
Not Just an IT Issue – Why Governance of Data Should Be on the Agenda of Every Board Director

In the digital age, every organisation – be it private sector, public sector or not-for-profit – is a ‘data business’, and effective data governance is critical to realising the full value of its data. This article discusses why board directors need to engage on governance of data, and the risks and potential missed opportunities of failing to do so.

This article was first published in the March 2017 issue of Governance Directions, the official journal of Governance Institute of Australia. Since original publication the ISO/IEC 38505 series of data governance standards has been published.

 

Imagine for a moment that accounting standards required organisations to also take account of, and value, their data assets. In adding data to the balance sheet, many company directors would be surprised at the breadth of the data their companies hold, or that those data assets (which are often collected without payment or at a low cost) are valuable.

In misunderstanding the value of the data they possess, businesses may both ignore the opportunities inherent in those data assets and fail to adequately protect them. They may also fail to account for data available or accessible but not owned by the business. Any other asset owned by, or available to, a business is monitored, its value is assessed and re-assessed against factors such as depreciation and market forces, and risks to the asset are identified and mitigated.

There is something, however, about the intangibility of data assets that causes businesses to fail to account for their value.1 This issue is compounded by the fact that the valuation itself is difficult. Data may arrive from different sources. It may have been collected without payment. Traditional ways of measuring asset value such as ‘market value’ and ‘historical cost’ may be a poor fit for measuring the future economic benefits of data holdings.2 Failure to fully understand the value of data may lead boards to allocate data management and oversight to IT and compliance personnel thereby missing the important role the board itself has to play in the strategic management of this asset.

 

The new business of data

And yet, we are in an age where data has never been so valuable, nor the opportunities for innovation so great, and the risks of data breach so high. The arrival of new business models – such as ride-sharing, homestay accommodation and GPS-enabled fitness apps – and the expansion of existing goods and services – to include, for example, real-time tracking of delivery or arrival times, integration with mapping and location-based technologies, monitoring and optimisation of product performance via sensors and the internet of things and the tailoring of products and services to user preferences – are evidence of the wealth of opportunities that await businesses willing and able to use their data assets effectively.

For example, Rolls-Royce is leveraging the value of data to move their jet engine maintenance programme from a focus on major engine overhauls to instead improve the efficiency of an airline’s daily operations – and to operate at the ‘clockspeed of the customer’.3 Similarly, Garmin was able to see the value of harnessing GPS technology to deliver personalised fitness information via wearable devices. It continued to build on data use opportunities by expanding its services to take advantage of the rise of social media, allowing its device users to choose to share fitness information with friends and participate in a virtual network of others engaged in similar activities.4

 

Governance of data vital to leverage and protect data assets

Of course, at some point, opportunity collides with risk – privacy and security considerations are an unavoidable part of the equation. So a key question, to use the words of the International Association of Privacy Professionals’ Publications Director, is ‘How do you combine traditionally compliance-focused activities like privacy and info-security with traditionally strategic and revenue-producing activities like using data to make marketing and product-development decisions?’5

His answer, and indeed the missing link, is data governance. Converging the different objectives of privacy, security, business strategy, product development and so on in a data governance framework can be challenging. Partly, the answer is ensuring that governance of data occurs or is driven at the board level. This helps reduce the inevitable ‘silo-ing’ of privacy, security and business goals and the corresponding risk that one of those goals is inadvertently prioritised over the others (resulting in a business that is unconsciously risk averse or unintentionally risky in relation to data it holds).6 Only at the director level can a company get the necessary organisation-wide view of governance of data and align strategic business decisions with ethical and compliance considerations.

There is work underway to help organisations meet these challenges and embed better data management and oversight. A key tool for company boards and directors will be the new series of data governance standards currently under development by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). According to the project editor of the upcoming standards, Alison Holt, ‘The developing ISO/IEC 38505 series of governance of data standards is designed to provide guidance for boards who want to maximize the value, whilst addressing the risks, of participating in the digital economy. Boards that confuse data governance for a management activity, risk missing out on the huge benefits and economies of data driven business. These standards aim to address this common misconception and empower boards to develop and deliver strategies for growth.’

Annelies Moens

Deputy Managing Director at Information Integrity Solutions
Annelies provides strategic privacy advice and engages with clients to deliver a suite of privacy services. She is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals. Annelies presents at major local and international forums and writes on global privacy challenges. Annelies co-founded the International Association of Privacy Professionals in Australia and New Zealand in 2008, a membership organisation for privacy professionals in the region. She held elected roles during her Board term, including as President between 2011 and 2012.
