Can “data stakeholder” thinking be a winning data privacy strategy for organizations?
By guest writer Debbie Reynolds
In 2020, I created a five-minute video about data privacy and trust. I introduced the notion of the “rise of the individual.” The “rise of the individual” is an expression of the idea that organizations must always consider obligations to their shareholders but must also come to terms with the fact that individuals, as a result of rapidly evolving regulations, now have a more significant stake in how data about them is managed.
Data stakeholders are any individuals for whom organizations hold data that may be subject, currently or in the future, to data privacy or data protection regulations. Thinking of individuals as data stakeholders, not just consumers or data subjects, is the shift businesses must make now to keep up with the growing scale of data privacy regulations worldwide and thrive financially as trust becomes the new gold.
There are three key ways organizations can shift to a data stakeholder strategy to significantly improve their maturity in data privacy, reduce risks and make data privacy a true business advantage.
Make transparency the norm with data stakeholders
As a result of the growing number of data privacy and data protection regulations, organizations often struggle with determining what they should or should not share with data stakeholders. Organizations must come to terms with the fact that data belongs to individuals, while organizations are expected to be good stewards of that data. Just as anyone would think it was unacceptable to put money in a bank and not receive any details about the money in their account, organizations should expect and act as if they are a “data bank” and are holding and securing data assets for individuals. When individuals provide data to organizations, those organizations should develop the mindset that transparency will be the norm now and in the future. In this way, organizations can start moving closer to what is expected of them with almost all data privacy and data protection regulations, no matter where or in what jurisdiction their data stakeholders reside.
Reevaluate data collection and data retention of data stakeholder information
Organizations’ two actions that create the most data privacy and data protection risks are data collection and retention. Although we know organizations can’t eliminate all data collection and data retention, these data risks are significant enough for organizations to reevaluate the data they collect and the data they retain about data stakeholders.
Organizations should ask themselves, “For what purpose are we collecting the data stakeholders’ information?” Often, when companies reevaluate their data collection, they find they are collecting too much data that is not relevant to their business purposes. This revelation should prompt organizations to rethink their data collection and make appropriate changes.
Organizations should also ask: “How long should we retain information about data stakeholders? Data retention is a tough question that does not have an easy answer for organizations. When organizations are clear on the purpose for which data was initially collected, they can then tie data retention periods to the end of the data lifecycle. Data with a low business value often have a high data privacy risk. Right-sizing your data retention will reduce data privacy risks and reduce cybersecurity risks. Reevaluating data collection and data retention can help organizations create more maturity in their data privacy programs while reducing their risks in managing the information of data stakeholders.
Consider how information held by the organization benefits data stakeholders
Organizations that want to make data privacy a true advantage to their bottom line should also ask, “How does the information I hold benefit the data stakeholder?” When organizations possess information about individuals that does not benefit them, this is often a red flag that indicates that this data will create a high risk for organizations and often breeds mistrust by the data stakeholders.
Organizations are very savvy to ask how information about individuals benefits the organization, but not enough organizations ask themselves how the information they hold benefits the data stakeholders. When organizations manage data in a way that does not benefit data stakeholders, they face data privacy or data protection risks and run the risk of losing data stakeholders or creating reputational damage due to a lack of trust.
When organizations use data stakeholder thinking, they can significantly improve their data privacy maturity, build trust and make data privacy a business advantage.