Governing data sharing activities can be a challenge – so how are organisations setting themselves up to overcome this and deliver benefits? | Deloitte UK has been saved
Covid-19 has driven unprecedented demand for data, in particular the need to share data between public, private, and voluntary organisations to protect those most at risk during the pandemic.
The desire to increase data sharing practices is echoed by both the government and ICO, who wish to improve organisations’ knowledge in responsible data sharing practices. Why? Data sharing can drive sizeable growth and innovation, for example the launch of Open Banking in 2018 has allowed customers to share their financial data with other organisations giving access to new services.
What constitutes a data share?
The ICO defines a data share1 as “the sharing of personal data between organisations that are controllers. It includes when you give access to data to a third party, by whatever means. Data Sharing can take place in a routine, scheduled way or on a one-off basis.”
What are some of the barriers to sharing data?
Our work across both public and private sector has given us first-hand experience of organisations’ ambitions to share data to improve services, innovate and benefit customers and citizens. On the other hand, we have also seen how sharing data can be fraught with several complex challenges that are often thought to outweigh the benefit such as legal and regulatory constraints, resource limitations, and fear of reputational damage or enforcement action.
What are the key considerations when assessing a data share?
Any decision to share data should consider a range of impacts including its Purpose, Legalities, Security and Operational Risk. Effective governance therefore requires a defined policy and evaluation process developed through engagement with multiple stakeholders.
Decisions to relocate an organisation’s data assets cannot be made ‘off-the-cuff’ without incurring high levels of risk or delay. A data sharing strategy, backed with a defined policy and case approval process, is key to maintaining delivery pace while mitigating risk. One option is to establish a governance forum, consisting of members from Data Protection, Security, Architecture, Legal and Data and Analytics who can review and approve requests using a risk-based approach, for example:
This risk-based approach can then be used to determine the level of governance required for a data share: low risk shares require the least governance, and high risk shares require the most. The following topics should be used to consider the risk level of a data share:
Based on these insights, what should your organisation be thinking about to better govern data shares and manage risk more effectively?
Consider the following key steps to enhancing the capability to scale data shares whilst maintaining governance and control:
Emily leads the Information Management Team for Corporate and Public Sector in Deloitte’s Data Risk & Analytics team. She helps organisations to establish governance, controls and organisational structure to treat data as a corporate asset, both by mitigating risks and driving value. Emily is an Information Management professional with over 15 years of experience.
Dom has 6+ years of experience in Information Management and leads the Data Strategy Capability as part of the Corporate and Public Sector team in Deloitte’s Data Risk & Analytics team. Prior to leading this capability, Dom led the Data Governance Capability within the same team. Dom has advised a number of large organisations, namely Government Departments, to address their information challenges including data strategy and the assessment, design and implementation of data governance capabilities.
Deirdre has 6+ years of experience in Information Management and leads the Data Governance Capability as part of the Corporate and Public Sector team in Deloitte’s Data Risk & Analytics team. Deirdre focuses on leading practice delivery of large scale, complex data driven transformations, supporting clients to understand how to overcome challenges enabling them tap into the true value of their data. Prior to joining Deloitte Deirdre became a qualified accountant working in management and risk consulting across Ireland and Australia. Deirdre focused on transformation projects around data management, process and control improvement and compliance within Financial services. Deirdre's was responsible for data analysis, data testing, leading workshops and managing projects.