There have been few days this year in which some aspect of client data protection has not featured in international news.
The size and potentially devastating effects of data breaches are constantly increasing, and regulatory bodies are continually evolving to develop newer, more relevant and more far-reaching legislation to ensure that organisations are doing everything possible to protect the information and identities of their customers.
The prominent 2006 Uber data breach, which impacted the personal information of 57 million riders and drivers, is a prime example of the risks to businesses and their clients of an IT security failure.
While media coverage of such IT security breaches is very effective in raising awareness of the importance of securing potentially sensitive data, the very generic and non-specific approach to the issues also contributes to a lack of understanding that there are different ways in which information can be used, manipulated or compromised.
Consequently, there is a widespread misperception that the primary danger inherent in a data breach is that clients’ passwords, account details or card numbers will be used for fraudulent purposes. While this is the most obvious, and potentially the most financially harmful impact of data theft, it is by no means the only danger that an organisation’s failure to fully secure its information presents to its clients.
The high-profile Facebook and Cambridge Analytica case is a prime example of how important conduct standards are when customer data is used. In this instance, however, user data was not stolen or illegally accessed, and there was no infiltration of systems, theft of passwords or even access to highly sensitive customer information.
In fact, all appropriate data governance requirements were in place and statistical and advanced analytical techniques were applied correctly. However, the affected users were not informed about that particular use of their data and neither of the parties involved made any effort to understand how the customers would actually perceive their actions.
The universal fallout on the issue perfectly illustrates why there is such an urgent need for global regulatory bodies to take immediate steps towards expanding the regulations that govern the collection and storage of customer data to also include focus on governance requirements of the appropriate use of that data, including a focus on conduct standards.
Arguably more important than such external regulation, though, is the need for organisations to focus on internal governance of their data analytics processes and outcomes. This will help to ensure that the ways they use, share and benefit from customer data and information are secure, ethical, and prioritise the best interests of those customers over revenue generation and efficiency creation models.
This focus on analytics governance demands an understanding by businesses of precisely what it is, and what it isn’t. A cursory glance at the annual reports of the majority of organisations reveals that, in this regard, there is still much work to be done. While most companies have a clear understanding of the need to ensure good governance of their IT frameworks, technical models, data systems and information protection methodologies, very few include analytics and data science governance as a key strategic imperative or business performance indicator.
It’s not difficult to understand how this governance gap has emerged. Today’s fast-changing and increasingly competitive business environment has required that most companies implement highly advanced and rapidly evolving analytic and data science processes and capabilities. So rapid has the analytics ‘revolution’ been that few organisations have even had the time to recognise that these capabilities present significant additional risks, security challenges and ethical considerations that are simply not addressed by their existing governance models.
In addition, it appears as if there is potentially a general lack of understanding of the difference between information governance and data science governance. This has led to instances where organisations are meeting their governance requirements on all these aspects, but need more focus on good governance of data science.
What is urgently needed to bridge this gap is a commitment by organisations to put in place internal governance frameworks that guide the application of data science across the entire business. Organisations can also ensure their culture is correct and that their conduct is then aligned through self-regulation in accordance with the POPIA and GDPR requirements. These requirements go a long way in defining how organisations can protect customers’ data rights, as well as clarifying what must be done to safeguard these rights.
This involves creating a comprehensive ethical and operational framework that ensures that a culture of appropriate use of customer information and data analysis is integrated into the broader enterprise. The implementation of such an organisation-wide data science governance framework must be guided by six key principles.
Firstly, all data science and analytics activities must ultimately focus on helping the business to meet and exceed the needs of its customers. While it can be tempting to leverage customer data as a means of manipulating those customers into acting a certain way or buying a specific product or service, doing so is not necessarily in their best interest or, for that matter, in the best long-term interests of the business. However, good customer data can, and should, be analysed and used to enhance the organisation’s customer value proposition by ensuring that their current and future needs are well met. This is not only an infinitely more ethical approach, it is also one that will contribute to long-term customer loyalty and, in this way, the sustainability of the business concerned.
Secondly, organisations must inculcate a culture of transparency and trust that underpins all their data analytics activities. There must be clear rules around who has privileges to create, access, store, modify, delete and, most importantly, analyse customer data. This is not just a security consideration. A robust data analytics governance framework is a significant business asset because it ensures that the right people, with the right qualifications, are dealing with customer data in the right way – which is key to ensuring a win-win approach to data science.
Then, the organisation needs to ensure that all its data science outputs are 100% trustworthy. This requires a governance system that prioritises the accuracy and quality of data inputs. It also demands a total commitment to testing and retesting – at a quantitative and qualitative level – the precision, accuracy, stability and practicality of the data science methodologies employed in the production of the results. While such practicality is difficult to measure empirically, it must be expressed through the thoughtful and proactive design of the analytics solutions.
For any business to deliver maximum customer benefits from its data science activities, it is essential that it also understands that any person in the organisation who deals with customer data, in any way, is part of that data science ecosystem. As such, it is imperative that those who are end users of data science outputs, including marketing and sales forces, are provided with the full picture regarding the analytics outputs they are expected to use in their customer engagement activities.
Then, it is vital that data science deliverables are proven to be fit for purpose. Simply analysing data because it is available for analysis is not purpose-driven and will never truly benefit the customer. Any data science process must begin with the desired end in mind and be guided by clearly articulated customer and organisational needs. The best data analytics approaches are the ones that start simply, achieve accessible and useable results, and then get gradually more complex and refined over time. Data science is not a quick route to profitability; but it can be a proven journey to effective customer engagement and delivery, which leads to sustainable business growth.
The final data analytics governance principle is that an organisation’s data science framework must be embedded within its risk management and conduct risk framework, and the approach must be managed from the top down. It has to have a champion at executive committee level and must then be proactively driven across the organisation on an enterprise-wide basis. It should also be built on global best practices to ensure it is lean, agile and forward looking. In this way, data science can dovetail with, and effectively inform, an overarching organisational data strategy that links with, and gives effect to, the business plans.
Ultimately, data science governance needs to follow a similar approach to the safety protocols that exist in a number of industries, like construction and vehicle manufacturing. While participants in these industries are guided by regulatory requirements and engineering guidelines, they also have clear and focused customer safety protocols built into their overall safety standards.
In the same way, any business that deals with customer information must have similar customer-focused ‘safety’ standards as part of their end-to-end governance frameworks. Key to the implementation of these standards is the important need for clear roles, responsibilities and accountability of every person involved at every point in the data science value chain of an organisation.
Equally important is the imperative for these analytics ‘safety’ standards to acknowledge the customers’ ownership of their information and their right to always feel secure in terms of how that information is analysed and used by the organisations to which they have entrusted it.
In conclusion, a lack of data science governance will derail any efforts and investments around artificial intelligence and digital transformation, as they are primarily dependent on mature data strategies. These data strategies drive the development of deep and machine learning capabilities which are ethically driven by data science governance.
By Dr Mark Nasila; Chief Analytics Officer: Consumer Banking & Chief Risk Office, First National Bank