In our highly interconnected world, data has emerged as one of the most valuable assets for businesses, with no indication of this trend slowing down. Consequently, it is crucial for institutions, organizations, and individuals to understand the significance of data ownership—what it entails, why it matters, and how to safeguard it to mitigate risks.
The following article provides a high-level overview of what data ownership is, why it is a must-have requirement for any business, and how to enforce data protection by applying a strong data ownership protocol.
What is data ownership?
Data ownership is about managing, securing, and taking responsibility for an organization's data. It refers to the activities involved in managing and controlling the data collected within a business or organization, and in ensuring and, when needed, enforcing its security.
Data ownership is a key component within a larger framework of data governance, which regulates a wider array of data-related activities such as data handling, data quality, and transformations. For more info on data governance, see our full guide to the 6 building blocks of data governance.
Concretely, Data Ownership refers to the individuals, processes, institutions, or organizations that have access to data and can therefore change, manipulate, share, or dictate its usage.
In a world where regulations are ever more stringent and omnipresent - see General Data Protection Regulation (GDPR) - it is imperative for organizations to define and enforce a structure that regulates not only “who has access to what” but also, and more importantly, to what extent such data can be shared and what must be done to protect it.
The importance of data ownership
Ultimately, the aim of data protection regulations is to ensure the security of personal data or Personally Identifiable Information (PII). Crucially, where businesses fail to protect personal data adequately, it can lead to very serious consequences, such as the high-profile Facebook–Cambridge Analytica data scandal. However, even relatively small data breaches or losses can have a huge impact on businesses, not least in terms of reputation, and this is where data ownership and Data Ownership Protocols (DOPs) play a crucial role.
What is a data ownership protocol?
Data Ownership Protocols, or DOPs, are the combination of procedures and best practices regarding who owns and handles different forms of data. DOPs can be applied at different levels and provide concrete action points for organizations and individuals to act upon and protect their data. For instance, at an organizational level, DOPs dictate, among many other things, who has access to the data, and to what extent, under what authority, and with which third parties such data can be shared. At an individual level, DOPs regulate aspects such as data shareability or protection.
Although the specifics of a DOP will depend on the nature of the individual business, they all rely on the same principles of data access, protection, accountability, and shareability. For example, DOPs regulate which individuals can access the personal information in a company's CRM, or what processes and software are in place to steer data access. Similarly, companies can improve credibility by obtaining data security certifications from internationally recognized institutions such as ISO or SOC.
Establishing a Data Ownership Protocol
There are four key areas that need to be reflected in any Data Ownership Protocol:
1. Data access
Who has access to what data source? For example, which individuals can see the personal data of a company’s customers?
2. Data shareability
Who can share what, and with whom? For example, in addition to data access, which individuals are permitted to share personal data within the organization or externally? External sharing is an especially sensitive topic, and regulations such as GDPR have set clear boundaries: personal data can be shared only with the explicit consent of the persons or parties involved.
3. Data protection
What measures are in place to ensure that access and shareability are respected? For example, access rights that limit the extent to which an individual can see or interact with PII data.
4. Data accountability
Who are the individuals responsible for ensuring all of the above? For example, InfoSec departments, IT security, and so on.
In today’s complex data landscape, it is very common that these areas do not have clear boundaries but rather overlap with each other. For example, users’ access rights regulate who can access and interact with what data, but also - at the same time - what protection levels the accessed data has. In concrete terms, it is not uncommon for organizations to have unclear limits between these areas, and such ambiguity can ultimately result in a lack of accountability. It is, therefore, crucial to understand which individuals or departments are ultimately responsible for the enforcement of DOPs, for up-to-date maintenance, and for generating company-wide awareness of their importance.
Conclusions
Overall, Data Ownership refers to the principles of data access, shareability, protection, and accountability, while DOPs are the combination of all the actions, processes, and best practices necessary to enforce these principles.
Given businesses' regulatory obligations via legislation such as GDPR and the potential impact on reputation and credibility, having a robust set of DOPs is no longer a nice-to-have but rather a must-have for all businesses.