Govern your organisation’s data

Annelies Moens, Managing Director, Privcore discusses why data and its governance  is important to most, if not all, organisations and is something that leaders and managers need to embrace. Annelies Moens

The below extract is based on an article and presentation prepared for the Australian Institute of Company Directors’ Australian Governance Summit, 1st to 2nd March, 2018, Melbourne, Australia and published in the Journal of Data Protection & Privacy, Vol. 2.1, 2018. United Kingdom

Data is an asset or a liability depending on how it is managed and in this sense, every organisation (business, government and not-for-profit) is a data business.As an asset or a liability, data is a core topic with which leaders and managers must make themselves comfortable and familiar.

A lot of data in organisations is about people, their lives, what they do, where they go, what they buy, what they like, what they say, what they look for, what they do for entertainment and so on — it is personal information and thus in many instances is subject to privacy and data protection requirements. Data is so integral to organisations, that it must be treated as core business. Data protection and privacy also have the added dimension of being considered a human right as recognised in the UN Declaration of Human Rights, the International Covenant of Civil and Political Rights.

Four key themes affecting the governance of data

1) Trust and social licence

The 2018 Edelman Trust Barometer reveals that trust is in crisis around the world. In 20 of the 28 economies surveyed, business, government, NGOs and media are generally not trusted. Yet for innovation to flourish, trust is vital; and innovation depends increasingly on the use and sharing of data.

In Australia, the Office of the Australian Information Commissioner’s Community Attitudes to Privacy Survey 2017 shows that ‘one in six [citizens] (16%) would avoid dealing with a government agency because of privacy concerns, whilst six in ten (58%) would avoid dealing with a private company’.  Leaders and managers need to think about how their organisations communicate with stakeholders. How do they build and shape expectations with customers? It is certainly not shaped by the terms and conditions of products and services.

2) Mass customisation

The term ‘mass customisation’ refers to our present-day era where we have taken the handmade bespoke aspects of the pre-industrial era and the mass production capability of the industrial revolution era to be able to produce customised items at scale.

In our mass customisation era there is a need for customer centricity, where we need to understand our customers at an individual level in order to provide for their bespoke needs. Yet at the same time, ensuring an organisation has a 360-degree view of a customer is NOT a customer-centric approach, as customers may not want to fully reveal themselves to organisations. Customers may want to be able to choose what they share.

Privacy is all about giving the customer control of what happens with their data — making them the driver and the reason for our products and services. As such, customer service and managing failure, including data breaches, are becoming increasingly crucial touchpoints in determining the level of engagement and goodwill customers have towards organisations.

3) Increasing number of data breaches

Being able to manage failure is increasingly important as more and more organisations are subjected to data breaches owing to either their own inadequate security practices, system/human failures or unfortunate external attacks against which they cannot fully protect themselves.

The more data that leaves controlled and protected environments, the more we are polluting our data ecosystem. Identity fraud increases, trust diminishes (both ways between customers and organisations) and billions of dollars are wasted. Indeed, an Australian expert on data breaches testified before the US Congress on the impact of such breaches on identity verification, and outlined that static knowledge-based authentication is becoming increasingly risky in a post-breach data world. Focus on cybersecurity to ensure organisations have control of the data for which they are custodians is becoming increasingly crucial.

4) Technology

Technology is rapidly dictating our policies as legislatures and policy makers struggle to keep up. We are in a world where it is easier to keep data than delete it and it is easier to create systems that retain data. An increasing amount of data will be collected about people as more devices become connected to the Internet of Things, which saturates our lives.

We have new technologies that are affecting massively the handling of customer data; consider:

  • Automated driverless cars and the collection of masses of data from sensors, voice and behaviour.
  • Automated algorithmic decision making and artificial intelligence affecting our day-to-day lives.
  • Social credit scoring.
  • Biometrics and facial recognition in private and public spaces.
  • Digital identity management.
  • Cloud services through which data storage and processing is outsourced.

While none of these technologies are inherently bad, they can rapidly lead to massive increased individual risk, through over-collection of data, data breaches and misuse, or out of context use. These issues can be minimised with appropriate governance, which will be needed in order to retain customer trust. We need to build core human values and ethics into our products and services. We must keep individuals at the centre and build technology that respects human values, including privacy and security.

Five ways leaders and managers can build trust

1) Develop a culture of respect

The importance of culture cannot be underestimated. In an independent review of the Accident Compensation Corporation (ACC) in New Zealand following a data breach that occurred in 2012, culture was the biggest transformational issue. ACC. had had inconsistent practices around respecting customer data, which led to numerous incidents of inappropriate data handling. Today, New Zealand government agencies have privacy maturity assessment frameworks in place and a chief privacy officer who operates across the whole government, so that confidence and trust in New Zealand government can grow.

2) Make privacy part of risk management frameworks

According to the World Economic Forum’s 2018 Global Risk Report, alongside extreme weather events and natural disasters, cyberattacks and data fraud/ theft are the top three and four likely risks to occur. As such, privacy needs to be part of risk management and assurance processes.

3) Make leadership accountable

What gets measured gets done. If no person at senior executive level or board level is responsible for the decisions their organisation makes with respect to what happens to data, the direction the organisation takes will likely be dictated by factors other than core values, such as respect for customer data.

4) Monitor key indicators such as input from customers, suppliers and employees

Listen not just to senior executives, but also to customers, suppliers and a broad set of employees. Consider how fast bad news travels to leadership and whether privacy is a regular board agenda item. How are failures and complaints managed within the organisation?

5) Collaborate with the regulator

Regulators with collaborative approaches tend to have more successful regulated outcomes (plus most complaints are negotiated settlements). The New Zealand Privacy Commissioner, as an example, is taking an innovative regulatory approach by introducing a Privacy Trustmark, whereby it is willing to indicate services or products that take data protection seriously and give customers confidence their personal information will be respected and protected.


It is incumbent on leaders and managers to know what goes on in their organisation in terms of the handling of data; only then can they steer their organisation to adopt and develop innovations that respect one of their most valuable assets. Failure to do so is likely to lead to customer dissatisfaction and loss, regulatory intervention, fines, shareholder and customer litigation and class actions, and decline in share value and profits.


Annelies Moens, CIPT, FAICD, CMgr FIML is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals with close to 20 years’ experience. She is Managing Director of Privcore and cofounder of the International Association of Privacy Professionals in Australia and New Zealand. She held elected roles during her six year Board term, including as President. She has held several senior leadership roles, including as Deputy Managing Director of a privacy consultancy, External Relations Manager at an online legal publisher, Group Manager and Chief Privacy Officer at a copyright licensing agency, and Deputy Director at the Australian privacy regulator. Annelies has an MBA in general international management (distinction) from the Vlerick Business School in Belgium, is a qualified lawyer, has undergraduate degrees in computer science and law (first class honours) from The University of Queensland, Australia. Contact Annelies at You can also connect with Annelies via LinkedIn