Data Capital: Be secure in the knowledge on data protection
COMMENT: Partner and Head of Data Privacy at legal firm Burness Paull David Goodbrand on how to ensure your info is a business asset not a liability
1 Understand what data you have, manage it well, and keep it safe
The amount of data that all organisations are collecting is rising exponentially – and it’s a real challenge for businesses to understand and have a genuine awareness of all their data.
Ask yourself questions: What data sets do you hold? Where is it held? Is it being collected and stored in different locations? Is it recorded in note form, rather than digitally? Do you have data silos, where certain data is only accessible by specific teams? How can you bring everything together effectively and transparently?
Record your data accurately. Manage it effectively. Protect it.
Larger organisations are more likely to maintain records of processing documentation, tracking metrics such as where things are held, who holds them, who has access, and how long they’re holding data. For medium and smaller businesses, it’s often more fragmented.
2 Data analytics done well differentiates good from great businesses
We see many examples of this among our clients. Cazoo, the online car retailer, for example, has a very streamlined data collection process, and is very good at tracking trends in the market and understanding how vehicles recirculate.
We also see large utility companies putting data lakes at the heart of their business and feeding everything off that single source of truth.
The financial services and fintech sectors use data analytics to improve internal operations, helping them better understand customers’ needs and wants, and generally helping them make informed decisions that promote better business outcomes.
3 Acquiring a business? Understand you will inherit data assets AND liabilities
You could be taking on a rich customer database, but actually inheriting problems too, if a data issue is lurking in the background.
Marriott Hotels revealed in 2018 that it suffered a large database breach, affecting up to 500 million guests of the Starwood hotel network, which Marriott acquired in 2016. The initial breach dated back to 2014, but Marriott had to take responsibility – including a fine of almost £100 million from the UK’s Information Commissioner’s Office, specifically citing Marriott’s failure to do due diligence on Starwood’s IT infrastructure.
4 Do your due diligence on any acquisition
The Marriott case, among others, highlights the vital need for due diligence on any acquisition. Ideally, take a deep forensic dive into the seller’s systems, although it’s unlikely a seller will grant unfettered access to data until after sale, so the buyer may still face some uncertainty.
Careful and thorough questioning is critical to assess whether a buyer can realise value in the relevant data.
We see huge development in the use of data due diligence questionnaires. Ask the right questions at the right time, and follow up to probe deeper into responses from the seller.
If the seller hasn’t done penetration testing on their systems or doesn’t have a disaster recovery or data breach plan in place, it paints a picture of their level of data maturity, and that feeds into the overall risk analysis. It will ring alarm bells if those things are not in place.
5 Be aware of database permissions
We see plenty of businesses acquired because of their rich customer database. One rationale for acquisition might be for the purchaser to cross-sell its own existing services and market its service to these customer databases.
However, it’s not always possible to do that unless you have particular consents and opt-ins from the various customers – so understanding what permissions customers have given in advance is key to unlocking full data value. That could make a major difference between whether the purchase is a success or otherwise.
6 Never underestimate the value of compliance
The cost of not doing something in the long run is always higher than having an appropriate, strong compliance programme in place. This might include having the right permissions, and ensuring your security is as good as possible.
Longer-term, that will pay dividends. Good compliance can avoid regulatory fines, negative brand associations or brand degradation that might come from data breaches. Cyber breaches impact on people’s trust in consumer brands.
7 React positively to a data breach
Data and cyber breaches can happen to any organisation – that’s the uncomfortable truth. It’s the reaction that sets you apart. Try to get on the front foot to prevent anything happening in the first place. How you respond to any breaches or issues that come up is absolutely key. Be ready. Have a plan.
8 Embrace a deep data culture
There is a huge variety of ‘data readiness’ across businesses. In the business-to-consumer field, like financial services and retail, there is deep understanding of data privacy, security and compliance. Yet many businesses don’t have that maturity or understanding of their rights, obligations and responsibilities, and don’t invest in this area as much. Ideally, you need specific people or teams tasked with data as part of their day-to-day activities, although resourcing is likely to vary massively depending on your organisation. For SMEs, it might be more difficult to justify having a dedicated resource. This is also an issue for fast-growing businesses like tech start-ups where compliance functions have run behind scale of growth.
9 Get rid of data you don’t need
There is always a temptation to hold onto all data collected. However, from a personal data perspective, there’s an obligation on companies to minimise the data they hold, and for how long.
It can be a liability to hold data that is out of date, inaccurate or no longer required. Businesses should be deleting unwanted data on a regular basis.
10 A good data culture starts at the top
When it comes to data compliance, the tone has to come from the top. An increasing number of executives and boards are aware of the power and value of data - and the information security and data privacy aspects of it. It is recognised as a valuable asset, but it can also be a massive liability if things are not managed correctly. So boards ought to understand what the organisation is doing to protect their data, and to invest in compliance activity to make sure that positive culture trickles down to everyone.
Regular training and information-sharing are key to protecting the data and the business.