4 minute read 26 Oct 2018
Can your data strategy be your competitive strategy?

By

Yogen Appalraju

EY Canada Cybersecurity Leader

Committed to helping clients minimize the impact of cyber threats. Proud husband and father.

Moving data privacy and protection from compliance issue to strategic driver can set you apart in a competitive market.

Data isn’t just a compliance issue anymore. From privacy to protection, the way you handle data is a strategic driver that can set your organization apart in the market.

Don’t be fooled: compliance still matters. The sheer volume of regulatory requirements, compounded by regulatory changes, will keep compliance high on the boardroom agenda for years to come. From the European Union’s General Data Protection Regulation to the Personal Information Protection and Electronic Documents Act, businesses can’t afford not to stay on top of these evolving rules.

Still, framing privacy with a purely compliance-centric view can overshadow the opportunities to be found when you advance your company’s data privacy and protection profile. In the age of increasing consumer awareness and digital interconnectivity, transparency is key to achieving and maintaining client trust.

A properly executed data privacy plan (DPP) strategy that incorporates customer rights and ethical use of data can build on that to give you a competitive advantage. But keep in mind: the risks of getting your approach wrong carry real weight in a world where mismanaged data can result in litigation, regulatory action, reputational damage, a dip in market value, and direct financial loss.

How can you bake the right risk management elements into your data and privacy protection program? Focusing on three key pillars at the design stage is fundamental to ensuring your program isn’t just effective now, but sustainable in future, too.

1.  Make governance the foundation of your program.

At the governance stage, the goal is to understand the changing regulatory landscape your organization faces, and dig deep into the complexities specific to your organization. You’ll flesh out the links between DPP and business initiatives, such as digital transformation and analytics. By uncovering the gaps between current and desired state, you’ll start to shape your approach to DPP regulation compliance, while checking important themes like current data processing roles, responsibilities, data leakage procedures, data flows, and data usage.

Bridging from that fact-finding to a ‘privacy by design’ approach where you draw a practical roadmap comes next. This includes clearly stating goals and purposes to foster organizational acceptance. It’s important to factor in data flow mapping, data breach notification and incident management processes, privacy impact assessments, and a privacy management and accountability program at this stage of the game.

2.  Assess your use of data from all angles.

You can make great use of the data your organization collects, while simultaneously enabling privacy compliance. Having the full picture of the ways your organization is currently using data is the first step to understanding where hidden opportunities lie. Will it be necessary to make data anonymous in your future state, or should you apply pseudonyms to data tags? Does your identity and access management program both meet DPP compliance requirements and respond to broader organizational needs? Does cross-border data management require specific policies? Do you have the right data retention and records management structure in place? On the flip side, do you have a deep enough understanding of the organization’s data flow to effectively mitigate leakage and respond to incidents? Asking these critical questions now plays a big part in fleshing out your program approach, and ensuring it’s ultimately fit for purpose at your organization.

3.  Validate, validate, validate.

Every organization is unique. True, too, for its DPP needs. Organizational set-up, maturity and resourcing will all play a part in ultimately determining how your program comes together, and how you’ll support it over the long term. You may decide to outsource repeatable tasks by using services such as a managed privacy impact assessment. Or you may find you need guidance to support monitoring activities through managed data privacy analytics. At the validation stage, testing the design can help you determine where you might need to invest differentially, and plan accordingly. 

Are you ready to transform?

Privacy program transformation should be on everyone’s agenda. Mapping out the best ways to integrate privacy-related components into your company’s daily processes can act as a driver for keeping up with the changing privacy regulatory landscape. It can also help raise your organization’s overall data maturity. By doing this, you can extend your existing data usage capabilities, and increase the effectiveness of current data analytics and dashboarding activities – all significant steps forward in your transformation journey, and your market value.  

Summary

From privacy to protection, the way you handle data is a strategic driver that can set your organization apart. Building a program that weaves in strong governance, a smart approach, and the right validation steps can help turn your data strategy into a competitive edge.
