Ravi Krishnan
Director - Analytics & Decisioning Transformation
TransUnion
MODERATOR
Linh Nguyen
Director, Enterprise Data Governance
Edward Jones
PANELIST
Laté Lawson
Senior Director, Customer Information Design & Operations
Grainger
PANELIST
OCTOBER 2020
Data privacy is nothing new. Where previous concerns were rooted in access to data, new concerns have propagated from the pandemic; and while those existing privacy issues haven’t disappeared, they have been augmented by a heightened sense of awareness. The latest privacy challenge data and analytics leaders are facing is the increased volume and complexity of data sets and regulations or new data uses, like employee tracking.
Previously, most organizations were not concerned with office swipes or monitoring who was logging into what machines. But with the pandemic and importance of contact tracing, advanced analytics become integral to disaster response plans to allow for rapid recovery. Traditionally a back-burner issue, suddenly major organizations find themselves implementing disaster recovery plans. If this continues for a prolonged period of time, some states or industries could find themselves facing new regulations regarding, for example, how long people can or should be online during a day, respect for time zones, etc., leading to concerns about what PII can or should be shared with the business or with external partners.
Managing Data Privacy Holistically
An area gaining traction in the wake of this latest disruption is technology adoption. CDAOs often get excited about new technologies, but need to remember to view the system holistically. It’s about the people, then the process, then the technology. In order to have a durable solution, a data leader needs to orchestrate all of these levers in a way that allows for execution within the company’s reality and with the best possible outcome.
Focusing on closing the data loop is one method of managing data privacy holistically. Many tools are excellent at enabling an organization to react – but those tools need to be supplemented with processes that allow the business to not only react quickly and effectively, but to also identify why the problem happened in the first place. Neglecting to close the loop can add another layer of complexity to an already heterogeneous data ecosystem.
One executive mentioned the creation of controlled user groups, which have the unintended consequence of creating data silos; likening it to a double-edged sword. Controlled access is implemented across the enterprise, but the data is not able to be fully integrated at a centralized location to create powerful information or insights. Over time, with the right processes and evolution of tools, data leaders will be able to get to a sweet spot, so that it is no longer a matter of restricting access. As one data leader questioned: In a world where information is a catalyst to success, should we be seeking to restrict access more so than give access?
If information is a catalyst to success, should we be seeking to restrict access more so than give access?
Data Privacy & Data Governance Strategy
Business ownership can also be the missing ingredient for a mature data privacy and governance framework, and at the same time, is crucial to its success. The data leader can be likened to the spider in the middle of the web. If a strand snaps, the ability of the CDAO to do their job severely diminishes. At every touchpoint, CDAOs should seek to ensure that data is entering ecosystems correctly at the point of entry, and a large part of that responsibility falls on key partners understanding, enforcing and validating rules. It’s a careful balance that requires established governance principles and one that can be counterbalanced by strategic use of internal partners.
An organization’s legal department can give data leaders quite a bit of guidance. CCPA, for example, could have been an unmitigated disaster for many organizations without said guidance. Legal departments, through due diligence, enable privacy rules and recommendations to become best practices. They also assist CDAOs in refocusing their energies in the right direction with realistic timelines, and they understand not just the letter of the law, but also the spirit of the law to do the right thing for the business and the customer.
Solving the Privacy Paradox
But words like “regulations,” “compliance,” or “governance” are often seen as punitive to many other data end-users, causing adoption of privacy best practices to stagnate. It becomes about aligning best practices with recognition that each vertical and function has its own mandates. The challenge to CDAOs lies in demonstrating the value they provide. Not only is it about partnerships and collaboration, but also about mindset.
Privacy becomes everybody’s issue, and CDAOs can embed those practices in process so the processes themselves, if designed correctly and not as bureaucratic, will be perceived as helping the overall business rather than punishing individual units for failing to comply. It is at this point data leaders can gain commitment from stakeholders and the internal data community. If a data leader is always fighting fire with fire, they will never have the headspace to lay the foundation for the future.
It is the privacy paradigm – everything is copacetic until you are bitten, at which point you take 10 steps back. For privacy policies to be effective, the organization needs to remain three steps ahead. CDAOs will consider their frameworks fully mature when they are able to do governance without ever saying the word. If you can achieve that nirvana, as a CDAO, you know you’re doing everything right.
by CDAOs, for CDAOs
Join the conversation with peers in your local CDAO community.