Data Privacy & Protection: Becoming a Good Custodian of Sensitive Data

Data is incredibly valuable and abundant. It ranges from the personal information kept by an HR department to website traffic, inventory information, and customer sales records.

The amount of data that exists, even for a single organisation, is astronomical. Data is somewhat of a vague term, and its size, given that with today's technology most of it is digital and non-material, is hard to grasp for the casual observer.

It is everywhere and nowhere, extremely precise yet materially opaque. We know that organisations collect and store immense amounts of data, but what does that really mean, and what are its implications?

Data is valuable because it tells a story. The more data there is, the more robust the dataset and the clearer the picture it can create. It is incredibly useful as a strategic indicator, a measurement of effect, and a resource to be leveraged.

A manufacturing company looking to make operational improvements begins with gathering data on its current state of operations and examining it for evidence of bottlenecks or operational inefficiencies.

Marketing teams can measure website traffic to see how effective various aspects of their advertising are, and user interface teams can use similar data to determine how functional and accessible their resources are. Both can contribute to sales.

Most controversially, personally identifiable information, such as names, addresses, and banking information, is incredibly valuable. It can appear in all kinds of places and isn't always as obvious as sales or account records.

The EU's General Data Protection Regulation (GDPR) defines many less obvious forms of data that are often collected but are less visible to the average observer. The regulation broadly covers any data that, by itself or in conjunction with other data, could be used to reveal an "individual's physical, psychological, genetic, mental, economic, cultural, or social identity." This includes the growing use of things like geolocation, biometrics, and mobile device ID information.

While data concerning a bottlenecked process or a website feature that isn't being used is par for the course in business strategy and is little more than evidence of how things are functioning, personal data is just that: personal. It is needed; organisations need to know who works for them, who they work for, who is buying their products, and who they are buying from. This data has meaningful strategic value and is often required by regulators to manage fraud, third-party, export control, and other trade-related risks. But this data is still personal to those who provide it, and they trust the organisations they provide it to to be responsible custodians of it. This is not the information of machines or processes, but names, addresses, banking information, benefits and salaries, and other very personal information.

While this information can be used for strategic decision making, marketing, or leveraged in other valuable ways, protecting it and using it in a reasonable and discretionary manner is of vital importance. In the EU alone, fines under the General Data Protection Regulation (GDPR) totaled $191.5 million between 2020 and 2021. Violations include mismanagement of employee data, insufficient security leading to data breaches, and failure to give customers sufficient autonomy over how their data is used.

Leveraging GRC to Manage IT Risk & Data

Data privacy has become a critical component of organisational success, not just on the regulatory front, but on the reputational and investment fronts as well. Organisations simply cannot afford a lack of integrity in data custody.

Additionally, new US legislation is increasing the pressure on American markets to develop more complete data protection paradigms. As GRC concerns grow amid the pandemic, geopolitical conflict, and modern discourse, organisations are finding value in developing robust data protection and consumer-friendly policy. Those who do not may suffer the consequences on multiple fronts.

It is important, then, that organisations prioritize data protection and custody concerns, not just from an IT security perspective, but from an obligation of responsible and reasonable use, as well as accountability to the individuals whose data is kept.

Organisations should work to unify and structure data custody responsibilities across the organisation. Different departments can house different sorts of data with different risks and liabilities.

To prevent siloed risk management and blind spots, leadership teams should work to identify, define, and unify data protections anywhere sensitive data could be found. This allows compliance and legal teams to understand and manage the risk as a whole. Next, organisations should assess how their current data management operations align with their GRC goals and strategy, and integrate their legal and compliance teams so that they become the pillar around which data protections are built and maintained.

Data protection can be complicated. Data is valuable, but not just in an operational or monetary sense: it matters to the people it concerns and identifies.

While it can be a very useful and necessary tool for strategic and regulatory purposes, consumers, regulators, and investors all seem to agree that it is important on a deeply personal level, and organisations that wish to leverage it must do so with great responsibility. Those who demonstrate integrity and the ability to access data responsibly earn both the ability to leverage it and the confidence of their customers, employees, and peers.