In the digital age, every organisation – be it private sector, public sector or not-for-profit – is a ‘data business’ and effective data governance is of critical importance to realize its full value. This article discusses why board directors need to engage on governance of data and the risks and potential missed opportunities of failing to do so.
This article was first published in the March 2017 issue of Governance Directions, the official journal of Governance Institute of Australia. Since original publication the ISO/IEC 38505 series of data governance standards has been published.
Imagine for a moment that accounting standards required organisations to also take account of, and value, their data assets. In adding data to the balance sheet, many company directors would be surprised at the breadth of the data their companies hold, or that those data assets (which are often collected without payment or at a low cost) are valuable.
In misunderstanding the value of the data they possess, businesses may both ignore the opportunities inherent in those data assets and fail to adequately protect them. They may also fail to account for data available or accessible but not owned by the business. Any other asset owned by, or available to, a business is monitored, its value assessed and re-assessed against factors such as depreciation and market forces, and risks to the asset identified and mitigated.
There is something, however, about the intangibility of data assets that causes businesses to fail to account for their value.1 This issue is compounded by the fact that the valuation itself is difficult. Data may arrive from different sources. It may have been collected without payment. Traditional ways of measuring asset value such as ‘market value’ and ‘historical cost’ may be a poor fit for measuring the future economic benefits of data holdings.2 Failure to fully understand the value of data may lead boards to allocate data management and oversight to IT and compliance personnel thereby missing the important role the board itself has to play in the strategic management of this asset.
The new business of data
And yet, we are in an age where data has never been so valuable, nor the opportunities for innovation so great, and the risks of data breach so high. The arrival of new business models – such as ride-sharing, homestay accommodation and GPS-enabled fitness apps – and the expansion of existing goods and services – to include, for example, real-time tracking of delivery or arrival times, integration with mapping and location-based technologies, monitoring and optimisation of product performance via sensors and the internet of things and the tailoring of products and services to user preferences – are evidence of the wealth of opportunities that await businesses willing and able to use their data assets effectively.
For example, Rolls-Royce is leveraging the value of data to move their jet engine maintenance programme from a focus on major engine overhauls to instead improve the efficiency of an airline’s daily operations – and to operate at the ‘clockspeed of the customer’.3 Similarly, Garmin was able to see the value of harnessing GPS technology to deliver personalised fitness information via wearable devices. It continued to build on data use opportunities by expanding its services to take advantage of the rise of social media, allowing its device users to choose to share fitness information with friends and participate in a virtual network of others engaged in similar activities.4
Governance of data vital to leverage and protect data assets
Of course, at some point, opportunity collides with risk – privacy and security considerations are an unavoidable part of the equation. So a key question, to use the words of the International Association of Privacy Professionals’ Publications Director, is ‘How do you combine traditionally compliance-focused activities like privacy and info-security with traditionally strategic and revenue-producing activities like using data to make marketing and product-development decisions?’5
His answer, and indeed the missing link, is data governance. Converging the different objectives of privacy, security, business strategy, product development and so on in a data governance framework can be challenging. Partly, the answer is ensuring that governance of data occurs or is driven at the board level. This helps reduce the inevitable ‘silo-ing’ of privacy, security and business goals and the corresponding risk that one of those goals is inadvertently prioritised over the others (resulting in a business that is unconsciously risk averse or unintentionally risky in relation to data it holds).6 Only at the director level can a company get the necessary organisation-wide view of governance of data and align strategic business decisions with ethical and compliance considerations.
There is work underway to help organisations meet these challenges and embed better data management and oversight. A key tool for company boards and directors will be the new series of data governance standards currently under development by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). According to the project editor of the upcoming standards, Alison Holt, ‘The developing ISO/IEC 38505 series of governance of data standards is designed to provide guidance for boards who want to maximize the value, whilst addressing the risks, of participating in the digital economy. Boards that confuse data governance for a management activity, risk missing out on the huge benefits and economies of data driven business. These standards aim to address this common misconception and empower boards to develop and deliver strategies for growth.’
Effective governance of data creates opportunity
Effective governance of data gives organisations a framework for understanding the exact nature and extent of their data assets and how to utilize and protect them. In a recent information security survey, only 51 percent of organisations reported having an accurate inventory of employee and customer data and how that information was collected, transmitted and stored.7 A governance framework also allows organisations to assess the value (or potential value) of data assets and map information flows, so that new business models and strategies can potentially be developed. Importantly, it also enables organisations to assess new and existing data use against ethical and compliance considerations, to identify and mitigate risks and to establish controls and lines of accountability.
All too often, it is weak or non-existent data governance that garners attention. And indeed, when things go wrong, the impact on company directors themselves is brought into sharp focus. A serious data breach sustained by Target in late 2013 resulted in the resignation of Target’s CEO and CIO – it was reportedly the first time the head of a Fortune 500 company was ousted due to a cyberattack.8 A similar thing occurred when New Zealand’s Personal Accident Insurer, Accident Compensation Corporation, sustained a data breach in 2011 involving highly sensitive health information of 6,748 clients, with a number of board directors losing their positions.9 There is also the real risk that a data breach will significantly affect business and shareholder value (or even result in the closure of a business).10
However, when organisations effectively address and mitigate security and privacy risks through strong governance processes, wider opportunities can be grasped. New business models that leverage the value of data can pose a competitive risk to not just traditional businesses, but whole industries.
Governance of data is a board responsibility
Governance of data is of critical importance not only to protecting data but also to making decisions about how a business will use data to add value for its stakeholders – including its suppliers and customers. A strong governance framework ‘governed from the top’ puts organisations in the best possible position to harness the benefits of the digital age while fostering an ethical and compliance-focused corporate data culture. Boards need to be involved. Relegating data governance to IT or compliance personnel is to fail to fully comprehend the strategic value of data and puts organisations at a disadvantage when navigating strategic business decisions involving data.
1 Juergen Sidgman and Malcolm Crompton, ‘Valuing Personal Data to Foster Privacy: A Thought Experiment and Opportunities for Research’ Journal of Information Systems: Summer 2016, Vol. 30, No. 2, pp. 169-181, 2016.
3 Tom Palmer on data driven aviation, Rolls-Royce.
4 Privacy statement for Garmin Connect and Compatible Garmin Devices
5 Sam Pfeifle, ‘Getting proactive with data use governance’, The Privacy Adviser, International Association of Privacy Professionals, 13 September 2016.
6 Take, for example, Mattel’s wifi-enabled Barbie doll, a case in which ‘product innovation’ was not adequately tested against privacy and security considerations; see ‘Hello Barbie, Goodbye Privacy? Hacker Raises Security Concerns’, Huffington Post Australia, 1 December 2015.
7 Survey cited in PwC, ‘Monetizing data while respecting privacy: how data-use governance can unlock business value and mitigate risk’, 2016.
8 Kevin Lonergan, ‘Don’t let a data breach destroy you: a history lesson’, Information Age, 14 September 2014.
9 See ‘ACC boss resigns amid political pressure’, Dominion Post, 13 June 2012; ‘Murray Hilder resigns from ACC board’, New Zealand Herald, 19 June 2012; and Malcolm Crompton, Privacy governance: A guide to privacy risk and opportunity for directors and boards, Australian Institute of Company Directors, 2014, p 13; see also Information Integrity Solutions and KPMG, Independent review of ACC’s privacy and security of information, 22 August 2012, pp 50-52.
10 See for example, ‘Case study: When a hacker destroys your business’, CIO, 3 March 2015; see also ‘Verizon wants $1B discount on Yahoo deal after reports of hacking, spying’, New York Post, 6 October 2016.