With Data Privacy Day coming up on Jan. 28, there’s no better time to assess the impactful role data plays in modern business – and the challenges we face in data protection.
The need to address the issue is critical. At least 980 known breaches affected private and public organizations in 2016, exposing more than 35 million records. Given this risk, many organizations are supplementing their security infrastructure to lock their data away and keep it safe. They are treating one of their greatest assets (information) as a liability instead of as an asset on which to build their business.
I recently sat down with Cisco Chief Privacy Officer Michelle Dennedy to discuss data’s value to organizations and how they can use it without sacrificing partners’ and customers’ privacy and trust. Michelle is the co-author of “The Privacy Engineer’s Manifesto” and leads Cisco’s efforts to raise awareness and create tools that promote privacy, quality, integrity, respect and asset-level possibilities for data. Michelle is also speaking at the National Cyber Security Alliance’s Data Privacy Day 2017 event on Thursday, Jan. 26.
What is the difference between viewing data as an asset and considering it a liability? How does this change its usefulness for businesses?
It’s very simple: un-utilized data becomes a liability. Data is never neutral. Either you’re leveraging it to provide services, build relationships and otherwise improve your business or it is static and causing risk because you are not protecting it well. Data can either move your company forward or cause pain.
How do we change the perception of data as a liability within organizations?
You must develop an active business plan for it. All organizations should think through what data they truly need to make better business decisions. This involves quality, Big Data and analytics.
Then approach it like your quarterly budget: We assess how much we can spend and determine whether money is going to the right places. Why can’t we do that with data? Review it quarterly to make sure it’s enabling you to achieve your goals, just as you would with any tangible asset. Look at which data is being used wisely and which isn’t. If it isn’t, get rid of it!
Think about it from a consumer perspective: I love sitting in my car, but I didn’t buy it because it’s comfortable. I bought it because it gets me where I have to go. Similarly, we should think of data as a vehicle that can take us where we have to go instead of letting it sit around creating risk.
These practices will help organizations strike the right balance between privacy/security and the opportunities the data presents.
Who are the key stakeholders who need to be involved with this?
Well, I could say “everyone,” but that’s a predictable answer. For primary players, we can start with board members. We’re seeing breaches affect every category of organization. You no longer have a choice to be secure or not, yet many boards aren’t involved with data risk mitigation.
We can include people in charge of human capital, overseeing lots of internal data. For external data, there are the people who drive customer relationship and experience initiatives.
Ultimately, change occurs when we realize information is about other human beings and develop ways to work more effectively, efficiently, securely and ethically with data. Only then will we have the means to adequately respond when people make mistakes with data, which is inevitable. When you combine threat awareness, technology tools and attention to data as an asset, you establish a dynamic, risk-based approach. That approach must also engage your people, or you need to get out of the game.
How do you foster this specifically within an organization like Cisco?
From my experience, I view data as an asset strategy opportunity. I want to make it trustworthy, valuable and sustainable.
Toward this end, we prioritize data and identify how and how many team members can access it. Who’s keeping it safe? If you don’t know that, you won’t be able to protect it.
Then, we manage data in a contextually appropriate way. If it’s going across borders, for example, do I have the proper permissions and consents? The right proportionality of data to grow my business? Or, consider the Internet of Things (IoT). Everyone is concerned about breaches in connected technologies like smart health and smart manufacturing. So we come up with people- and technology-driven approaches to mitigate risks while still looking at innovations like IoT as growth opportunities.
I always ask sales teams, “What is the data friction you face? What is slowing you down?” It may be that customers are asking for a joint liability arrangement for data, because it’s now shared over time. This kind of discussion allows us to digitize our environment and drive business while lowering liability for emerging technologies that will last ten years or longer.
How should organizations communicate their use of data to customers and partners?
Develop a strong privacy policy and share it with everyone. Take advantage of it to tell a compelling story about your company and its integrity. Even if the policy involves a lot of complicated parts, find a simple and engaging way to explain it. I’ve seen companies do this with videos and cartoons to make their story clear, accessible and interesting. It should be interactive too.
If people send comments about your data use policy, use it as a branding opportunity and show them that you’re taking this very seriously in your response. At the same time, you’re conveying as much transparency as possible about your intentions and oversight of data. Being forthright about this will always help build customer trust and brand loyalty.