Creating a Culture of Data Privacy & Protection (An Excerpt)
It fascinates us how few data audit teams we run into, regardless of company size or data asset library depth. Everyone is accustomed to financial audits; the very same principles can be put to work for your data strategy to monitor intrinsic and extrinsic data usage. Data audit teams systematically review and document the usage, access, and financial linkage of data throughout an organization. They are a hybrid between bean counters and data geeks.
Regardless of industry, management can get an enormous benefit from the creation of a data audit team. Customer data, transactional data, financial data, and just about every other silo of data you produce as a business has potential to create value, but this can only be pursued once the right culture and process is in place.
Create this team, or hire a data auditor to create it, and you will immediately increase data protection and privacy focus around the organization. Typically, a data audit team will begin with a review of systems and access logs to identify who is using what. You will be shocked at how much data is accessible by people within your organization that should not have access to it. If you don’t already have a team reviewing all of your log files to track users and access points, then your data audit team will start with that. This is also the first moment where your new data audit team will make some enemies. Usually, some manager “who has always had access before” will be upset that the audit turned up their access and usage. Be prepared for this type of response: it’s a sign that you’ve caught something problematic.
Once the data audit team has used log files to document and then restrict access to data, it continues with an interview process within each division. The goal of internal interviews is to work with the rank-and-file employees to find out what they use data for, whether their use and access is necessary, and how you can better protect the information. Many companies restrict their audit interviews to managers, but this can be counterproductive. When you consider that every newsletter signup, Twitter account, purchase, customer service complaint, and website hit affects several different employees at your company, you realize that those are the people closest to the data and they often have the best understanding of how it is (or is not) used.
Interviews reveal the social hierarchy of data access at your business. There are engineers that have access to every transaction at your company, although they aren’t in sales or accounting. They can see all the transactions, including the financial terms because they built the database in which this data often resides. Even if it is encrypted in storage, these employees typically have also built (and have the keys for) the encryption module. This isn’t necessarily a problem, but it illustrates the types of insight you might get from interviewing an employee who is boastful about their access, or from another employee lamenting their lack thereof. This creates a “God Mode” problem.
Data Audits Root Out God Mode Data Access
We consider “God Mode” to be an approach to data and privacy that subordinates personal autonomy, privacy, and human dignity to a dubious belief that any activity is permissible if it has some commercial utility. The problem with this theory is that it is self-defeating for virtually everyone who employs it. Unrestrained usage of personal data, if uncovered, destroys trust with customers and invites wrath from regulators.
If undiscovered, full access to all customer or supporting datasets leads to the gradual erosion of boundaries about data usage within companies. This can ultimately lead to the costly, unnecessary data hoarding and the problematic “creepy” behavior we’ve discussed before. More than this, “God Mode” creates a sense of separateness that undermines the relationships necessary to build lasting partnerships, both with consumers and other businesses. By creating a data audit team, you can identify all situations where “God Mode” has emerged across your organization and lock it down. We talk about this at length in Data Leverage when we discuss the “dehumanized” approach to using data and its risks.
This type of “god-mode” access was exactly what landed Uber in seriously hot water with the FTC.
Data Audits Directly Impact Revenue (and Loss)
Once the access logs and interviews are all buttoned up, the data audit team will flip around their green visors and determine the financial metrics. This is our favorite part of the process because it so closely aligns with step two of the DataSmart Method, Value. The data audit team will connect access and loss or misappropriation of data to potential financial impacts. For example, one company we worked with had hundreds of salespeople who could provide “free trial” access to a dataset for a period of 30 days. For some datasets, this generates a lead, helps demonstrate value, and engages prospective customers.
The data audit team at this company discovered that there was no process tracking the number of times a customer received a free trial or how many times the free-trial period was extended for an additional 30 days. They tabulated thousands of these additional “months” of access over a period of only one year. At a cost of around $500 per month, these accounts misused data with a value of more than $1 million in one year. Data audit teams always pay for themselves by revealing such activities.
This was more an example of poor sales training than malfeasance. Many times, the data audit team will help with issues in identifying and valuing data, which then leads to better data governance. However, the data audit team also improves the overall corporate culture and attitude toward data security in general. From the day you announce the arrival of a data audit team empowered to review access and usage of all company data assets, you will see employees and practices change. Rats will jump ship and reckless drivers will suddenly position their hands at ten and two.
A Culture of Data Protection
There are many ways to promote a culture of data protection and data privacy in your organization. Unfortunately, it can’t all be carrots. You have to show up with the occasional stick as well. The data audit team helps identify where problems exist, but they are also an excellent way to project the importance of data protection and data privacy policies across your entire organization.
This outline of Data Audit Teams is adapted from our book Data Leverage: Unlocking the Surprising Growth Potential of Data Partnerships released in January of 2019. All rights reserved.
Also published on Medium.