Companies should focus on using data for innovation, as well as protecting it, finds study

Out-Law News | 19 Jun 2014 | 9:43 am | 3 min. read

Putting in place measures to protect information should not be a barrier to the use of that information in innovative ways, according to a new report, which has found that companies place more emphasis on protecting data than making use of it.

A study by PwC and information management company Iron Mountain found that most medium-sized businesses rate protecting the data they hold from being compromised as a higher priority than using the information to develop new products and services faster.

In a new report, which charted the results of a survey of 1,200 medium sized businesses based in Canada, France, Germany, Hungary, the Netherlands, Spain, the UK, Norway and the US, found that using information to drive innovation was a much lower priority for companies than avoiding a data breach or litigation and fines due to regulatory non-compliance.

However, the report said that good information governance should allow companies to protect the information they are responsible for, ensure their use of data is lawful, as well as harness it for innovative purposes.

"In defining requirements, management have the opportunity to use governance to drive improvement and to identify information needs for the future," the report said. "To ask questions like 'if we had this information, could we make that strategic decision?” This is the upside of governance, enabling organisations to do what they can’t do now and to seize the opportunities in the digital economy."

"[Businesses should] engage with the key business stakeholders in developing an information management strategy which can support growth of and promote an open/sharing culture while maintaining a level of protection over important information assets," it said.

IT contracts law expert Clare Murray of Pinsent Masons, the law firm behind Out-Law.com, said that making effective use of the data at their disposal is becoming increasingly important to businesses.

"Data and in particular consumers' personal data is increasingly being used to deliver innovative new products and services and tailored offerings to consumers," Murray said. "With leading global organisations disrupting traditional markets by making new uses of data and analytics the onus has been on long-standing companies in those markets to improve their own way of using data at their disposal."

"However, as well as being concerned with whether their use of data complies with data protection laws and other industry-specific regulations, such as those that apply in the financial services sector, businesses are also nervous about doing things with data that may jeopardise their brand and consumers' perception of that brand, even if the use of the data is lawful," she said.

Murray said that a younger generation may be more open to sharing their data to benefit from improved and even personalised products and services, but that businesses will generally need to win over public confidence about their handling of information if they wish to use the data for innovative purposes.

"Businesses can win that trust by getting to understand their customers and their customers' perception of their brand and by ensuring that they communicate openly with them about what they are doing with their data, why they are doing it and the benefits for those individuals. Good information governance will help businesses avoid regulatory pitfalls and risks but also help them tap into the wealth of data at their disposal and meet challenges posed in increasingly competitive and converging markets," Murray said.

According to the PwC and Iron Mountain report, however, many businesses have taken "insufficient action ... to drive the necessary risk assessments and controls design and monitoring that is needed for effective information governance". This is despite the fact many companies have developed information governance policies and have "emerging governance capabilities".

Among the failures in action recorded in the survey was a finding that most businesses fail to assess the effectiveness of information risk training after the training has been completed. In addition, fewer than half of European and North American companies "have a fully monitored information risk strategy in place". "Such a strategy is fundamental to the appropriate level of protection to mitigate the threat of data breaches, leaks and thefts," the report said.

The "growing gap" between the policies and commitments of businesses on information governance and the "practical action" should worry companies because not only could they be exposed to data security risks, it may also mean that they fail to harness the data they hold as effectively as they could, the report said.

"Whilst this gap between stated commitments and practical action is contributing to a greater exposure to information risks, it is also restricting the extent to which mid-market businesses can effectively utilise their information as a valuable and, potentially, a market-distinguishing asset," it said.

The companies that are getting information governance right are doing a number of things that most businesses are not, the report said. The measures include "monitoring and evaluating their information risk policies, processes and programmes; managing their paper information better; [and] establishing distinct teams/people to manage digital and paper information".

In addition, those "front-runners" are using their data to reach new customers rather than focusing on avoid breaches and are calculating the return they get on investing in the information they hold, it said.

The companies are also putting a "greater focus" on data analytics and deploying other skills appropriately, generating faster and more efficient product development cycles and are "creating an appropriate analytical environment" to ensure they retain all appropriate data where it is needed, the report said.