4 minute read 4 Nov 2020
Friends discuss investing and cryptocurrency trading

How organizations can safely unleash the value of data

By Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.

4 minute read 4 Nov 2020

Realize the true value of data by enabling teams with self-service thinking and intelligent tools for automated decision making.  

In brief
  • Intelligent tools help teams automate data privacy compliance checks, enabling more-informed decision-making before product, initiative or service launches.
  • Organizations can embed better thinking on data privacy compliance and help promote a culture of “Privacy by Design” by adopting the use of intelligent tools.

Data Privacy. Two words that conjure images of barriers, complication and headaches to dozens of teams across organizations and governments sprinting to deliver new products and services in an increasingly agile world.

They are all keen to create value from the personal data they are gathering – or perhaps already hold – such ambition will be dependent on complying with data privacy laws and regulations. It is also dependent on the additional challenge of frequently having to do more with less, with budgets that have been historically stretched.

But what if it was possible to address any privacy compliance issues concurrent with a new app being developed? What if an agile team was effectively able to “self-serve” its privacy needs? What if there was an intelligent workflow tool that enabled them to make informed decisions along the way? This tool ensures that all compliance risks are taken into account before launching any new initiative— rather than discovering after the event that there is a problem, with all of the inherent costs and frustrations that would bring.

Context is everything in re-using data

To achieve the ultimate goal of extracting value from data, you first have to build in control over that data. That means knowing what data you hold, having transparency over where it is stored, and understanding why it is collected and on what legal grounds. You must also know why it is stored and whether it is received from a third-party. Context is everything.

Applying privacy mandates to the primary purpose for data collection (for example, a contract) and tracking it back to its source—the so-called data lineage—is not a "nice to have" – it is essential. Also important in this context is that this same data cannot necessarily be used for a secondary purpose — for example, to gain data insights to offer discounts and build customer loyalty, or to launch a new product or service — without reference to relevant legal or ethical restrictions on data usage that will undoubtedly apply. An example of not knowing the primary purpose of data collection is when organizations store information into large datalakes without tracking where the data originates from. If data is subsequently used for other secondary purposes, companies may not comply with the privacy legislation, which may have a consequence for its business and commercial value.

For example, imagine a bank that holds significant volumes of data from customers who have mortgages, credit cards, or other such core services defined in the bank's Register Of Processing Activities (ROPA) for the purposes of processing personal data. Imagine also an agile team is keen to access this data and market the launch of a mobile banking app, based on specific payment behavior to specific groups within this dataset; does the bank need consent based on the secondary use of the data it holds? Is it allowed to identify an individual’s payment behavior, or must the data be anonymized? Is it advisable or mandatory to carry out a Data Privacy Impact Assessment? Can the marketing team access the data for broader purposes, and can the bank even sell the customer data it holds to a third-party?

Let's describe another scenario. A company uses third-party credit scoring to determine future customers' creditworthiness, to the extent that such scores become an integral part of the customer acceptance process. For the most accurate picture, however, that same company seeks to compare a third-party score with other data it can access that reveals, for example, a customer's payment track record. Are companies allowed to process the data of credit scoring services for customer acceptance purposes? Can they share their own data for such purposes? Are there differences between countries with regard to processing and sharing this kind of data? And what does my company's ethical code state about these services?

Moving to intelligent tools and automation

A blanket data privacy policy seldom works; it usually sits on a shelf, gathering dust, or lies forgotten in a virtual drawer. Neither does it work to retrospectively apply personal data compliance checks to a product or campaign that is ready to launch. Building anything in isolation is likely to fail. And this is where technology can help.

Intelligent tools are needed to enable teams to identify and highlight privacy issues —  and determine what is and is not allowed in terms of how personal data is being used —  without them having to have expertise in data privacy and compliance areas. Simple question sets and prompts ease the privacy compliance journey.

These tools support a team's decision-making as they go along, enabling them to sprint with the assurance and confidence that what they are developing will meet the mandatory regulatory and compliance standards required, as well as meeting their own ethical commitments. Should they encounter an issue of particular concern, they can elevate that concern to their Data Privacy Officer (DPO) or legal team much earlier in the process, avoiding the legitimate complaint that many DPOs and their peers have of only ever being consulted when it's too late to do anything about it.

EY is piloting tools that use labeling and rules sets to automate processes around data permissibility. These tools offer interfaces to a wide variety of use cases such as enhancing data sharing across entities, organizations and jurisdictions, enabling advanced analytics, feeding Data Loss Prevention systems and optimizing an organization's data Identity & Access Management controls.

Value of data infographic

Figure 1 - Data value creation architecture

The practical advantages of new intelligent tools

Such tools have many advantages and can be used on their own or in support of already adopted technologies. They do not replace an entire compliance check – such as a Data Privacy Impact Assessment – but they certainly enhance the checks that are already in place and help businesses better understand the challenge of permissibility. At a practical level, they reduce the volume of simple questions that are usually addressed to the DPO. They also embed better thinking and respect for data privacy going forward, supporting the concept of "Privacy by Design." From a commercial perspective, they give the Chief Data Officer greater visibility of the data an organization has and its use. This enables the business to better and more quickly exploit its data, and how such data can be subsequently protected.

Data privacy does not have to be a blocker to future initiatives with personal data at their core. Realizing the true value of data is the ambition — but it can be a short-lived ambition if the groundwork isn't done from the start and the risks and limitations aren't properly understood. Put another way, the road to success rests in leveraging technology that makes life easier for all stakeholders — the agile team, the DPO and the board. The right approach to data privacy unlocks the potential for future value.

Summary

Intelligent tools are being developed that enable teams to identify and highlight privacy issues — and determine what is and isn’t permissible in terms of how personal data is being used — without them having to have any detailed “technical” knowledge of their own. This article looks at the ambition to create value in data without compromising privacy by adopting this new “self-service” style of thinking, and why a blanket data privacy policy seldom works.

About this article

By Tony DeBos

EY Global & EMEIA Data Protection and Privacy Leader

Strong sense of team orientation and innovative vision. Entrepreneur and forward-thinker. Team builder. Sports lover. Husband and father of three.