I was going to write something completely different this week about data driven businesses. I was going to look at the future looking world of data literacy and data skills competencies frameworks. I’ve been doing a lot of work on that with colleagues over at the Leaders’ Data Group. But, instead, I’m going to look at the importance of good data foundations for organisations. This is essential in today’s data driven business environment. And for organisations of all kinds.

The Importance of Foundations

Since the start of the year, my colleagues and I have been doing some coaching calls with early stage start up businesses across a range of sectors. Many of these will be no more than a call to discuss an issue. That call then results in a write up of the data strategy, data protection, or data quality challenges that the organisation faces. The write-up includes our quick recommendations for actions the organisation need to take. The focus is on pragmatism and actionable solutions.

In these calls, the common theme is that in the rush to get something implemented or get to market some basic things have been missed and need to be rectified. Things like no consideration of their data protection notice. Or the implications of cross-border data transfers on hosting decisions. Even assumptions about how they might be able to use data for new purposes can throw up potential challenges that need to be addressed. Other calls have the opposite problem. The organisation is so concerned about getting things right from the start that they have paralysis by analysis because they lack the expertise inhouse to assess and understand the issues.

Focus on Data as an Asset

But in either case, the focus ultimately lands on the foundations of their business. Not the technology. But their business model, their goals, and their objectives. Not the sexy stuff, but the nitty gritty of how data will support and enable their objectives and deliver value, and what they will need to do to manage and govern that data in a way that will ensure that value.

By putting in the right foundations early, it’s possible to scale up your governance and controls. With the right structures and discipline early, it’s possible to manage growth in scale and complexity of the information environment of your business. And, increasingly, investors and potential clients are looking to this in companies they are investing in or buying from.

Solid Foundations Mitigate Risk

Why? Because if the foundations aren’t there to help manage and mitigate data-related risk, those investors or clients are buying an unquantified bucket of risk. In the same way as an investor will be cautious about a company with lax financial controls and oversight, the increasing importance of the data asset means the focus (and the wariness) is shifting to the governance of that asset class.

And when a buyer asks for evidence of the quality of the product or service they are betting their business on, organisations that can’t provide it will lose out.

Clubhouse’s Shaky Foundations

The hot new social media platform Clubhouse seems to have data foundations made of clay. From the faux exclusivity of their enrolment method that actually acts to vacuum up contact details from users’ devices, to their development of shadow-profiles of non-members, to their mapping of your social graph to provide a ranking of your ‘popularity’ on Clubhouse (even if you aren’t a user), the issues seem endless. And that’s before we get to the problems of users being able to access recordings and their questionable data hosting situation.

But pretty much all of the issues that they are facing are ones that are well established from a legal perspective in the EU for many years. They are issues that have arisen with other social networking platforms from Facebook to Whatsapp. And the response to Zoom’s data protection and security issues last year should have been a clear warning to the promoters of Clubhouse that “move fast and break things” is no longer a viable business model for data driven businesses.

Add to this their description of a security breach that arose due to a failure to consider potential security threat models and allowed for users to be able to extract call recordings from the platform as a “data spillage“, and it is clear that Clubhouse have not considered the foundations that needed to be put in place. Bluntly: if your only security control to prevent people doing a bad thing is a clause in your Terms and Conditions (which few people read), you’re doing this data thing all wrong.

The Foundations of Amazon’s Labyrinth

Today, Politico’s Vincent Manacourt broke a story about the problems Amazon has with the core data of its non-cloud services business. In the piece, Manacourt shares revelations from whistleblowers from Amazon who highlight weaknesses in internal controls. They also reveal a lack of oversight or governance over core data sets and databases. The piece goes on to disclose issues such as staff who raised concerns being reassigned or dismissed. Further issues revealed include changing the governance decision-making processes in respect of staff with oversight functions in the EU.

Basically – if even half of what Politico have revealed today is true, the fundamental foundations of good data management and governance needed to support effective data security and data protection practices are lacking. And, to make things worse, there appears to be a Data Ethics issue in respect to how people who raise concerns are dealt with. That is a fundamental foundation problem in a data driven business – how your organisation culture responds to and manages concerns and issues that are raised.

As Manacourt says:

More broadly, the accounts raise questions about what corporate values are rewarded at a company that has risen quickly to become the world’s dominant e-commerce player.

Trust but verify – the foundation of data related procurement?

Over the past few years, Castlebridge has worked with clients to help them integrate good data due diligence into procurement processes. And, every so often, we have had clients say no to a supplier who couldn’t, or wouldn’t, provide responses to questions about the data foundations of their business. Questions about governance and control processes. Questions about data security practices. But the data due diligence at the vendor selection process is the buyer’s way of at least quantifying the bucket of risk they are buying.

And this leads to another foundation concept: Quality is in the eye of the beholder.

Of course, we’ve also worked with buyers and vendors who have recognised the trust factor that needed to be established. They have worked together to ensure that answers were provided. Those sellers were able to integrate those learnings into their go-to-market plan with their next customer. This reduces sales cycles the next time around. The buyers also improved their understanding of controls and risk!

Cisco highlighted this benefit of having good data foundations back in 2018 and 2019 in their Data Privacy Benchmark studies.

Data Foundations and Vaccine Passports

The role of good data foundations has been very clear in public health responses to Covid-19. Clear communication of data in an intelligible way requires good data foundations of data definition (what does it mean) and data lineage (where did it come from). Investment of time and effort by public health authorities in developing and deploying technologies such as smartphone apps or mobile phone network analytics requires solid data foundations. Those foundations include transparency, data quality, and compliance with data protection laws.

Yes, the perfect is the enemy of the good. But the good still needs stable foundations or it will fall over or fail.

The latest stampede towards a data driven panacea for pandemic is the idea of a digital ‘Vaccine passport’ or antigen testing passport.

Bluntly: the data foundations for these are unclear and are unstable. And the potential social and societal impacts of deploying such technology need to be clearly debated and evaluated. Such tools are no different to the start ups we’ve coached. It’s essential that the objective of such solutions is clearly defined and understood. Then the data foundations must be assessed in light of those. Open questions remain about vaccine effects on transmission across the multitude of vaccine types that are out there, and serious data protection concerns exist that would need to be addressed. Furthermore, the exclusion of people from society on the basis of them having or not having received a vaccine raises significant ethical questions as well, particularly when there are classes of people who may not be able to have a vaccine.

What does all this mean?

In the Karate Kid, Mr Miyagi tells Daniel-san “First learn to stand, then learn to fly“. This is nature’s rule. In martial arts, a good posture and stance is essential to executing good technique. The same is true of data driven business, regardless what size or scale of organisation you are.

It can be tempting to rush to implementation of a new idea or business. But if you don’t make time to plan for your data foundations the start, you will find yourself missing opportunities. Or having to do a lot of scrap and rework. When your organisation or business grows, it can be increasingly difficult to tame the whirlwind.

It is particularly hard to tame the whirlwind when you are the subject of media scrutiny or regulatory investigation.

How can we help?

Are you trying to get your head around the foundations of data strategy, the fundamentals of data quality, or the brass tacks of data protection?

You can also check out our Podcast and Webinar archives to find other insights!

Daragh O Brien

Daragh O Brien

Daragh is the founder and Managing Director of Castlebridge. He brings over twenty years of experience in data strategy and regulatory operations to the table for clients. He lectures in the School of Law in UCD and in the Law Society of Ireland on Data Protection and Data Governance. He is a Fellow of the Irish Computer Society and holds CIPP/E and CIPM certifications from the IAPP and other data management qualifications.