Throughout the 1980s and 1990s within the European Union, there were vast surpluses of butter, wine and milk due to years of government intervention in farming policies, coupled with low prices. Referred to as butter mountains and milk and wine lakes, these descriptions were used to try to quantify just how serious and sizeable these surpluses were. In 2019, we are using the same terminology to describe the sheer amount of data being produced, collected and stored – data lakes.
The exponential growth of technology and therefore of the amount of data we collect and store, and what we can do with it, has overwhelmed governments, regulators and organisations. We are playing catch up in a space where the speed of change and developments is increasing daily. But perhaps most frustratingly, in the rush towards compliance and security, we are failing to see the data boom for what it could be – a huge opportunity. And good data management requires good privacy management.
Keeping afloat in a data lake
Good data management, and in turn good privacy management, isn’t just a compliance issue. It’s a way to better understand your customers and provide better service to them; it means fewer mistakes with data, and it means better business opportunities and revenue. All these things help to build trust in your brand. Good data management and good privacy is a virtuous cycle, and having best-in-class capabilities in these areas should be the number one priority for any business that wants to extract value and provide value from the personal information that they hold.
Good governance is key
Much like keen foodies looking for the food provenance on the menu of the latest trendy restaurant, what’s hot right now in the privacy space is understanding your data lineage. By that I mean, where did the personal information come from? This is fundamental to understanding what consent you have collected to process personal data and who it belongs to. If you don’t know where it came from and who it relates to, how could you possibly know what you’re legally or ethically permitted to do with it?
There’s no point implementing privacy controls on questionable data management and governance foundations. For controls around areas like consent, disclosure, use all the way through to destruction to be effective – in other words the entire information lifecycle – you need to know what personal information you have, where it came from, who it relates to, what you can do with it, why you collected it in the first place and how long you’re allowed to have it.
Two of a kind
There are definitely risks for organisations who don’t look at data and privacy as interlinked issues. Key for me is the risk of data breaches, particularly within an organisation. Most organisations have operated on the understanding that data breaches occur when data is lost, stolen or accessed by unauthorised people outside of their organisation. But under the provisions of the Privacy Act, you can still meet the threshold for a notifiable breach when people inside your organisation access data that they are not authorised to access and which could lead to a risk of serious harm. This being the case, many organisations have a lot of work to do to ensure that personal information can only be accessed by staff and related third parties that have a need to know that information. Many enterprise-wide systems in organisations are open to all staff, and there also isn’t a great understanding of, or control over, the type of data that goes into those databases. Many organisations are sitting on notifiable breaches right now, and they don’t know it, given the lack of access controls, the inability to determine who has accessed what, and the lack of control over, or understanding of, what is in those systems. This is probably the most misunderstood, or misidentified, privacy risk right now and one that would be fixed with appropriate identity and access management controls across key enterprise databases in most organisations.
Where to next?
Data is the oil that lubricates business, and like the fossil fuels before it, data can create amazing energy but also lots of pollution. Data governance, privacy and security come together - they are a package. Organisations who manage to effectively and efficiently use their data to extract value and maintain trust are winners in the reputation economy as both regulation and societal expectations increase.
The extent of the challenge means all hands are needed. Any employee in this new age of data can identify both risks and opportunities in the data they see being collected.
For more information on how to turn risk into rewards, talk to Deloitte’s Risk Advisory team