Responsibly leveraging data in the marketplace Key elements of a leading approach to data-use governance


Post on 22-May-2020


Executive summary

Companies everywhere face a growing challenge: how to use the vast amounts of data about individuals they now gather to create greater value for themselves and their customers while not crossing the line into unethical, unlawful, or unwanted use. For companies to effectively balance opportunity and risk, they should build data-use governance capabilities into their data privacy program.

In the first installment of our two-part series, we looked at some of the major opportunities and risks inherent in data use, including the shifting focus of global regulation and regulators. We also presented a maturity spectrum that illustrates the key capabilities and practices that can help companies effectively manage risks and thoroughly leverage the value-creating potential of data use.

In this second installment, we explore how companies can increase their maturity by adopting a formal approach to data-use governance that can guide the development of these capabilities and practices. Organizations that can build out these capabilities may benefit from competitive differentiation, leveraging the full value creation of data.


Toward greater maturity – A formal approach to data-use governance

Legal requirements such as the General Data Protection Regulation (GDPR) in Europe and U.S. Federal Trade Commission consent decrees, as well as publicly stated regulator expectations, have made a well-functioning, accountable privacy program an imperative for contemporary organizations.¹ An increasingly important element of such a privacy program is a formal, robust approach to data-use governance—one that helps companies use the vast amounts of data about individuals they gather to create greater value for themselves and their customers while lessening the myriad of risks inherent in doing so. In fact, we are rapidly moving to a world in which organizations are expected to have a mature governance approach that enables them to use data responsibly, legally, and fairly while adequately protecting data.

What does a mature governance approach look like? At a high level, it spans across the enterprise, enabling a company to manage the benefit-risk tradeoff of data use in a coordinated, cross-company way. It also is fluid and responsive to business drivers or regulatory changes.

At a more granular level, a mature approach to data-use governance is characterized by both a deep understanding of where data resides and how it is accessed, used, and retained; and a robust data-use governance structure that guides the development of the practices and capabilities necessary to manage data use effectively on an ongoing basis.

1 “Getting Accountability Right with a Privacy Management Program,” April 2012. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/gl_acc_201204/


Getting a handle on data and its use

Organizations today are confounded by the massive amounts of data they create and can access. Often, the sheer scale of their data is compounded by the reality that data often resides in many different systems and silos—both inside the organization and with external partners. These silos could be business units, lines of business, functions such as marketing or customer service, or even separate databases within the same function.

Before an organization can unlock the value in its data, it needs the answers to seven questions:

• What data do we have?
• Where does it reside?
• Is data being collected broadly and retained indefinitely by default, or has collection and retention been tailored?
• How is that data being used, and by whom?
• Is that use appropriate and optimal for that data, and is the data optimal for its use?
• Is data being used consistent with legal obligations, customer expectations, and the company's values?
• How might the data be used differently in the future?

Answering these questions is not easy, especially in larger organizations whose data and data use is widely dispersed. This is why technology-enabled tools can be helpful in discovering data assets. With such tools, a company can create a visual model of where data resides, as well as how data moves through the organization and its partners. Current technology tools, however, do not yet provide a complete picture of how data is being used.

The benefits of this exercise are twofold: it helps an organization identify how it can more effectively protect data and use it to create value. And it can help pinpoint over- or under-protected data assets, quality issues with data, redundant data sets, and replicated data stores, all of which are opportunities for cost savings and increased efficiencies.

But even organizations with the greatest resources have limits on how much time and money they can devote to data governance. To help focus efforts on the most valuable and sensitive data, most organizations have made some attempt to develop and implement a classification schema, with more sensitive data attracting stronger, and more expansive, protections.

Yet such traditional classifications, while important, are either too narrow or no longer effective on their own. This is because they don’t consider both the type of data and its use. Companies should use this broader approach to data classification because the definition of “sensitive” has also expanded to include data use. Certainly, a particular type of data may, in itself, be sensitive and need to be secured in a certain way. Credit card data is a good example. The vast majority of companies view credit card data as inherently sensitive and take appropriate steps to protect it.

But how should companies manage nontraditional data that could be used in a sensitive way—for instance, a person’s steps measured by a personal fitness tracker? Some individuals might not see such data as inherently sensitive. However, combining it with other lifestyle, demographic, or psychographic data on the user could provide a reasonably accurate picture of the individual’s overall health—and potentially even the person’s risk of certain types of health incidences. Using these types of insights could easily be considered a sensitive use of information. Further, a recent study concluded consumers need to be better informed about fitness tracking systems’ privacy and security practices to help them decide whether or not they are comfortable with the usage of their fitness data. Data use that may be “surprising” to a consumer is but one area companies need to consider as appropriate use and establish ways to inform their customers.

By establishing data-classification principles across the enterprise that include data use, an organization can determine how to protect each type of data asset regardless of form and location and make informed decisions about how types of data may be used. Typically, the higher the degree of impact on an individual that use of the data could have, the more a company must be concerned about the accuracy, efficacy, and provenance of the data on which decisions are based. In this way, data is treated more like a productive asset than something that must simply be protected.

Currently, no industry standard of such a broader classification exists. Organizations that want to enhance their data-use governance capabilities will need to develop one that takes into account their own unique uses of data as well as their processes and business models.


Creating a robust data-use governance structure

Beyond developing a deeper understanding of their current data collection and usage, companies should also build a governance structure that enables them to develop and maintain the practices and capabilities needed to manage data use more effectively. This data-use governance structure should be holistic and enterprise-wide, as well as fluid and responsive so it can flex with business drivers or regulatory changes. It should align with the company’s existing data-governance and data-protection governance structures, as well as help support the company’s overarching information governance.

A formal data-use governance structure comprises four main pillars: strategy, people, policies and processes, and monitoring and improvement (Figure 1). Within each are several things that organizations need to get right to help make the structure effective, sustainable, and responsive to the company’s needs.

Figure 1: Data-use governance. Four pillars of an effective data-use governance structure

Strategy. A clear mandate and position on data-use governance within the enterprise:

• Establishes company-wide goals for data use
• Aligns data-driven objectives with business strategy and company values
• Positions data-use governance across the enterprise

People. A well-structured organization of core data-use roles and governance bodies:

• Establishes a top-down model, with executive support
• Assigns responsibility for data-use and protection decisions
• Defines roles and responsibilities
• Outlines the decision-making process

Policies and processes. A set of policies and processes necessary to facilitate and help maximize results:

• Introduces rules and guidelines to govern data-use process
• Delineates when to apply rules and guidelines
• Outlines a path for decision making and escalation

Monitoring and improvement. A cadence of maintenance through monitoring and continual improvement:

• Facilitates compliance and oversight with policy and procedures
• Defines a set of metrics for reporting
• Identifies areas for enhancement
• Implements technology solutions to automate processes


Strategy

The foundation of a data-use governance structure is strategy. A data-use strategy, in conjunction with a business vision, is critical for two reasons: it ties data-use governance to business objectives and it creates a “value-adding” function rather than one that simply facilitates compliance. Both are vital to helping the company get the most from its data.

A data-use strategy achieves those dual goals in several key ways. First, it helps establish company-wide goals for data use as a core driver of value, encompassing both current and likely future strategic uses of information. It aligns these goals with the enterprise business strategy and data initiatives, as well as with risk management objectives. It also aligns data-driven projects with company values, strategic goals and business outcomes. Finally, it appropriately positions and aligns data-use governance with existing information governance functions such as privacy, security, and data management.

People

The people pillar addresses the “who” of data-use governance:

• People responsible and accountable for making data use and protection decisions;
• How those people are organized;
• Their reporting relationships within the larger enterprise; and
• How the company will deploy the decision-making framework through the organization.

Companies can approach this dimension in several ways. For example, some companies may put in place a federated governance structure with representation from and executive sponsorship of each key business unit that uses data. These companies also place responsibility for information governance with an executive-level officer.

Some companies may assemble centralized data-governance teams. These organizations assess new data initiatives through the customer lens to determine if proposed uses are legal, fair, and ethical. Such assessments either directly involve or are led by the data privacy team, which always should be a key stakeholder in data-use governance.

Governance teams also involve engineering and include senior architects, business leaders, privacy and security professionals, data scientists, and data analysts. A quarterly reporting process to an executive board, which acts as the team’s sponsors, serves as a venue through which the team assesses the decisions it has made. Architectural and infrastructure needs regarding data—for example, establishing and implementing corporate data standards—are often managed separately. But even so, they also are reported to an executive sponsorship board. Working groups are established and sponsored as required to address specific business needs.

In other leading companies, the privacy office may act as a central program office. It handles the policies and procedures relating to data and data use across the enterprise and works with business units to make them operational.

Regardless of the approach employed, all share a common denominator: they explicitly anchor responsibility for the effective operation of the governance program with some person or group of people. This could be dedicated resources such as a program management office or a traditional function or professional such as the chief privacy officer.

Policies and processes

The policies and process pillar addresses the “how” of data-use governance: the ways in which a company creates, stores, uses, protects, archives, and deletes data. While numerous processes can be part of an information governance structure, three are core to those that are most effective.

Managing rules and guidelines

One is the process for managing rules and guidelines, which helps a company apply a data use and classification schema consistently and smoothly across the organization. This process helps the company not only initially define its rules and guidelines for data use and protection, but also maintain them over their lifecycle to keep them relevant and effective (Figure 2).

Currently, this process is not used widely. In fact, even class-leading companies are still working to develop it. Organizations are typically better at establishing rules and guidelines to meet a legal requirement. But they’re less mature in figuring out how to achieve an ethical objective simply because the concept is so new. Very few companies have reached the level where they can say they’ve fully codified their ethical values or have a formal process through which they do that. Those that do could find themselves a magnet for employees, customers, and even investors who increasingly favor organizations that operate ethically and responsibly. In fact, several studies have confirmed that companies operating ethically outperform others in revenue and profitability.²

2 “Cashing in on the Ethical Advantage,” Andrew Leigh, November 5, 2013. http://www.consultant-news.com/article_display.aspx?id=10798


Figure 2

Rules and guidelines: The importance of each

A common challenge companies face is whether they can consistently and smoothly apply their data-classification schema across the organization regardless of who is using the data or the specific use case. In other words, they have to make it clear to employees what’s allowed, what’s not allowed, and when employees must seek help from a “higher power.” This is the function of rules and guidelines.

Rules are just what one might expect them to be: non-negotiable edicts that must be followed. For example, a rule might call out specific uses of certain types of data that are explicitly against the law and, thus, are prohibited; or it might state that certain data must be protected in a very specific way.

Rules make it clear what constraints the company has in what it can do with data. Constraints could be internal such as a particular company policy; external, such as uses that are prohibited by law; or contractual, such as uses that are not allowed by the third party from which the company had purchased the data.

Guidelines, on the other hand, help companies balance potential and protection by leading users to ask the right questions rather than giving them “the answers.”

For instance, they offer boundaries within which users have a degree of discretion and latitude when deciding how to use and protect data. A good example is guidelines concerning new use cases for existing data. Data can end up being used in very different ways than those the organization envisioned when it collected it. Thus, organizations should develop guidelines based on their values or ethics that go beyond simply focusing on how data is used today and can accommodate unforeseen future uses.

Guidelines also can help a user think through a benefits/risk assessment when considering a new use case for data. One company, for example, starts each potential data collection or use initiative by defining the expected business outcomes from the activity. Understanding explicitly what the company hopes to accomplish enables the company to more effectively determine whether the initiative is worth the effort and the risk, as well as establish clearer principles for the initiative to follow.

Good guidelines help companies address grey areas in which the “right” answer isn’t always clear. Personalization is a good example. People tend to fall somewhere on a personalization spectrum. At one end are individuals who eschew personalization because they don’t want to share the type of information that’s needed to tailor offerings and engagement. At the other end are those who give a company permission to freely use their data because they truly appreciate and value personalization. Guidelines help a company determine how it should use and protect data about customers at either end, as well as at points in between.

Importantly, guidelines should consider the ethical threshold for how the data is used. When dealing with the “value” side of the data-use equation, guidelines should consider how the benefits of data use accrue to individuals as well as to the company. If regulators perceive there’s an imbalance that favors the organization, they are more likely to step in and take action.


Delineating the application of rules and guidelines

A second process is the one that calls out how and when the company applies the rules and guidelines for actual decision making.

For instance, in some companies, nearly every data decision may be subject to an initial impact assessment. This assessment, based on the traditional Privacy Impact Assessment structure, may also require analysis by a core governance team, which looks at the data use from a broad perspective and the impact on the customer. The process can also engage a gatekeeper, who will not approve a project unless it has undergone an Impact Assessment.

A growing number of organizations with more mature data-use governance capabilities support this decision-making process with a self-service capability to reduce the load on the core team and speed up the process. Such self-service models typically include a decision tree that helps guide practitioners to a decision based on a set of questions. In some cases, someone—for example, a privacy professional—may have to step in and actually make the call.

Supporting escalation

A third key process is the one supporting escalation. Even organizations that have a fairly well-defined governance structure occasionally face a dilemma: The business wants to use data in a way that’s not explicitly dealt with by the governance structure or that could be perceived as inconsistent with the company’s overall objectives and values. The escalation process defines how to resolve the situation, which typically involves first sending the issue to the executive council for a benefit-risk tradeoff discussion. If necessary, senior leadership is ultimately called upon to make the final decision.

As is the case with the organizational element of the governance structure, mature governance processes have oversight and accountability at the senior executive level of business functions as well as risk, legal, and IT. And they have a reporting process that allows these senior leaders to exercise their responsibility.


Monitoring and improvement

Establishing a data-use governance program is the important beginning of an ongoing process. With the world changing as rapidly as it does, a company needs to monitor its data-use governance program on a continual basis. Doing so helps facilitate compliance with established policy and procedures and highlights areas for continuous improvements. Three things are especially important to effective monitoring and improvement.

First, a company needs a defined set of metrics or measures that it can use to measure the program’s effectiveness and maturity. These metrics should form the basis of regular reports provided to senior management and other executive-level bodies to help inform their decision making.

Second, regular reviews by the governance team are needed to determine the effectiveness of their policies and processes and identify enhancements to governance activities. The results of these reviews should be integrated with internal audit and the enterprise risk management (ERM) program.

Third, a company should, where possible, use technology solutions to automate data-use governance processes. This is particularly true for those involved with locating where data resides across the organization, managing the requirements through product or initiative development, and verifying access control or identifying anomalous behavior.


Making data-use governance a strategic imperative

Data-use governance, as part of an evolving approach to privacy, has become both strategically important to many types of organizations and more challenging than ever to excel at. Opportunities to use data for beneficial results are exploding, as are the potential risks associated with that use. Yet the sheer amount of data companies generate can make it difficult to get a handle on.

Some organizations are faring better than others. Those with more mature data-use governance practices gain a strategic advantage by excelling in leveraging data’s upside while managing risk and reducing costs. Those with less-mature capabilities and practices are playing catch-up. They must quickly shore up their basic understanding of the data they collect and maintain, as well as define and implement a formal governance structure for the ongoing management of data use.

Organizations should develop the capabilities needed to enable a more robust, mature approach to governing data use that meets the expectations of the market and regulators and creates greater value for companies and their customers in a legal, fair, and ethical way.


For a deeper conversation about data-use governance, please contact us:

Jay Cline, Principal, PwC
Joe DiVito, Principal, PwC
Carolyn Holcomb, Partner, PwC
Jacky Wagner, Managing Director, PwC
Peter Cullen, Privacy Innovation Strategist, PwC

© 2016 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.