As someone who has worked in the data industry for over three decades, I’ve watched with fascination as the use of personal data by businesses has been elevated to the top of the news and business agenda. The stories haven’t always been positive, of course—but encouragingly, there are a number of high-profile voices who are talking a lot of sense when it comes to best practice in use of data.
One of these is Dean Armstrong QC, who recently told the Daily Telegraph that companies have become “the custodians of data” and must use the valuable asset in the correct way. I am in complete agreement, but I understand why some business leaders may find such a grand charge quite intimidating—especially in a world in which the General Data Protection Regulation (GDPR) has forced firms to rethink their entire data strategy. Fortunately, there are clear steps businesses can take to ensure that they are living up to this new role as “custodians of data”.
Artificial intelligence: Data will be the differentiator in the marketplace
1) Appreciate the value of your data
I cannot emphasise enough the importance and value of data as one of the most important business assets. It must be treated with the same respect and attention as any other valuable and business critical asset. As part of a robust data strategy, implementing a strong data protection process is a good start. Ensuring that you are doing your due diligence here is the first and most important step. Companies should start by reviewing their existing information security practices and processes, ensuring they adhere to two key principles of privacy written into Article 25 of GDPR: Privacy by Design and Privacy by Default.
Privacy by Design is the principle that any action undertaken by a company involving personal data – whether that be the creation of a new technology, or the launch of a new service – should have data protection woven into the fabric of that action at every step. Privacy by Default, on the other hand, requires a company to apply the strictest privacy settings by default (without user input) once a service or product is in the public domain.
All data processing should abide by these two principles, as should all processing done by any third parties or suppliers who use the data collected by a company. Article 28 of GDPR has introduced more obligations for data processors as well as data controllers, meaning that the Information Commissioner’s Office (ICO) expects businesses to apply the same standards of due diligence to their suppliers as they do themselves.
A further consideration companies must make is whether the appointment of a Data Protection Officer (DPO) is necessary. A common misconception is that the legal obligation to appoint a DPO is dependent on the size of the company, however this obligation is actually measured against the scale of the data processing undertaken within a business.
For instance, if a business processes a large volume of personally identifiable information (PII) or special category data – which includes data such as a person’s racial or ethnic origins, political opinions, religious beliefs, and more – they will be required by law to appoint a DPO.
Data privacy can give businesses a competitive advantage
2) Take care of your data
Just as important as a review of data protection processes is an audit of the data itself. Companies need to ask themselves honest questions concerning the information they hold. What data they have, where they are holding it and, most importantly, why they are doing so. A business must have defined the legal basis behind its data processing under GDPR.
Once the reasoning behind holding data has been defined, it is vital to maintain data quality on an ongoing basis. Data is, after all, constantly changing because people are constantly changing. Its quality starts to decay from the moment it is collected, meaning businesses must have an effective and efficient data cleaning and maintenance service in place to satisfy data quality obligations under Article 5.1 of GDPR. It is important for businesses to remember that the ICO are concerned with any contravention of the GDPR and can apply the same level of fines for holding data that is inaccurate as for a data breach.
Not only will taking care of data enhance the reputation of a company as a custodian, it will also lead to valuable business benefit. Services and marketing can be far more effectively tailored to an audience if the information known about that audience is clean, accurate and of high quality.
Having clean data also lends itself to more efficient data representation, such as through a single customer view. A single customer view allows for an aggregated and accessible view of all the data held on an individual customer. It gives companies a comprehensive picture of their customers using personal preferences, demographics, history of interaction and more, and this all-inclusive portrait can be used to offer genuine personalisation or foster meaningful customer relationships.
Open banking and the challenge of customer data privacy
3) Do the right things with data, and reap the rewards
If the use of data has the potential to be both regulatory and commercially impactful, then implementing the right data strategy should be front of mind for many executives. In 2019 we’ll see a rise in appointment of chief data officers (CDO)—a board-level executive with the talent and experience to maximise the value of data in the short, medium or long term.
A CDO can drive transformational data policies, using the prominence of the role to unite disparate parts of a business under a forward-thinking strategy and culture. This is especially important at a time of fast paced technological change and cross-industry competition, where a strategy led by data insight is vital to keep pace. If an organisation has already made the wise decision to appoint a CDO, then it must ensure that they are given the ongoing resources to achieve their strategic objectives.
Ultimately, becoming a custodian of data, and continuing to use it to the fullest effect, is not a one-time fix. Following these three steps will certainly help businesses cement this title, but maintaining a reputation for the thoughtful and secure use of data is a continuous process. It lasts throughout the lifetime of the relationship between customer and business, relying on the trust built from a demonstrable history of protection, maintenance and positive strategy.