities and positioning of the company in the marketplace.  Typically, such an analysis covers the spectrum from the seemingly mundane (accidents caused by carelessness or poor judgment), all the way to industrial espionage targeting company data, with a total of 5 or 6 categories in between. This analysis serves as a sounding board to validate the range of control activities, which includes everything from policy, to business practices, to training, to technical controls, and some instances where certain risks have to be accepted, insured against, or perhaps transferred elsewhere.

The CDO should provide business requirements to the CIO and CISO for appropriate technical measures to provide protections, which – depending on the sophistication of the company – could range from providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.  

The inventory shines a light on whether all data on hand is truly necessary, or whether some can be disposed of.  Moreover, the CDO’s analysis of business processes using data can also question whether all data being collected is necessary.

The Board of Directors, senior executive leadership and internal audit should – to appropriate degrees – be aware of how the company is using data as well as the CDO’s assessment of risk and mitigating controls.  This will allow them to understand the risk/benefit around data use, and weigh in whether the business opportunities related to data use are sufficiently compelling.

The CDO maintains relationships with counsel to understand the legal aspect of obligations, and obtain sign-off on the sufficiency of the compliance programs.  The CDO should understand their regulators’ expectations and requirements around handling data, making sure their protection controls meet regulator expectations.  These steps are key, because most breaches — especially where regulated data is involved — will result in legal or regulatory exposure, and having transparency with counsel and regulators with streamline investigations.

The CDO should own (or be a key stakeholder in) the data incident management process. This is the process whereby data incidents — data loss, possible breaches or exposures — are logged, analyzed and investigated.

During a Data Incident

Sometimes, a target organization is aware of a data incident as it’s occurring.  Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).

The CDO should be available to help answer questions about the nature and location of data that may be accessed, as well as to begin preparing post-incident planning. Some data owners (e.g., Federal Government) have explicitly defined time frames to report data incidents, the CDO can get ahead of these requirements.  

Following a Data Incident

Companies should have a crisis management plan that includes defined procedures to be followed in the event of a cyber attack, data breach or exposure.  The details of these plans are tailored to each company, and generally emphasize damage control and protecting the brand — which in itself may follow one or more tracks, based on the nature of the incident.  

Stakeholders include senior leadership, legal counsel (sometimes supported by outside counsel), the head of security, the CIO and CISO, and often on-call cyber security consultants.  The overall objective is to understand what happened, how it happened, who perpetrated the event, what data was affected, overall impact, and how to repair the damage and prevent the same thing from happening again.  

Along these lines, the CDO should help assess the impact of the loss, in terms to cost to the company — defined as asset value, or competitive impact, or brand damage to the organization.  The CDO can be a resource to analyze the nature of the data to determine whether external notifications are required, and – in conjunction with counsel – whether there is a regulatory impact.  Who owned the data? Do regulators, customers, vendors, partners or clients need to be notified? Is there a timeframe requirement for notification and is there a specific process to be followed?  Do affected parties need to be offered – or are they likely to demand – compensation?

The CDO can help analyze what went wrong, by having an understanding of the processes and policy around data use.  Was there misuse of data or was it stored, processed or transmitted in ways it shouldn’t be? Was there a control failure, or absence of control?

This analysis concludes with a reassessment and remediation of processes and controls.


Most corporate leaders recognize the near-inevitability of a breach or hack.  This is due to a variety of factors, including the increased complexity of information systems, coupled with the expansion of data-rich cognitive and robotics initiatives, many of which rely heavily on data.  Data sets themselves are growing at a dramatic pace.

Companies are appointing CDO’s to try and coordinate the activities around the leverage of data, and increasingly, they are assigned responsibility for assessing and managing risk around data.  This is not a bad thing at all, since it helps keep risk management activities proportional to risk and the nature of the data.

CDO’s should approach the challenge with a plan, emphasizing transparency and engaging appropriate stakeholders.  Whereas today, Boards often look to the CIO and CISO to understand how data handled and protected, going forward they will increasingly look to the CDO.


CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.