Will The Real Data Owner Please Stand Up?

In theory, it is easy for an organisation to know who "owns" and "controls" its data. Research suggests this position is not easy to achieve in practice. In this article we examine the practical link between great data ownership and data protection compliance.

The research

Stibo Systems, a software supplier, conducted a big data survey around how organisations structure their 'ownership' of data.

They uncovered a confused picture:

  • When senior managers were asked who owns their organisation’s data 61% said IT, 21% said Finance, 9% didn't know and 7% said Marketing.
  • Somewhat concerningly, nearly 10% of senior people surveyed were unsure who “really owned” the data.
  • 40% of Finance heads felt they owned the business’ data.
  • 73% of the IT Heads questioned believed they owned the data.
  • On top of the above, one third of all respondents (34%) admitted that they did not know what the company does with its Big Data.
  • Almost half of Marketing Heads are unaware of what the company does with its Big Data (perhaps unsurprising if IT own the data in many organisations, but concerning given how central marketing is to customer-driven big data initiatives).
  • Three quarters of IT Heads knew what the organisation was doing with its Big Data (probably because they own it in the majority of cases!)

What does this picture tell us?

Stibo's main line is that data should be 'owned' within an organisation by the divisions that are most likely to use it commercially to add value. So customer data should be owned by Marketing, employee data by HR, and so on. IT should not be data owners. This view is generally accepted good practice, and having seen it at work in some clients, it is one we agree with.

There are some deeper matters at stake here for anyone interested in the law though:

Ambiguity in ownership raises questions as to who is accountable for legal compliance

In our experience, weak accountability tends to mean no or ineffective compliance on the ground.

Organisational clarity about what you do with data is essential.

Admittedly, not every person has to have this clarity, but it must exist somewhere, and that place must be generally known. Someone must know the 'who, what, when, where, how' of all things data including what comes in and from where, where and how it is stored, where and how it is used, and where it then goes (including who it is shared with).

The more fragmented and fluid this organisational knowledge, the harder compliance is to administer. If you are not on top of it, you can find yourself in breach of the Data Protection Act 1998 inadvertently, not least because drawing up an accurate privacy policy becomes nigh on impossible. More worryingly, comprehensive, consistent, end-to-end security becomes very hard as well.

In our experience, such clarity is hard to achieve, especially in large complex organisations where immediate focus is on other matters, such as (in the case of marketing teams) getting more data in.

Its fundamental role as a building block of compliance has long been recognised though, not least as it forms a core tenet of the relevant British Standard for privacy compliance.

We should not forget that these matters are also fundamental to good data governance and, in turn, being able to properly leverage data to create value. Legal compliance is just one part of this big picture.

So make sure your ownership is clear, and your owners know their stuff, including the law. If you do, you will have killed numerous data management best practice birds, and one increasingly important legal one, with one stone.

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.