By virtually every metric, organizations with more mature information governance practices are better positioned to achieve growth in revenues or profits—and gain stakeholder trust. Four in ten respondents report realizing benefits from data monetization. And half report mature information governance practices. But considering the rush to monetize data and the explosion in concerns about data protection and privacy, there are plenty of risks, seen and unseen, that lie in wait for even the most mature company.
Nine in ten companies say they’ve already started implementing programs to monetize data. Just over four in ten are actually realizing benefits to date.
Turning data into something of value takes several forms: personalizing products and services (for example, a coffee chain or grocery that remembers your preferences and sends targeted ads to your smartphone); improving customer experience (a media streaming company or online learning app that makes recommendations based on your past interactions); offering new services; or improving processes and productivity.
Monetization should be predicated on trust. Consumers, business partners, regulators, employees, Wall Street, the media, the body politic—all have a stake. Not surprisingly, customer trust in personal data protection and privacy is second among the survey respondents’ top five issues to tackle to improve stakeholder trust.
How much can companies be trusted with their use of data—both personally identifiable information and other data? It can seem daunting to gauge that, but we’ve distilled it into four capabilities within a data trust framework: how well a company governs, discovers, protects, and minimizes the data it holds. Data governance is the process, data trust is the outcome: data that decision makers can rely on, data use that is ethical, safe, and trustworthy.
According to our survey, about half are mature in their data trust practices, i.e., they have formalized processes and have fully implemented them. Fifty-one percent report having a combined strategy for different functions responsible for aspects of information governance (privacy, record retention, cyber, data management and others). More than half say they have formal processes to understand where the sensitive and high-value data reside in the organization (54%) and how the data is sourced and moves through the organization (51%). About half protect data sharing within their ecosystems with processes and technologies. Finally, 55% have formalized processes for data retention and elimination (a focus of new regulation such as the California Privacy Rights Act).
We found that companies with more mature data trust practices tend to be ahead in many respects. They realize financial benefits of data monetization via personalized services, greater operational efficiencies and better customer experiences. They strongly agree that higher customer trust leads to demonstrably higher revenue. They've done significant moves in the past year to improve stakeholder trust. And they’re more confident in their third-party risk management program: they do more monitoring of third parties.
Overall, reporting on data security and privacy is heading towards greater transparency. Executives reported significant improvements in four areas: incorporating these risks to overall risk reporting (56%), reporting regularly rather than episodically (53%), providing sufficient detail on earnings and analyst calls (50%) and thorough, in-depth reporting to boards (49%).
Still, there’s plenty of room for growth. While half of the respondents told us they have formal processes in place in relation to information governance, four in ten feel these are only partially implemented and need improvement. And about one in ten have not formalized processes at all.
More importantly, the greater risks with data trust constellate as much around what you don’t know, as around what you do know.
For example, how prepared are companies for a disinformation attack? Disinformation strikes at the heart of stakeholder trust—and in an era of fraying faith in institutions, falsehoods often spread farther, faster and deeper than accurate information. Nine in ten executives in our survey are confident that they’re prepared to defend against a disinformation attack, with 60% saying they’re very confident.
This near-unanimity invites some circumspection, if not outright skepticism. First, not many companies have experienced such an attack yet. Second, a disinformation attack is not like a typical financial fraud or crisis, and cannot be handled in the same way.
There are some frontier angles to consider as well. Does a corporation bear responsibility for what its employees publish—true or false—on social media? To what extent might employees be liable due to actions by (or aimed at) the organization or its senior leadership? Where, if at all, do the lines of responsibility meet? Defending against a disinformation attack, many will find, requires far more cross-functional leaders to work faster together; it requires a playbook that’s rehearsed to the point of muscle memory.
Executives across security, technology, privacy and legal functions begin to formalize information governance processes by answering three key questions: What are the key data that generate advantage for your organization? Where are the key data located? Who has access to the data? This knowledge, continuously updated as the organization evolves, gives your organization’s data trust framework a firm footing.
That framework and its practices are sure to be continually tested. The sheer scope, volume and intimacy of data being surrendered by individuals to connected devices every day is staggering. Data is fueling smarter AI algorithms, which is helping businesses create still better products and experiences that attract more customers who share more data, producing even smarter AI. Responsible AI practices are evolving to govern this tech and to confirm that it’s making accurate, bias-aware decisions and that it’s not violating anyone’s privacy. Newer regulations about data protection and privacy are changing norms, increasingly bending toward stronger exercise of consumer rights and government enforcement. Trust builders are challenging the backbones of systems such as search, advertising and financing, and they’re introducing better ways to protect data and privacy. How are you engaged in thinking creatively about how to improve stakeholder trust in your stewardship of data?
Principal, Cyber, Risk & Regulatory, PwC US
Principal, Cybersecurity, Privacy & Forensics, PwC US
Legal Business Solutions Consulting Co-Leader and US Oversight Board Member, PwC US