Own your data, don’t let it own you

April 19, 2022

By Kristy M. Scott, CPA, CISA, CIA

In today’s world, individuals and businesses are creating data faster than ever before. According to Forbes magazine, 2.5 quintillion bytes of data were created each day in 2018, with the pace accelerating with the proliferation of the Internet of Things (IoT).1 How much data is that? Consider that 2.5 quintillion pennies laid flat would cover the Earth five times! Organizations are collecting and using data in unique ways to carry out their missions, reach new customers and enhance relationships with existing customers.

With organizations obtaining and storing more data, the importance of sound data and information technology governance becomes increasingly significant to maintain a positive reputation and achieve success. By collecting and using data, organizations are accepting additional risks and broadening their risk universe. An organization that does not completely understand its data is impeding its progress toward implementing appropriate policies, processes and disclosures to manage the associated risks. Developing a complete, accurate understanding of the data being collected and used is critical not only for protecting an organization, but also for maximizing the returns realized through data analytics and insights that can enrich business strategy and decisions.

Data collection and use

Data collection methods have evolved at a pace similar to that of data creation, and differ depending on an organization’s industry. Organizations in private industry may collect data on existing and potential customers with overall goals to increase sales revenue and market share. Conversely, government and nonprofit organizations may obtain and share data to better carry out missions and serve stakeholders. Technological change has required organizations within the private and public sectors to revisit and redesign how they are collecting and using data as part of their daily operations. 

In general, the most prevalent collection methods for an individual’s data are by: (1) asking for the data, (2) indirect tracking, (3) company records, (4) social media, and (5) obtaining the data through other companies.2,3 Below are examples of each of these collection methods:

  • Asking for data: Subscribing to a new service, completing a customer survey, registering with a new website to make a purchase or completing an application for a customer loyalty card
  • Indirect tracking: Website cookies, website beacons and location-sharing information through smartphones 4
  • Company records: Transaction histories, recorded customer service phone calls and submitted feedback 
  • Social media: Text mining of posts and comments and log-in records (for example, the use of a Facebook account to log in to a third-party application, such as Spotify) 
  • Obtaining data through other companies: Purchasing data from big data companies, such as Acxiom or Oracle 

Each of these collection methodologies has inherent risks and responsibilities, but common focus points among them are transparency and privacy. In looking across various privacy statements and disclosures from organizations in different industries, at a minimum, they typically include: 

  • Providing information on what data is being collected.
  • Details on how the data will be used.
  • Whether or not the data will be disclosed to any other parties.
  • How an individual can access his or her collected data.
  • How an individual can contact the organization collecting the data.

Individuals are demanding this level of transparency relative to the data collected on them and how it is being used. The ways in which organizations opt to communicate their privacy statements and disclosures may include verbal communications, pop-ups on websites and within smartphone applications, printed materials presented to individuals when doing business, etc. Without fully understanding its data, an organization is unable to prepare and make adequate privacy statements and disclosures to impacted individuals. 

Numerous well-known companies have experienced public backlash from not adequately communicating what data they are collecting. During 2018, MoviePass and Uber were subjected to scrutiny for their data collection practices and their implications for privacy rights.5

Additionally, outside of data collected on individuals, organizations may collect data from other external and internal sources. Depending on an organization’s financial and technological resources, the types of additional data collected can be seemingly limitless. An organization may collect data on transactions, internal processes, industry metrics, current events, market statistics, supplier service levels, etc. These types of data may not have the same level of sensitivity that an individual’s data has; however, an understanding of the information that is being collected across the organization is a powerful tool that cannot be fully realized without a commitment to do so. 

Recent examples of how companies have used data to their advantage include:6,7

  • Shell: Captured data from its facilities and machines around the world for use in predictive analytics to anticipate machine downtime and maintenance issues.
  • Dr. Pepper/Snapple Group: Used a platform equipped with machine learning and other analytics tools that references customer transactions and sales goals in order to make recommendations to salespeople and to track sales performance and other metrics. 
  • GE: Took more than 50 information silos related to direct material purchases and analyzed them to identify efficiency savings in procurement.
  • AT&T: Collected and analyzed data on customer service experiences to create simplified, actionable plans for customer care agents. 

Data inventory

Obstacles to effectively using or protecting organizational data are always present if an organization lacks a complete understanding of what data it is collecting, using and storing. Dedicating the time to documenting a comprehensive data inventory is a recommended first step. Several elements of a comprehensive data inventory and related documentation include:

  • Life cycle of data from collection to use to disposal.
  • Timeliness and volatility of the data relative to its intended use.
  • Consistency of data definitions among data providers, collectors and ultimate users.
  • Departments and business contacts most familiar with the data and its use.
  • Sensitivity and privacy classifications.
  • Priorities of data recovery during a disaster.
  • Retention and disposition timelines.

If an organization is unable to attest to what data it has, it is opening itself up to a myriad of consequences, which can include: decisions based on bad data, audit findings, legal liability and reputational damage. A lack of understanding around the data being collected and its use undermines the efforts made to initially collect it, which is also wasteful, as it affects organizational efficiency and effectiveness. Examples of ways organizations are wasteful with their data include: 

  • Excessive cleansing of the data because proper planning did not take place prior to collecting it.
  • Collecting the same data multiple times due to lack of awareness of the data needs and collection efforts across the organization.
  • Storing more back-up data than necessary and the associated costs, due to lack of alignment with the business continuity and disaster recovery plans.
  • Inefficiencies in assigned tasks and projects due to an inability to locate needed data.

The Control Objectives for Information and Related Technology (also known as COBIT) is a framework created by the Information Systems Audit and Control Association (ISACA) that addresses many of the challenges discussed above and provides a pathway for addressing them relative to data governance. COBIT depicts the life cycle of data and emphasizes understanding how different members of the organization will use the data, with a focus on data quality. ISACA highlights how data evolves into information, followed by knowledge and finally into organizational wisdom.8

ISACA provides a variety of resources that can be helpful in working to formalize an organization’s understanding of its data. A comprehensive data inventory is one of the most impactful but time-consuming initial steps in gaining this understanding. An organization’s data is one of its assets and deserves a comparable level of care and scrutiny. An organization’s understanding of its data is foundational for being able to adequately protect it, recognize where quality improvements are necessary and take advantage of its benefits.

Creating and maintaining a data inventory is a long-term investment. As with any investment, to realize a return, an organization must commit initial resources and carry out thorough research and consideration. Examples of initial outlays may include time and monetary commitments related to:

  • Bringing on new employees and/or cross-training existing employees who will be the leads in documenting and then maintaining the data inventory.
  • Needed modifications to existing information technology resources or the purchase of new resources to support the data inventory and need for any new, associated controls.
  • Engagement of information technology, legal counsel, public relations, marketing/advertising, internal/external auditors, and other specialists relative to your organization’s industry. They will assist in interpreting any takeaways from the data inventory that may carry legal, reputational, financial, or other business-related implications.
  • Establishing the linkage between data inventory and disaster recovery.
  • Establishing organizational awareness and data quality controls.

An organization with an up-to-date understanding of its data and how it is used will be a step ahead of others when developing and maintaining a comprehensive data privacy policy. With the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), data privacy has been receiving increased attention with a high likelihood of similar legislation forthcoming throughout the United States. An organization with a comprehensive data inventory will be able to quickly establish an action plan for achieving compliance with such data privacy legislation.9 Additional benefits of a comprehensive data inventory include:

  • Recognition of new reporting opportunities to communicate progress, performance, and other significant information to assist in decision-making.
  • Cost savings relative to eliminating redundant or unnecessary data, including storage costs.
  • Formalized data ownership and maintenance.
  • Improved coordination and execution of data-driven projects.
  • Opportunities to connect data to organizational strategy, goals and core competencies.

With all of the risks present from data collection and use, it can feel overwhelming for an organization to commit to improving its understanding of its data and to take the steps toward completing a data inventory. An important consideration when embarking on this is to acknowledge it will be an ongoing effort, not a one-time project with a finite start and end date. This is also a chance to collaborate across the organization to gain a more holistic view of the data available and how different business areas currently use it.

With the pace of technological and organizational changes and volume of data, re-affirming and updating an understanding of the organization’s data and its use presents ongoing benefits. In the age of negative publicity focusing on data compromises and breaches, as well as positive news stories highlighting competitive advantages and the ways companies are better able to serve their stakeholders through the use of data, do not allow your organization to be caught in the negative category or excluded from the positive category. As an organization, recognize your data for the asset that it is and the value it brings, and own your data through your understanding and use of it — do not let it own you!

Kristy M. Scott, CPA, CISA, CIA, is a senior auditor at the Virginia Retirement System in Richmond.

1.    Marr, Bernard. “How much data do we create every day? The mind-blowing stats everyone should read.” Forbes.com. May 21, 2018. 
2.    Uzialko, Adam C. “How businesses are collecting data (and what they’re doing with it).” Businessnewsdaily.com. Aug. 3, 2018.
3.    Goddard, William. “How do big companies collect customer data?” ITchronicles.com. Dec. 2018.
4.    “How stores follow every step you take.” Theatlantic.com. 
5.    “‘We know all about you’: MoviePass faces backlash over data collection.” CBSnews.com. March 8, 2018.
6.    Boulton, Clint. “10 data analytics success stories: An inside look.” CIO.com. Nov. 14, 2018.
7.    “How companies are using big data and analytics.” McKinsey.com. April 2016. 
8.    “Getting started with data governance using COBIT – Design and delivery of data governance.” ISACA.org.
9.    Couture, Nancy. “How data governance can support data privacy compliance.” CIO.com. Feb. 7, 2019.