There is growing evidence that data forward processes will require governance that considers impacts not just to privacy and cyber security but also considers inappropriate discrimination, precluded opportunities, and fair practice for potential competitors.  “Data forward” means data is becoming a larger and larger enabler of business strategies, but only some of these organizations are starting to invest in governance processes that match their data forward plans. Being data forward exacerbates the cyber security deficit.  More observation and processing increase the touch points for cyber incursions, and more use of artificial intelligence (AI) introduces new classes of cyber risk.

For example, the Algorithmic Accountability Act, S.3572 and HR.6580, have been introduced in the United States Senate and House of Representatives.  Both bills would require impact assessments that go well beyond the approach and capabilities of the majority of the organizations that are looking to be data forward. 

Last week the UK Competition and Markets Authority (CMA) reached an agreement (press release) with Google related to Google’s removal  of third-party cookies from the Chrome browser.  Google’s blog makes it clear that any changes made regarding its browser will apply to its advertising products. The agreement includes assessments that balance the interests of third parties and individuals as well as competitive markets and includes a required Monitoring Trustee who will work alongside the CMA and will be central to Google’s compliance.

Yet, one of my colleagues was asked by a consulting firm executive why consulting firm client services executives aren’t being asked for tools to build more advanced governance?  Good question.  Maybe the answer is the people they are talking with are doing a sprint to catchup with legacy compliance requirements and are not yet asking the questions required for data forward governance.

GDPR and California have had some significant lessons for the privacy and cyber security fields.  Among them are that the tools needed to fulfill data subject rights and manage international transfers are much more difficult and expensive to build and implement than anyone anticipated.  The new lesson in emerging market demands is that organizations need to be more anticipatory relative to governance approaches and need to start building the change well before the requirement is specific.   The failure to recognize these needs is creating a governance deficit.

In conclusion, data policy management executives, which is what the best privacy officers truly are, are too busy catching up with the past to pay attention to the future.  Similarly, CEOs that don’t anticipate this attention deficit will be making interest payments on the governance deficit that accompanies the adoption of data forward strategies that don’t include forward looking governance.

Organizations interested in avoiding the governance deficit that is already beginning to happen should participate in the governance discussion DLA Piper, The Providence Group, and the IAF are holding April 11 in Washington D.C.    Join us April 11.