Data as a key asset – maximising value and minimising risk in a changing legal landscape
May 2013 | PROFESSIONAL INSIGHT | DATA MANAGEMENT
Financier Worldwide Magazine
Every day, we generate an estimated 2.5 quintillion bytes of data – that’s 2.5 followed by 18 zeros – including 12 terabytes of tweets. Over 90 percent of the data stored in the world today was generated in the last two years.
Searching for value in data
The perceived wisdom, certainly among big data consultants, is that there is significant value in all of this extra data.
Gartner forecasts that the monetisation and exploitation of big data will drive US$34bn of IT spending this year and create 4.4 million IT jobs by 2015.
However, finding the value in data is proving to be more elusive for many organisations. Few organisations have really embraced ‘big data’ as yet. Various reasons are given for the low take-up of big data applications, including a lack of metrics and benchmark price points for data and data applications. In part, this is because the exploitation of big data is still in its infancy – so there are few transactional price points to draw from. Another common reason given for low take-up rates is the reluctance of organisations to share customer data with third parties for fear of losing competitive advantage. There are also significant technical challenges in stitching together old and new databases.
More fundamentally, the sheer volume of data which is now generated and stored by many organisations makes it much harder even to know where to begin extracting value from that data. With more data comes less focus.
Many organisations are also rightly concerned about legal and regulatory risk – a fear which has been heightened by the extensive media coverage of data breach fines and the announcement last week that Google is now facing enforcement action from six different European Member States arising from its merging of customer data from each of its different business lines and changes to the Google privacy policy. The broader legal challenge for big data applications is that regulators are taking a more restrictive view of ‘purpose limitation’, the principle that personal data should not be processed for purposes incompatible with the purposes for which it was originally collected. This is at the heart of the ongoing investigation into Google’s merger of customer data. In addition, the influential Article 29 Working Party, composed of European data protection regulators, concluded in an opinion adopted earlier this month that informed “opt-in” consent will “almost always be required” for tracking and profiling individuals for the purposes of direct marketing, behavioural advertising, data brokering, location-based advertising and digital market research.
Some data successes
Yet, there are examples of successful exploitation of the value in data.
Large brands and e-tailers spend millions on search engine optimisation techniques to improve search engine rankings and to increase sales. The number one search engine ranking is worth considerably more in sales than having the number five ranking.
More controversially from a privacy and data protection compliance perspective, advertising networks have proven, at least to some extent, that the use of cookies, web beacons and analytics tools to monitor customer behaviour across different sites can more effectively target advertising and drive greater sales.
One of the most successful uses of data sharing to date is fraud detection and credit referencing, with the development of sophisticated interconnected networks monitoring suspicious transactions and sharing credit rating information.
A common theme of these success stories is that each has a clear objective as to how data will be exploited for a specific business advantage, which in turn makes it easier for businesses to track the impact on sales or, in the case of fraud detection and credit referencing, on bad debt.
Data as a liability
If data isn’t making money for a business, it will be costing money. Historically, the trend has been to collect as much data as possible on customers with a view to working out what to do with that data at some point in the future. That may have been an acceptable approach when data protection laws were largely toothless, but with the increase in both the level and frequency of fines and sanctions around the world for mishandling data, the proposals for antitrust-style fines in Europe based on a percentage of revenues and the many examples of organisations suffering serious damage to reputation from data breach, collection without clear purpose is a much riskier business model. Much data also has a limited shelf life; its value diminishes over time.
There are also significant costs arising from the storage and management of data, principally from the latter. As data has grown exponentially so have the costs and complexity associated with retrieving data, for example to respond to a disclosure order during litigation or to comply with a subject access request from a data subject.
Data risks are manifold. Security breach and cyber-attacks continue to make headlines. Commissioner Adrian Leppard, head of City of London Police, recently said that online fraud was rising ‘exponentially’, with the largest number of attacks originating from Eastern Europe and Russia. With cyber-attacks and data breach comes the risk of compromising crucial intellectual property assets and trade secrets, the disclosure of customer data and payment details and the disclosure of employee data. The costs of dealing with the fallout of breaches, such as ensuing third-party claims, regulatory investigations and fines, notifications to affected individuals and regulators can run to hundreds of millions for larger security breaches.
Given that regulators have finite resources to prosecute breaches of data protection laws, they tend to focus on the most serious breaches and typically on the larger better known brands, to maximise the deterrent effect. The risk of detection and investigation of breaches may be lower for relatively unknown early stage businesses – but the potential consequences of a breach could be relatively much more severe. Larger organisations may have the assets to be able to recover from a major security breach. For early stage organisations, a breach may prove terminal, particularly if security is a cornerstone of the business, as it is, for example, for enterprise cloud providers.
Usually the most damaging aspect of a security breach to a business is the reputational damage and loss of trust.
Legal compliance risks in data
Organisations which offer services over the internet in a global marketplace have a seemingly limitless number of laws and regulations to comply with. Even within regions such as the European Union where data laws derive from the same common Directives and Regulations, there are significant differences in practice among different Member States and many examples of Member States ‘gold plating’ Directives with additional requirements; data protection laws being a prime example.
Unfortunately, the large volume of law and regulation inevitably leads to a tick-box compliance culture rather than a focus on those risks and liabilities which pose the greatest threat to the business. It also leads to a breakdown in communication between legal and compliance teams and the business. Lawyers are increasingly tied up in the detail rather than being able to add value by identifying and advising the business on what the key legal risks are.
Data protection laws place an emphasis on detailed full disclosure to data subjects about how their data will be gathered and processed. As a result, consumers have been overwhelmed with privacy notices and cookies policies. According to one US study, it would take the average person about 250 working hours or 30 full working days to actually read the privacy policies of the websites they visit each year.
Another core principle of data protection laws is the principle of purpose limitation, meaning that data gathered will only be processed for discrete lawful purposes – and not for any other purposes which are incompatible with the purposes for which the data was originally gathered. This is a challenge for many of the big data initiatives of organisations and underlines the need for organisations to draft privacy policies widely when collecting data. In light of the recent Article 29 Working Party opinion, which concluded that informed opt-in consent will almost always be required for big data applications relying on the tracking or profiling of individuals’ data, organisations embarking on big data projects will need to carefully review existing policies and most probably will need to obtain additional opt-in consents from data subjects. Alternatively, anonymisation may provide a workaround to the need for consents, provided the data cannot be reverse engineered and linked back to an individual.
Data compliance risk is set to increase significantly in Europe as the draft Data Protection Regulation includes proposals for fines of up to 2 percent of annual global turnover for breaches of data protection laws.
Legal risks in data are not confined to data protection laws. Business also needs to ensure compliance with consumer protection laws. For example, the Office of Fair Trading took enforcement action against Handpicked Media for SEO link building practices which contravened transparency requirements for advertorial content. Google frequently demotes brands which are found guilty of ‘unnatural’ link building activities.
These risks are multiplied for businesses offering services directed at multiple jurisdictions.
Maximising value and minimising risk in data
Our exploitation of value in data is still at an early stage of development with relatively few examples of organisations leveraging data to drive value. That said, the examples such as there are would suggest that to successfully exploit value in data, focus is key. Understanding what you want to achieve with data will in turn enable you to be much more precise in terms of the types of data collected.
Focused collection and processing of data also has advantages from a liability standpoint. Put simply, businesses collecting and processing less data have less risk. It also helps data protection compliance as narrower collection and processing is easier to justify.
You therefore need to ensure that the data your business collects is making you money. If not, it is costing you money.
For the majority of businesses there are some basic rules which can help mitigate legal and compliance risk.
Firstly, even though money is tight in the early stages of a business, it is worthwhile to invest in an analysis of the legality of the business plan at an early stage. As with software development, it is much easier and cheaper to fix a legal bug in a business plan before the platform is built and the supply chain contracted. Build privacy compliance into the design of the business.
Secondly, if the business is consumer focused, gathering and processing consumer data, it is easier to become compliant if you create a culture of compliance early on.
Thirdly, consider the following suggestions for prudent data management.
Be transparent with customers about how their data is gathered, how it will be used, who it will be shared with and what protections are in place to ensure its security.
On the one hand, policies should be crafted broadly to avoid immediately tripping up over the principle of purpose limitation – that personal data should not be processed for a purpose incompatible with the purpose for which it was originally gathered. On the other hand, for certain data such as health data, more detailed information will need to be given. Wherever possible, build consents for data collection and processing into the customer on-boarding process. Broad policies aren’t the answer for all processing. If new purposes are very different to the purposes originally anticipated by the data subject when providing their data, further disclosures and in some cases additional consents will be required, for example where additional tracking or profiling is to be undertaken as part of a big data solution.
Ensure that customers have an easy way to exercise their legal rights of access to personal data and to opt out of marketing.
Ensure that marketing suppression lists are implemented and followed and make sure that the business has a complaints handling procedure in place.
The requirement for data to be accurate is currently on the regulators’ hit list. It also makes better business sense to have better quality, more accurate customer data, so ensure that there are procedures in place to vet the accuracy of data and to check that it is kept up to date.
Data security from collection to destruction is of paramount importance.
Overall, in addition to mitigating legal risk and liabilities, these practices should ensure that you maintain high ‘trust equity’ with your customers.
Ross McKean is a partner and head of the global data protection practice at Olswang. He can be contacted on +44(0)20 7067 3378 or by email: ross.mckean@olswang.com.
© Financier Worldwide