I’ll let you in on a (poorly kept) secret: The use of advanced analytics and other AI-powered capabilities that help users manage and interrogate data isn't new. The practice has been around far longer than the current bubble of hype surrounding AI has been inflating.

What has changed more recently has been the public's degree of awareness surrounding this approach. (Scandals such as Cambridge Analytica, the latest Facebook data breach, and debates about the use of facial recognition has sparked a significant furor.) In many cases, it boils down to the type of data used by AI. But no matter how sophisticated the analytic or AI, without data it cannot do anything.

True data protection demands more than just regulation 

As is often the case, this oversimplification of data runs into a big, complicated problem: The Pandora’s box (of data) has already been opened. Exabytes (or 1 billion gigabytes) of data reside across the global IT landscape, and anyone who has ever conducted a data mapping exercise knows how tough it is to track down and classify even modest stores of data. Data is all around us—from internet browsing, geolocation, digital CCTV, social media, and smart devices to the vast networks that connect them and the underlying systems that administer it all. The scale of data potentially available for use is perhaps already beyond our ability to effectively govern.

Does this mean we should throw our collective hands up and accept there is nothing to be done about it? Of course, the answer is no. I, for one, will admit to an occasional concern about the vastness of the issue and the volume of work required to tackle it.

Legislation is just one part of the puzzle

There has been significant movement on legislation designed to protect individuals’ data and how it is used. Some of the best known legislation includes the European Union’s General Data Protection Regulation (GDPR) and the recent California Consumer Privacy Act (CCPA); Japan has similar legislation in the form of the Act on the Protection of Personal Information. We expect to see more enhancements and further legislation in the near future. These efforts are welcomed, but do not necessarily align with the reality of how data is created, stored, and used—a reality that is not in concert with borders, creating uncertainty about legal jurisdiction.

There is another, less talked about issue: “Just because we can, should we?” The art of the possible—in terms of data sourcing, analysis, and actions that can be taken from that—continues to expand at breakneck speed. While I am certainly not an expert in legislation, my impression is that technology’s speed of development outpaces the ability of laws to keep up. As a result, principles enshrined in law are important, since they can enable the protection of personal data without relying on specific reference to current technological capabilities. This could include adopting an “opt-in” rather than an “opt-out” approach to the use of customers’ data.

Trust brings benefits for customers and companies

Many organizations must change their focus from compliance and risk aversion to opportunity and value creation. In many businesses, the management of data in accordance with regulatory standards falls under the aegis of compliance programs; the rationale for such programs is typically the avoidance of risks. This rarely creates cheerleading enthusiasm for spending on these programs, but viewing the exercise in a different light can deliver multiple, value-adding benefits.

• Businesses viewed as trusted custodians of customers’ data will perform better.

Leading in privacy is becoming its own currency. We already see advertising campaigns focused on this, and more businesses are relying on this concept to help drive business. For example, those who do not meet public expectations will find themselves at a substantial disadvantage.

• Understanding how data can (and cannot) be used enables more uses. 

Although it seems counterintuitive, creating a complete understanding and enforcement of good data practices (e.g., ensuring data is not just physically secured, but that users understand how data may be used, along with protection that backs that up) enables data to be more available for use. Clarity about what data an organization stores, where it is stored, and what it can be used for is at the core of many compliance programs. The fact that it can enable use cases by growing data’s visibility for use—and confidence in that use—are often overlooked benefits.

It is worth noting that the value of trust is not just something that concerns customers; it is increasingly seen as part of an organization’s culture, and therefore of great interest to employees as well. Developing a culture of trust when it comes to how data is used helps businesses motivate and retain their employees. 

Building a culture that supports data trust

With all these points in mind, what practical steps can be taken to build from a starting point of compliance to a data culture that fosters trust with customers, partners, and employees? I suggest a three-step approach that starts with a foundation of technology-enforced compliance, continues with the enhancement of compliance through the addition of corporate standards, and finishes with forging a culture that puts conscious use of data at its core.

1. 1. Acquire and build technology with built-in compliance. It may be obvious to say: At a bare minimum, organizations must comply with relevant legal requirements. These types of requirements are not new to data professionals, although the volume of requirements is growing. There are long-standing requirements regarding the retention of certain types of information, such as medical records. Regardless of requirements or the use case, relevant compliance requirements must be baked into the software and should be pushed as far down the technology stack as physically possible to enable its use across projects. This approach builds in safeguards to help prevent the misuse of data and should be combined with software that searches data stores to identify potentially sensitive information, such as personally identifiable information (PII).
   2. Enhance compliance with corporate standards. Bare minimum compliance with non-comprehensive legal requirements does not send a strong message to customers and partners about an organization’s commitment to the appropriate use of data. Corporate governance and culture initiatives that guide an organization’s approach to how it treats its customers and partners should play an active role in how it uses information. For example, treating customers fairly is a key tenet for a majority of businesses and enhances compliance through a more thoughtful approach to data use.
   3. Make the appropriate use of data a part of your company’s culture. The use of data in an appropriate way (not just securely and in line with compliance requirements) is a shared responsibility in any organization and should form part of both corporate governance and culture programs. I, among others, have long proposed a simple test for projects involving data use: If the data project appeared on the front page of a major publication, would your company, its customers, and stockholders be okay with that? Just because something is technically possible and not prohibited does not mean that it will be met with approval. 

For organizations that achieve each of these steps, the protection of data should become a self-enforced cycle. Where compliance standards do not specify that a particular use is not allowed, a culture of appropriate data use should help manage that situation. When an individual—even inadvertently—attempts to misuse data, technology-based compliance software and guides can help minimize risk.

The opportunity to benefit from growing trust with customers, partners, and employees is clear. While the universe of data continues to expand, and technologies that exploit it advance, so too must the regulations, principles, and culture that govern its use.