
16 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Over the past two days, I shared the first two lessons I’ve learned, to “Be a counselor” and “Build sustainable solutions,” over the past 15 years of seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The final lesson I’ve learned is that it’s not enough to focus on regulatory compliance, maturity, accountability or even ethics. While all of these are important components of an effective, holistic, progressive approach to managing a program, in order to truly embed privacy and data governance into the functioning of a business, a privacy leader needs to help the business understand the value of data as an asset – as well as the risks associated with that data – not just on the individual project level, but across the organization. In other words, the privacy leader needs to think and speak the language of the business and the way in which the business thinks about successful outcomes. Here are some tips to help get those conversations started.

3.  Maximize net data value. In sharing my first lesson learned, I mentioned that when you are guiding business teams on how to realize the value of the data to their specific projects, you should help them see the corresponding risks associated with not effectively governing and protecting that data. While that can – and should – be done on a project-by-project basis, in order to truly enable the business, the privacy leader should look for opportunities to partner with other data stakeholders in the organization to drive or support a broader data governance strategy for the organization.

a.  Partner for integrated data governance. A broader, holistic data governance strategy that enables an organization to concurrently view data needs, data value and data risks needs to take into consideration not only privacy and data protection-related data responsibilities, but also how those responsibilities align with other information lifecycle management and compliance responsibilities within the organization. Such responsibilities might include financial data, for which the chief financial officer is the primary stakeholder; trade secrets and other intellectual property, for which the chief innovation officer, chief technology officer, research or product leader of the organization is responsible; customer data, for which the chief marketing officer typically is the key stakeholder; e-discovery, for which the general counsel is primarily responsible; administrative, technical and physical risks associated with sensitive, confidential and proprietary business information, which the chief information security officer typically oversees; and compliance program implementation and effectiveness, which the chief ethics and compliance officer monitors and oversees for the organization. Consistent data identification and classification strategies across all of an organization’s data types can inform consistent evaluation of data uses and reuses, benefits and risks.

b.  Consistent data evaluation can drive better business decisions. Establishing an integrated data governance program can not only help organizations understand the benefits and risks of data in a holistic way, it can drive consistent evaluation of the value and costs associated with acquisition, storage, use and reuse of the data. This in turn can inform the business of how effective management of the data is key to driving a range of potential business outcomes and also how to make key business decisions based on that knowledge and understanding. [1] Early work is underway to quantify the value of data as an asset. [2] This work may lead to better assessment of the value of data generated in connection with an innovative new technology, the value of data in a potential divestiture or sale of a line of business, the value of data compromised by a breach and the investments in resources, controls and insurance to preserve that value. Over time, perhaps there will be accounting standards for recognizing most data on an organization’s balance sheet, and for how data contributes to revenue, expense, and net income or loss. For now, however, viewing one’s privacy responsibilities as part of a broader data governance strategy can help earn the privacy leader a seat at the table in strategic discussions about business drivers in addition to discussions about compliance and risk.

[1] See

[2] See Sidgman, J and Crompton, M. Valuing Personal Data to Foster Privacy: A Thought Experiment and Opportunities for Research. Journal of Information Systems: Summer 2016, Vol. 30, No. 2, pp. 169-181.

