Baringa has observed two broad privacy management paradigms emerging within organisations and across industries: value protection and value creation. These are not mutually exclusive and can be used to a firm’s advantage to create value and enhance its brand.
Value protection is very well understood by most firms, as it is typically driven by regulation. Organisations that are further along their privacy capability life cycle will also look to combine value protection with value creation. In this blog we explain the key elements of both and demonstrate how the two can work in harmony.
Understanding the key elements
Value protection aims to converge privacy and information security with a primary focus on risk and control to build and maintain customer trust.
Value creation seeks to optimise privacy and data analytics in order to extract insight, increase data utility, monetise data, and leverage innovation whilst remaining compliant.
Regulation. Privacy, data management and information security have become intertwined in terms of regulation. Regulation safeguards the transparency of data processing activities across silos, such as information security responsibilities for identification, breach prevention, protection, incident detection and response. Regulation may have been the catalyst for value protection, but it also provides the opportunity to monetise data once regulatory frameworks have been established and embedded into a firm's operating model.
Privacy management consists of adapting the various regulations into working privacy policies and procedures, creating privacy champions, training, and implementing tools for classification and rules management. This provides an understanding of the data landscape, including the firm's digital footprint, and is key to the protection of the firm's data as well as enabling value creation.
The privacy maturity journey
Too often firms are not sufficiently clear about immediate priorities, key risk exposures or value drivers. Significant effort is still being expended in meeting perceived regulatory obligations without considering the needs of the organisation and its data journey.
Firms making demonstrable progress in their privacy capabilities generally have:
established an operating model across the Privacy, Information Security and Data Management functions, with initial focus on the most significant areas of exposure;
created clear RACI matrices which define the role each function plays, to understand the nature of the risk, define and implement suitable controls, and ensure appropriate management and oversight exists over the data processing; and
access to clean and trusted data.
Clean and clearly understood data is the linchpin to enable adherence to regulations and open the door to data analytics.
Clearly defined data sets with data lineage provide the opportunity for the Privacy team to promote value creation through insights on up-selling and cross-selling opportunities for the organisation. Knowing where all of the client data is stored across the firm and how that data can be safely monetised, both internally and externally, elevates the Privacy function from a cost centre into a potential profit centre for the business.
Firms with mature privacy capabilities are adept at understanding where secondary processing of personal data may be undertaken and where data will need to be anonymised or processed under a separate lawful basis. This enables firms to optimise their personal data towards the efficient frontier without exposing the business to unnecessary regulatory risk.
The secret to success
As firms progress on their privacy journeys, they should look to ensure tight coordination between the Information Security and Data Management functions to enable value protection and also eliminate any duplication of effort. Firms should encourage stakeholders across the business to promote data mining for value creation based on a clear understanding of the origin and lineage of the data.
Leading organisations design and execute their privacy management initiatives in a way that allows them to adhere to regulations, create value for the business and subsequently make ground against their competition.
Please contact Daniel Golding or Lisa Toth for more information on our privacy practice or how we can help you progress along your privacy journey.