Last year at this time, Peter Cullen was just joining PwC and talking about helping privacy professionals change the way they think about information risk management. Just as he was getting up to speed doing that very thing for the Information Accountability Foundation.

Now, the market is seeing some of the fruits of that labor. At Privacy. Security. Risk. this week, Cullen will join with Intuit’s Barb Lawler, Google’s Troy Sauro, and PwC’s Toby Spry to talk about implementing fair data use principles. It’s a companion piece to works like the recent PwC publication “Monetizing data while respecting privacy,” and the IAF's “Enhancing Benefits from Information Flows While Improving Regulatory Certainty in the Digital Age.”

The commonality? Data use governance.

According to PwC, data use governance is a practice that makes sense on its face, but is difficult to implement, especially in the sprawling organizations in which many privacy professionals find themselves. How do you combine traditionally compliance-focused activities like privacy and infosecurity with traditionally strategic and revenue-producing activities like using data to make marketing and product-development decisions?

It’s especially hard as global privacy regulations increase in complexity almost as fast as companies increase the amount of data they collect and use.

The real hard part? “Increasingly, we have found what’s being expected from a regulatory standpoint is not just are you using the data in a legal sense, but also in a fair and ethical manner,” PwC’s Cullen told The Privacy Advisor. “Most marketing officers are heavily focused on using data to create revenue. Some privacy officers, maybe many, are focused on legal compliance. Most chief security officers are saying, ‘How do I protect the data?’ But almost no one is saying, ‘How do I use the data in a way that’s both legal and fair from both a customer’s perception and the marketplace’s expectation?’”

Information governance is an opportunity for privacy professionals to step into that breach and head up that data use governance effort.

Data use governance as part of a larger information governance framework is where these areas converge.

This means opportunity for privacy professionals to step into that breach and head up that data use governance effort. “We’ve observed that the leaders in the field are noticing that their companies are growing in the way that they think about and use data,” Cullen said, “and that’s creating a whole new class of risks. They know their job is to help the organization think about this problem, and bring the various stakeholders together to effectively manage those risks.”

They also help anchor the goals of the overall information governance effort to the organizational strategy as a whole. “They’re able,” Cullen said, “to make the organization understand that if growing the use of data is core to the growth of the business, then managing the risks that creates is important, too.”

Successfully making that argument leads to more budget, more responsibility, and a more strategic contribution to the organization as a whole.

Often, that contribution is a decision-making framework that PwC proposes is a way for organizations to know what uses of data fit within their ethical guidelines and which don’t with respect to data management, use and governance. The framework maps the organization’s values to the regulatory environment and creates something that’s able to be referenced by everyone from the human resources director to the sales engineer.

“And these leaders are building structures where there’s an escalation process when the decision on whether to use the data in a particular way is not clear,” Cullen said, “and that can mean escalating decisions all the way up to the CEO or senior leadership.” Because sometimes, nowadays, the answer to data-use questions are “I don’t know” or “there’s a difference of opinion on that.” Leadership often needs to make the call.

Of course, allowed Cullen, it’s still early days. Many organizations are just getting started down this kind of data governance path. And for that they often need strong collaboration between the CPO, the CIO, CMO and the CSO, and often quite a few others

There needs to be an educational process so that IT and others can understand that a single data element can be used in a host of different ways, creating a host of different risks.

Data classification schema need to be created and broadened. Classifications need to allow for the context and nuance of how the data is to be used. There needs to be an educational process so that IT and others can understand that a single data element can be used in a host of different ways, creating a host of different risks.

“The more they use data,” Cullen said, “the more they see they need to focus on the quality of the data and get a deeper understanding of where the data is and how it’s being used. The whole area of a data discovery is rising in importance.”

Data or information governance still means different things to different people, but Cullen and PwC are working on that. As the concept evolves and solidifies, more organizations will embrace it, they speculate. If it’s the privacy professional who works to help organizations understand and utilize it, they may find themselves elevated within the organization. If it’s someone else, well, maybe they won’t.

Photo credit: _DSC0300 via photopin (license)