In these tighter regulatory times companies are being asked to innovate in a smarter and more considerate manner. We've teamed up with the Data Protection Network and OneTrust for a new report which outlines how companies ought to approach this ...
Data-driven organisations face a plethora of challenges in today’s fiendishly complex and fast-moving regulatory and technological landscape. For that reason, the GMA hosts a quarterly breakfast briefing which takes stock of the biggest threats and opportunities requiring the attention of business leaders, CMOs, DPOs and anyone else responsible for taking a lead on data.
Here’s a round-up of the analysis and best practice tips from our most recent event…
GDPR and plotting global regulation trends
Key takeaway: Commit your organisation to the spirit of GDPR
As someone who leads engagements with many of the world’s leading technology companies, Robert is perfectly placed to discuss the evolving global regulatory environment.
He began by asserting that the implementation of GDPR on 25 May 2018 marked the end of the beginning. We find ourselves in a new era where regulators around the globe attempt to deliver greater consumer protection by forcing companies to be more transparent in the way they handle personal data.
It seems getting ahead of the curve will provide a competitive edge. As Robert explained:
“Investing in GDPR provides good ROI because the rest of the world will be quite similar. Companies should sell how forward-thinking they are when it comes to GDPR compliance because other legislators will likely follow suit.”
Robert pointed out how GDPR has raised the bar globally with clear trends emerging in how other territories are evolving legislation.
In 2018 California published the California Consumer Privacy Act of 2018, and Brazil, Bahrain, India, Kenya and South Africa are all implementing similar legislation granting enhanced rights to individuals and holding businesses more accountable. Washington State recently published a GDPR-style law and leaders from Snapchat, Google and others are calling for Federal legislation.
The globalisation of data protection rules means that multinationals are more likely to adopt a “one size fits all” approach, and it would seem that right now the GDPR, coupled with the draft law in California, is going to set the standard.
Building a data strategy into the heart of your business
Speaker: Samir Sharma, CEO at datazuum
Key takeaway: Improve data literacy across the organisation
As the CEO of a specialist data consulting firm, Samir works with executives in both the private and public sectors striving to use data to successfully transform their businesses.
Among the key issues he raised was the importance of establishing a data strategy at the heart of your organisation. He outlined four key elements:
1. Vision and leadership: leaders must understand what data can do and how it can be harnessed. The result will be improved decision-making and the ability to foster a company culture where the true value of data is grasped by all.
2. Governance: processes, controls, policies and procedures need to be in place to ensure data is clean and complies with relevant regulators.
3. Data literacy: needs to be established across the whole organisation. Data literacy can no longer be the sole domain of data specialists. A commitment to training and guidance is of paramount importance.
4. Investment: technology investment should ideally occur once the people, processes and culture are established. Business leaders need to develop a better understanding of what tech will provide maximum value and how it will be incorporated across the business.
Samir singled out how data literacy – the ability to read, work with, analyse and argue with data – is currently one of the biggest issues hindering organisations from harnessing data effectively.
According to Gartner, by 2020, 50% of organisations will lack sufficient AI and data literacy skills to achieve business value.
While we have endless streams of data and a growing ecosystem of technology solutions, there is a shortage of expertise in how to tie everything together and make sense of it all. Conquering data illiteracy in your organisation is an important step on the path towards unlocking its full potential.
Innovating with data the smart way
Speaker: Craig Hanna, Managing Editor of the GMA and Director at Cohesion web technologies.
Key takeaway: Identify the problem you need to solve
Craig is an experienced marketing consultant who has previously held roles at Econsultancy, Dupont and L’Oreal.
When people think innovation, they think technology. But as Craig pointed out:
“Data innovation is not just about technology, it’s also about strategy, culture and governance…A fool with a tool is still a fool.”
Every business must strive to innovate. But they must do so in a smart way. Innovations which improve an organisation’s ability to leverage data can drive greater productivity, provide better services to clients and customers, and consequently improve overall business performance.
However, many innovations fail, usually because they haven’t been asking the right question. Even the biggest and most data-savvy corporations have launched products which have been consigned to the scrapyard of doomed innovations. Remember Google Plus?
Google Plus was doomed because it failed to answer a fundamental question that should be asked of any innovation:
Why would people use Google Plus when they already have Facebook, Twitter and Instagram?
When it comes to innovating with data, you need to know what problem you’re trying to solve before you commit company funds and employee time.
Assessing data protection compliance risks
Key takeaway: Effective data governance provides the bedrock for safe innovation.
Simon is a professional data protection consultant and during the briefing he gave his expert insights on data governance and how to put accountability at the heart of your organisation. Simon encouraged delegates to get to know the breadth of their data processing right across their organisations.
When it comes to compliance with data laws, there needs to be an organisation-wide commitment to data protection. This requires any potential information security & privacy risks to be assessed across the whole business.
There are four areas to consider for your risk assessment:
1. Data Discovery
- What data is held in which systems?
- Who is accountable for the data?
2. Risk Assessment
- Identify & engage the functions which process personal data
- Document the processing (ROPA)
- Identify data security & privacy risks
3. Action Plan
What shall we do about it?
- Treat the risk
- Tolerate the risk
- Transfer the risk (e.g. outsource processing to a third party)
- Terminate the risk (i.e. stop doing it)
4. Measure & Monitor
- Operational dashboards
- Regular compliance assurance
Danger lurks for those businesses trying to sail as close to the wind as possible – a strong commitment to compliance as well as an ethical perspective on the uses of data is the best way to meet the obligation of Data Protection by Design and by Default as outlined by the ICO:
‘The GDPR requires you to put in place appropriate Technical and Organisational Measures (TOMs) to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.’
Ultimately, this will enable data marketing teams to utilise data with confidence, and free up teams to innovate without risk of falling foul of regulations.
Managing third-party data handlers
Speaker: Alex Cash, Sales Engineer Team Leader, OneTrust
Key takeaway: Thoroughly assess third party risk
As someone who works at a privacy management software platform which operates across multiple sectors and jurisdictions, Alex is only too aware of the problems faced by companies when it comes to vendors and third parties who manage personal data on their behalf.
How big is the risk and how can you manage it?
Alex shared a worrying statistic: 63 per cent of all data breaches can be linked directly or indirectly to third parties. Furthermore, if there was a data breach at a third party, only 37 per cent believe they would be notified.
Alex believes organisations are starting to wake up to the problem:
“The risks posed by third parties are generally better understood than they once were. I think many organisations prioritise their internal controls and governance, and now that’s in place they’re focusing on their partnerships, supply chains and relationships.”
He believes the number one problem is not only understanding who the third parties are, but who the fourth and fifth parties are too – and where the data is going along the supply chain. Knowing what information they’re sending and who they’re sending it to is a major area of concern:
“It’s possible that I’m sharing large data sets with a third party and they’re only sharing a subset of that with a fourth party, so knowing that upfront is a real challenge. But it’s also knowing where those fourth parties operate, which markets they’re in, where the data’s stored and any local laws around data residency or retention policies is also going to be a challenge.”
This means it’s vital to ensure that third parties hold fourth parties to the same standards.
“On top of that is the maintenance of that relationship. So reassessing risk, managing that risk, then dealing with those relationships as well are key areas.”
The risk posed by vendors is high and this emphasises the need for a watertight vendor-risk process. Making an appropriate vendor-risk assessment is the first step, preferably from an ISO-certified assessor.
Join the data driven discussion
At the end of our breakfast briefing a series of roundtable discussions gave attendees the opportunity to exchange insights on the trials and tribulations of using data and extracting maximum value from it. Feel free to add your own experiences in the comments below.