Collect all the data. Store all the data. Once you've got a massive reservoir of data, you'll be able to answer all the questions the business wants to ask, right? Maybe you can even anonymize the data, package it and sell it, driving revenue to the bottom line.
Not so fast. Monetizing that data may well be the right decision for your company, but it's important to recognize that your data may represent a massive liability from a legal and security perspective, says Jennifer L. Rathburn, partner with law firm Quarles & Brady and a specialist in data management, data breach and privacy and cybersecurity issues.
"Anyone who does cybersecurity and data breach work would say never to retain more than the minimum amount that you need because of the risk of a data breach," she says. "It's really a balancing act. Don't just collect all the data you think you want. You have to have a good business justification for collecting it because it can be a liability."
The Value of That Data
It's clear that data initiatives offer myriad opportunities both internally (streamlining processes, customer insight, enabling new products, etc.) and externally (selling data to third parties). As an example of the latter, Rathburn points to Carolinas HealthCare System, which buys patient data (like credit card purchases) as a data source that it uses as part of an initiative to predict and prevent illness.
Such uses have the potential to transform your business, but they also may expose your organization to considerable risk. In a paper published last month, Rathburn and associate Simone Colgan Dunlap note that regulatory issues may just be the tip of the iceberg.
"One of the biggest risks associated with use of big data stems from regulatory issues," they write. "The regulation of data is complex and is shifting rapidly. Accordingly, a critical part of creating a successful data monetization strategy involves understanding regulatory constraints related to data acquisition, use and disclosure."
The U.S., for instance, has a confusing array of federal and state laws that address privacy, mostly by industry. Violation of these laws can result in big fines, criminal penalties or lawsuits.
Rathburn and Colgan also note that the U.S. Federal Trade Commission (FTC) has broadly interpreted its authority under Section 5 of the FTC Act, which empowers it to pursue enforcement actions against entities for "deceptive" or "unfair" practices. These enforcement actions can result in consent decrees that require periodic audits for up to 20 years, with fines for those that find themselves in violation.
"Chances are, if your organization is operating within a regulated industry, you are aware of applicable data privacy requirements," Rathburn and Colgan write. "But, mitigating risk requires organizations to go beyond awareness to developing what the FTC has dubbed 'privacy by design,' or building and periodically re-evaluating workable privacy protections into policies, procedures and products."