There have been few days this year in which some aspect of client data protection has not featured in international news. The size and potentially devastating effects of data breaches are constantly increasing, and regulatory bodies are continually evolving to develop newer, more relevant and more far-reaching legislation to ensure that organisations are doing everything possible to protect the information and identities of their customers.

The prominent 2016 Uber data breach, which impacted the personal information of 57 million riders and drivers, is a prime example of the risks to businesses and their clients of an IT security failure.

Information security breaches

While media coverage of such IT security breaches is very effective in raising awareness of the importance of securing potentially sensitive data, the very generic and non-specific approach to the issues also contributes to a lack of understanding that there are different ways in which information can be used, manipulated or compromised.

Consequently, there is a widespread misconception that the primary danger inherent in a data breach is that clients’ passwords, account details or card numbers will be used for fraudulent purposes. While this is the most obvious, and potentially the most financially harmful, impact of data theft, it is by no means the only danger that an organisation’s failure to fully secure its information presents to its clients.

The high-profile Facebook and Cambridge Analytica case is a prime example of how important conduct standards are when customer data is used. In this instance, however, user data was not stolen or illegally accessed, and there was no infiltration of systems, theft of passwords or even access to highly sensitive customer information.

In fact, all appropriate data governance requirements were in place and statistical and advanced analytical techniques were applied correctly. However, the affected users were not informed about that particular use of their data, and neither of the parties involved made any effort to understand how the customers would actually perceive their actions.

Data protection regulation

The universal fallout on the issue perfectly illustrates why there is such an urgent need for global regulatory bodies to take immediate steps towards expanding the regulations that govern the collection and storage of customer data to also include a focus on governance requirements for the appropriate use of that data, including a focus on conduct standards.

Arguably more important than such external regulation, though, is the need for organisations to focus on internal governance of their data analytics processes and outcomes. This will help to ensure that the ways they use, share and benefit from customer data and information are secure and ethical, and prioritise the best interests of those customers over revenue generation and efficiency creation models.

This focus on analytics governance demands an understanding by businesses of precisely what it is, and what it isn’t. A cursory glance at the annual reports of the majority of organisations reveals that, in this regard, there is still much work to be done. While most companies have a clear understanding of the need to ensure good governance of their IT frameworks, technical models, data systems and information protection methodologies, very few include analytics and data science governance as a key strategic imperative or business performance indicator.

It’s not difficult to understand how this governance gap has emerged. Today’s fast-changing and increasingly competitive business environment has required that most companies implement highly advanced and rapidly evolving analytic and data science processes and capabilities. So rapid has the analytics ‘revolution’ been that few organisations have even had the time to recognise that these capabilities present significant additional risks, security challenges and ethical considerations that are simply not addressed by their existing governance models.

Information governance vs Data science governance

In addition, it appears as if there is potentially a general lack of understanding of the difference between information governance and data science governance. This has led to instances where organisations are meeting their governance requirements on all these aspects, but need more focus on good governance of data science.

What is urgently needed to bridge this gap is a commitment by organisations to put in place internal governance frameworks that guide the application of data science across the entire business. Organisations can also ensure their culture is correct and that their conduct is then aligned through self-regulation in accordance with the POPIA and GDPR requirements. These requirements go a long way in defining how organisations can protect customers’ data rights, as well as clarifying what must be done to safeguard these rights.

This involves creating a comprehensive ethical and operational framework that ensures that a culture of appropriate use of customer information and data analysis is integrated into the broader enterprise. The implementation of such an organisation-wide data science governance framework must be guided by six key principles.

Firstly, all data science and analytics activities must ultimately focus on helping the business to meet and exceed the needs of its customers. While it can be tempting to leverage customer data as a means of manipulating those customers into acting a certain way or buying a specific product or service, doing so is not necessarily in their best interest or, for that matter, in the best long-term interests of the business. However, good customer data can, and should, be analysed and used to enhance the organisation’s customer value proposition by ensuring that their current and future needs are well met. This is not only an infinitely more ethical approach, it is also one that will contribute to long-term customer loyalty and, in this way, the sustainability of the business concerned.

Secondly, organisations must inculcate a culture of transparency and trust that underpins all their data analytics activities. There must be clear rules around who has privileges to create, access, store, modify, delete and, most importantly, analyse customer data. This is not just a security consideration. A robust data analytics governance framework is a significant business asset because it ensures that the right people, with the right qualifications, are dealing with customer data in the right way – which is key to ensuring a win-win approach to data science.

Then, the organisation needs to ensure that all its data science outputs are 100% trustworthy. This requires a governance system that prioritises the accuracy and quality of data inputs. It also demands a total commitment to testing and retesting - at a quantitative and qualitative level - the precision, accuracy, stability and practicality of the data science methodologies employed in the production of the results. While such practicality is difficult to measure empirically, it must be expressed through the thoughtful and proactive design of the analytics solutions.

For any business to deliver maximum customer benefits from its data science activities, it is essential that it also understands that any person in the organisation who deals with customer data, in any way, is part of that data science ecosystem. As such, it is imperative that those who are end users of data science outputs, including marketing and sales forces, are provided with the full picture regarding the analytics outputs they are expected to use in their customer engagement activities.

Then, it is vital that data science deliverables are proven to be fit for purpose. Simply analysing data because it is available for analysis is not purpose-driven and will never truly benefit the customer. Any data science process must begin with the desired end in mind and be guided by clearly articulated customer and organisational needs. The best data analytics approaches are the ones that start simply, achieve accessible and useable results, and then get gradually more complex and refined over time. Data science is not a quick route to profitability; but it can be a proven journey to effective customer engagement and delivery, which leads to sustainable business growth.

The final data analytics governance principle is that an organisation’s data science framework must be embedded within the risk management and conduct risk framework of the organisation, and the approach must be managed from the top down. It has to have a champion at executive committee level and must then be proactively driven across the organisation on an enterprise-wide basis. It should also be built on global best practices to ensure it is lean, agile and forward-looking. In this way, data science can dovetail with, and effectively inform, an overarching organisational data strategy that links with, and gives effect to, the business plans.

Ultimately, data science governance needs to follow a similar approach to the safety protocols that exist in a number of industries, like construction and vehicle manufacturing. While participants in these industries are guided by regulatory requirements and engineering guidelines, they also have clear and focused customer safety protocols built into their overall safety standards. In the same way, any business that deals with customer information must have similar customer-focused ‘safety’ standards as part of their end-to-end governance frameworks. Key to the implementation of these standards is the important need for clear roles, responsibilities and accountability of every person involved at every point in the data science value chain of an organisation.

Equally important is the imperative for these analytics ‘safety’ standards to acknowledge the customers’ ownership of their information and their right to always feel secure in terms of how that information is analysed and used by the organisations to which they have entrusted it.

In conclusion, a lack of data science governance will derail any efforts and investments around artificial intelligence and digital transformation, as they are primarily dependent on mature data strategies. These data strategies drive the development of deep and machine learning capabilities which are ethically driven by data science governance.


Cover image credit: Sample data breach notification filed by Uber with the state of California on 22 November 2018.