
Lacking data management processes holds back digital business

The business fallout of poor data management processes goes well beyond security and privacy implications. Evident IT CEO David Thomas explains in this SearchCompliance Q&A.

Modern, digitized companies certainly have no shortage of information they can analyze to help improve services, products and customer interaction. The plethora of data also comes with inherent risk, and poor data management processes can result in breaches of customers' or employees' personal data as well as compliance risk stemming from regulations like the EU's General Data Protection Regulation (GDPR) going into effect next month.

Data management processes are also vital factors in digital companies' bottom-line success, according to David Thomas, a cybersecurity industry veteran who has held leadership roles at Motorola, AirDefense, VeriSign and SecureIT. Now CEO and founder of identity assurance platform provider Evident ID Inc., Thomas said companies need to use data management to balance data privacy standards with the ability to grow the business -- and bottom line. In this Q&A, Thomas discusses how companies can achieve this balance.

Editor's note: This interview has been edited for clarity and length.

What are the biggest implications of poor data management processes as companies become increasingly digitized?


David Thomas: One of the biggest implications is certainly poor security and security breaches that are revealing incredibly personal information about people. Also, data is an essential, critical asset -- in addition to being a liability. If you have poor data management practices, the likelihood that you're actually going to be able to leverage data properly is very low. It's up to every company to pay close attention to how they manage and secure data.

That is important as regulations like GDPR come into play. Every company has to figure out, 'Am I going to have a worldwide approach to GDPR, where I apply GDPR principles everywhere? Or am I going to segment it by region somehow?' And then if you segment it by region, how do you handle local data protection regulations that may have a good bit of overlap with GDPR? Do you target those local regulations or do you apply the GDPR requirements?

When it comes to data management, GDPR is something you should be thinking about. Whatever principles come out in whatever state regulation or countries' rules, they are likely to overlap quite a bit with the principles of GDPR.


Analyzing customer data is an invaluable business tool. What steps should CIOs and other IT executives take to gain insight into customer data, but avoid privacy risks and hacking threats?

Thomas: One of the most important principles you need to think about is the user's consent and how their data is used. You need to think about deriving facts that are relevant to your business from their data, rather than handling the data itself. A CIO needs to carefully consider what data to directly handle and what to avoid handling as much as possible, yet still get those critical business answers.

User consent fixes a lot of things, and often users want personalized services -- they just want to be protected at the same time. Those are the options that CIOs need to be looking for.

What types of data management processes should startups and smaller companies use to maintain high privacy standards for customers, especially when they're trying to grow the business?

Thomas: The first thing that a smaller company can do is recognize that while data privacy may not be your top priority as a high growth, small company, it has to be on the list of your highest priorities and you have to pay attention to it. Ultimately, consumers are going to expect companies to pay attention to privacy and they're going to direct their business toward companies that they feel confident will handle their data properly.

The other thing small companies have the opportunity to do that larger, more mature companies don't is they can start out by minimizing the personal data they handle. Large, mature companies already have so much of this data that it's more of a retrofitting exercise for them.

How do they make their business work without it? How do they make their business work with less of it? A small company has a great opportunity to start out light when handling personal data and making sure that their business doesn't become a significant target the way that most large, mature companies have become.

How have technologies such as AI and machine learning benefited and complicated companies' efforts to manage and analyze their data?

Thomas: Companies have gotten the idea that the more data they have and they hold and they store, the better off they're going to be for the long ride. I think they believe that because these more sophisticated methods of analyzing data like machine learning have come to fruition over the past few years.

Ultimately, that isn't the right frame of mind. You can't, as a company, have a data-hoarding mentality -- you have to be in a data-minimization mentality. They should think about, 'What [data] do I absolutely need to run a business, and what data can I avoid so that I don't paint a target on my back?'

Everybody thinks they need to store as much data as humanly possible. It's just not accurate. It certainly has benefited businesses tremendously in automating complicated patterns -- software now can offer personalization that is well beyond what was previously available. There's no question those things are offering benefits, but you don't have to become a data hoarder to take advantage of those benefits.
