At a glance
It’s been said that “data is the new oil”, representing an untapped, immensely valuable asset.
This captures the idea that the 21st century data explosion would power modern organisations like a new fuel source, driving innovation and growth. Perhaps it could even create new revenue streams.
Yet many organisations have found that, while data can be a gold mine of business insight, it can also become a major liability. It can put customer goodwill and business reputation at serious risk.
In other words, the valuable “new oil” can also become artery-clogging “trans fat”. In that sense, it can increase the risk of organisational heart attack or stroke, because of poor governance and careless handling.
Daragh O Brien, founder and managing director of Irish data consultancy Castlebridge, sees data as more analogous to J.R.R. Tolkien’s fantasy epic The Lord of the Rings.
O Brien, who is also a lecturer with the UCD Sutherland School of Law, says many organisations can become like the creature Gollum, who fixates on owning the ring whatever the cost.
In business, this takes the form of collecting and storing ever-increasing amounts of data as an end in itself. The “precious” data hoard may never be adequately leveraged for business use. Eventually, its sheer volume becomes a liability and an organisational risk.
“The key challenge for organisations is to switch out of that mindset and think about data actively and realise they have accrued an incredible amount of internal debt,” says O Brien.
“Data might be an asset on one side of the balance sheet. On the other side, there’s the debt that has been incurred gathering the data, in terms of poor documentation of processes and procedures, and basic things like the definition of data concepts.”
O Brien offers an example. A company he worked with had expanded and changed its business model without thinking about all the data it was acquiring. While the company had customer data, it was unable to do a reliable or accurate search for customer addresses.
Investigations revealed that addresses were stored in 23 places within company systems. There was no single point of truth for the customer relationship management (CRM) system to point to and look for an address.
“They hadn’t thought about the data in a structured and strategic fashion,” says O Brien. “They were just bolting bits on and adding new screens onto their systems in an ad hoc way.”
Ultimately, this is a human issue, not a technology issue, O Brien says. Just as developing and maintaining fitness means investing in habits and mindset as much as in a gym membership, getting “data fit” means tackling bad organisational habits and mindsets about data.
He makes a distinction between data ownership and stewardship. The latter is a more productive mindset because it makes organisations think harder about whose data is being used.
It also forces organisations to consider which stakeholders are using it – from point-of-sale systems to financial analysis and marketing teams.
The elephant in the (server) room
Ben Henshall, regional vice-president and general manager Australia and New Zealand at data virtualisation company Denodo, points to another serious issue with data.
“In the data management world, there is this really big ‘elephant in the room’ called ‘data replication’,” says Henshall.
“Data gets moved around and stored in different formats and in different areas.”
According to the US-based Customer Data Platform Institute, large corporates have an average of 400 data sources. In addition, large financial institutions may be running up to 4000 applications, all of them creating their own data streams.
“The cloud is yet another repository that’s yet another place where data is replicated and stored for the purpose of being potentially analysed or used,” Henshall adds.
Replication not only bloats an organisation’s data profile, but also makes it more vulnerable to security breaches and malicious attacks.
“That doesn’t even include what we call ‘last mile’ data copying in Excel spreadsheets,” Henshall adds.
“Spreadsheets get copied and moved around, which increases replication and the surface attack area, and creates long-term operational and engineering issues.
“Every time you copy data and move it around, you’ve then got to try and protect it, store it and manage it,” Henshall says.
Privacy under the microscope
Several major breaches have put data privacy into sharp focus. A review of the Privacy Act 1988 commenced in 2020, prompted by privacy recommendations contained in the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry final report in 2019.
These recommendations included updating the “personal information” definition and strengthening notification requirements, consent requirements and pro-consumer defaults, as well as introducing stiffer penalties for breaching the Act.
Angelene Falk, the Australian Information and Privacy Commissioner, says her organisation’s recommendations to the review of the Act have centred on increased accountability for regulated entities.
This included a “positive obligation” for the collection, use and disclosure of personal information to be “fair and reasonable in the circumstances”.
“The ‘fair and reasonable’ test would provide a baseline of protection,” says Falk.
“It would allow individuals to engage with products and services with confidence that, like a food or building safety standard, privacy protection is a given.”
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 was rushed through federal parliament in December 2022, increasing maximum penalties for breaches of the Privacy Act to A$50 million. This is three times the benefit from the misuse of data, or 30 per cent of a company’s turnover in 12 months during the relevant period.
Even before these changes, however, the Act required organisations to destroy or anonymise personal information when no longer needed.
According to Magdalena Blanch-de Wilt, special counsel with insurance and dispute resolution firm Wotton+Kearney, while laws and regulation are part of the solution, they will always lag the technology.
Organisations continue to have a legitimate interest in collecting data, but a lack of rigorous guidance around how to handle it remains.
Australia does not have a set of mandatory data protection standards and only limited guidance on what can be legitimately collected and retained. Organisations have been “left to work out for themselves whether or not what they are doing is enough”, says Blanch-de Wilt.
Calls for data governance
With increased focus on the risks of data, rather than just on its opportunities, momentum for better governance and cleaner – and leaner – datasets is gathering pace.
Data will not stop being valuable. However, the inevitable consequences of data breaches, together with growing consumer expectations around the security and privacy of their data, will hold organisations to a higher standard.
“Some organisations will still find themselves sitting on ‘poison’ if they’re not prepared to up their game on governance and compliance and customer transparency,” warns Blanch-de Wilt.
“Whereas others that marry that commercial objective with a healthy approach to governance, compliance and risk could end up being quite successful. There is a good news story in this and there is a way to navigate this path.”