The Blog
GBI CISO Event Half Moon Bay


Be on the lookout for @Tevora's green and black booth @theCISOevent held at the breathtaking @RitzCarlton Half Moon Bay. Bring your business card and leave it with their team for a chance to win a prize!


Data Responsibility

Posted on September 24, 2018 by Christina Whiting, David Grazer


Maintaining Respect in the Process of Delivering Benefit

A plentiful by-product of our digital age, data is described fittingly as the “new oil.” [1] While its creation is perpetual, preservation of this valuable resource is crucial.

But where to start? There are so many topics swirling around the data-as-a-resource discussion – from data ownership, collection, privacy, protection and transparency to the commoditization of data and its strategic advantages. Over the next few months, we’ll explore some of these conversations against the backdrop of data (resource) preservation. We begin here with data responsibility – a topic that’s been placed front and center on the world stage by the European Union General Data Protection Regulation (GDPR), and one that concerns the balance of respecting the data subject in the process of delivering benefit.


Rules and Regulations – What’s in Place?

You’ve heard the saying, “Possession is nine-tenths of the law.” Evidently that applies to data, since many organizations consider that the personal consumer data they collect is, in fact, theirs. After all, they have invested in the acquisition and storage of that data.

Data responsibility, though, extends beyond basic concepts of possession. It implies stewardship and a certain ethical responsibility on the part of the organization. Enforcing that responsibility are a number of formal government and industry policies and regulations which compel the shift of corporations from data owners to data guardians.

For instance, with mandatory data protection as its central tenet, the formal and recently enforced GDPR puts a spotlight on proper data handling as a responsibility of corporations – along with very specific technology and policy requirements.

In the U.S., though, aside from those organizations obligated to comply with GDPR, regulations for companies with regard to privacy and secure handling of data are more fragmented and inconsistent.

There are, of course, the obvious industry-based regulations. For example, healthcare’s HIPAA and financial services’ PCI-DSS require compliance with defined information security, privacy, and accessibility standards for organizations that handle personally identifiable information (PII), protected health information (PHI) and credit cards. There also are state-level initiatives such as the proposed California Consumer Privacy Act.

But recently publicized U.S. data breaches and information-sharing raised questions and highlighted the gaps in our laws with regard to data ownership, and the discussion is now elevated to the federal level. The resulting proposed GDPR-esque government regulations introduced earlier this year “would give consumers the right to opt out of data tracking and collection, give them more control over their data, require terms of service documents to be written in plain language and allow consumers to see what information of theirs has been collected and shared.”

To reference a famous Spider-Man quote (or Voltaire, depending on your preferred source), “With great power comes great responsibility.” It’s a statement that couldn’t be more appropriate with regard to how organizations choose to wield their data power. With GDPR now in effect and broader U.S. governance a possibility, we have yet to see how data responsibility can be achieved. Is it a top-down legal push? A bottom-up groundswell from consumers? Or some combination of both?


Social Impacts

A subset of the data responsibility conversation, social responsibility is coming to the fore as governments and industries recognize the potential of the data in their charge – not just for their own benefit, but for the benefit of the greater good.

There are many stories of companies who have embraced their social responsibility and shared their proprietary data – and in some cases, saved lives. After the 2015 Nepal earthquake devastated the area, for instance, the country’s largest mobile operator, Ncell, shared its mobile data “in an aggregated, de-identified [form]” with the Swedish non-profit, Flowminder, who in turn used the data to create real-time maps of population movements in the area. The maps “allowed the government and humanitarian organizations to better target aid and relief to affected communities, thus maximizing the impact of their efforts.” 

According to IBM’s CEO Ginni Rometty, only 20 percent of the world’s collected data is searchable – 80 percent resides in proprietary databases in organizations around the globe. [5] Imagine the potential if that data resource could be tapped, shared and applied to improve public service design and delivery (e.g., transportation), to track poverty, to predict crises such as droughts for early intervention, and more.


Achieving a Balance

In the end, whether the benefits of data are being applied to a commercial purpose or humanitarian effort, organizations have a responsibility to respect the data subject in the process of delivering benefit. One shouldn’t outweigh the other. For the moment, though, how that delicate balance of data responsibility is best realized – through legal measures, consumer uprising, or a combination of both – is still playing out.


About the Author

Christina Whiting is the managing director of privacy, enterprise risk and compliance at Tevora.
David Grazer is the privacy practice lead at Tevora.


REFERENCES valuable-resource



Data Commoditization and Transparency

Posted on October 30, 2018 by Christina Whiting, David Grazer


Steering Data Use with Integrity

In our modern technology-driven world, “virtually every activity creates a digital trace.” That digital trace is data, the abundant derivative of our digital age and the world’s newest precious resource.

For the moment, this commodity is free for the taking with only a handful of fragmented regulations associated with its ownership, use and protection. And much like the forty-niners of the California Gold Rush, companies are scrambling to claim, mine, and sell as much of this new resource as they can get their hands on.

As history has shown us, misuse of unregulated resources can quickly lead to manipulation, monopolization and devastation. Fortunately, the historical outcomes and lessons learned can serve as a helpful framework for developing a plan now that allows us to utilize data ethically and responsibly, as we discussed in part one of this three-part blog series on data.

But the parameters for responsible data use, rights, ownership, security and privacy are not yet defined, implemented and enforced consistently across industries and around the globe. In the meantime, we need to be cautious of our short-term impact on this resource and, in Tristan Harris-esque fashion, steer its use by conscience rather than solely for economic gain.

In this second installment of our data blog series, we examine how data collection, mining and commoditization can be acceptable, appropriate and drive real value – when done with transparency.


The Drivers Behind Data Collection

Data as an industry has been around for a while. Traditional list brokers, for example, have solicited their aggregated data wares to marketers since the early days of direct marketing.

It didn’t take long, though, for other organizations to recognize that the data they collected through the course of business – customer information, transaction history, seasonal trends and more – held real value. Companies could use their first-party data, for instance, to connect in meaningful ways with their bases, gain competitive advantage by deriving insights into trends, and surface new revenue streams. Their information also held value for others, and companies could gain financially by selling their data to partners, list brokers and other third-party vendors.

This recognition of data’s value, the promise of Big Data and technologies including cloud storage and advances in data analytics all have encouraged the collection of consumer data – even when there’s no specific plan for its use.


Removing The Cloak

Data collection often is done under the cloak of convoluted legalese that a grandparent can’t understand. While shrouded data practices may provide companies with short-term control, “…users can’t trust you if they don’t understand what you’re up to,” and long-term benefits are jeopardized.

But 2018 already has brought some winds of change. The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (the “Act”) are pioneering the shift to consumer empowerment – and the longer-term preservation of the data resource in the digital age. Companies obligated under either GDPR or the Act that want to use data must disclose the types of data they collect and limit use to the context of the permission granted.

These regulations are demonstrating that it IS possible for companies – even those who are not obligated under specific regulations – to collect, mine and sell data appropriately, and to drive outcomes and innovations that benefit both users AND companies.

Transparency around data practices, though, is the key. Not only does transparency build consumer trust, it also commits companies to defining their data use and, ultimately, doing so at a higher and, dare we say, more ethical level.


Balancing the Outcomes

There is a correlation between consumer trust and their willingness to share data. With increased transparency and outcomes that benefit both the users and the companies, data collection is an easier pill for consumers to swallow.

There are, of course, the traditional marketing-based objectives of data collection that arguably result in shared company-consumer benefits – including more relevance in marketing such as online ads prompted by searches and purchase history, and product innovations that prompt exercise and feed interests.

Other outcomes are more innovative and contribute benefits that resonate on a deeper level. Genome sequencing in healthcare, for instance, uses collected samples of DNA data and is becoming an important tool in guiding therapeutic intervention, in vitro fertilization, and preventing disease.

Not surprisingly, newer technologies are helping to enable data outcomes while ensuring critical data privacy. Homomorphic encryption enables companies to share data with companies that can perform mathematical computations and analysis on encrypted information without decrypting or compromising the source data. Differential privacy methods, for example, inject “noise” into data sets to enable similar computations while protecting the source information.
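The noise-injection idea described above, as an added example (not from the original post or from Tevora): the Laplace mechanism applied to a counting query, with a total epsilon budget that each query spends. The record layout, class name and epsilon values are assumptions made for illustration.

```python
import random

# Constructed sample data: 1000 subscriber records, 250 of them in district "A".
RECORDS = [{"id": i, "district": "A" if i % 4 == 0 else "B"} for i in range(1000)]


class PrivateCounter:
    """Answers counting queries with Laplace noise under a total epsilon budget.

    Illustration only: real deployments use a vetted differential-privacy
    library and a cryptographic RNG; random.Random is used here so the
    demonstration is reproducible.
    """

    def __init__(self, records, total_epsilon, seed=None):
        self._records = list(records)
        self.remaining = float(total_epsilon)
        self._rng = random.Random(seed)

    def _laplace(self, scale):
        # The difference of two i.i.d. exponentials is Laplace(0, scale).
        rate = 1.0 / scale
        return self._rng.expovariate(rate) - self._rng.expovariate(rate)

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            # Sequential composition: every answer spends budget, so once it
            # is gone the data set must not be queried again.
            raise RuntimeError("privacy budget exhausted")
        self.remaining -= epsilon
        true_count = sum(1 for r in self._records if predicate(r))
        # One person joining or leaving changes a count by at most 1
        # (sensitivity 1), so the noise scale is 1 / epsilon.
        return true_count + self._laplace(1.0 / epsilon)


def in_district_a(record):
    return record["district"] == "A"


if __name__ == "__main__":
    counter = PrivateCounter(RECORDS, total_epsilon=1.0, seed=7)
    print("noisy count:", round(counter.count(in_district_a, 0.5), 2))
    print("budget left:", counter.remaining)
```

A smaller epsilon gives stronger protection for each individual and a noisier answer; the budget check is what stops an analyst from averaging the noise away by repeating the same query.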



Whether enforced by law or conscience, transparency enables a more appropriate and balanced approach to data commoditization. This translates to improved trust between data subjects and companies as well as outcomes that are balanced and innovative. Further, it sets the groundwork for a solid long-term plan for tapping into our valuable data resource without exploiting it – or the data subjects. Assurances like these will let companies stand out from the crowd and retain customers as they innovate.


About the Author
Christina Whiting is the managing director of privacy, enterprise risk and compliance at Tevora.

David Grazer is the privacy practice lead at Tevora.



