Who Owns the Data?
There are also contractual sources of risk to consider. Just because you have access to certain data, that doesn't mean that you own the data or can use it in particular ways.
"Everyone thinks the data they have is their own," Rathburn says. "Do you really own that data? Are you getting it from a company you contract with? Are there restrictions on how you can use that data? Do you have the legal authority to do what you want to do with it?"
Rathburn and Colgan note that restrictions on data use may be buried in ownership or confidentiality provisions, so your organization needs to conduct a careful review of existing contracts to determine the parameters of relevant restrictions and how they affect the intended uses of your data initiative. Going forward, your organization should determine how it wants to use data and how it needs to use data, and then make sure all future contracts are negotiated with those wants and needs in mind.
That anticipates another potential source of risk: your relationship with consumers. It's not enough to simply meet the legal requirements associated with your use of data, Rathburn says. Those requirements form a baseline, but you must balance the potential economic upside to your use of data against reputational harm.
"Keep in mind that angry consumers can do more than sheath their credit cards and tweet scathing reviews," Rathburn and Colgan warn. "U.S. common law has handed consumers a serious weapon in the form of privacy torts -- i.e., no caps on damages, potential for class-actions, torts with a capital 'T'."
"If you can't lock down your big data and segregate it off, you really need to make sure you're only keeping the minimum necessary amount of information," Rathburn adds.
Big Data Questions to Ask
- How is the data collected?
- What type of data is collected?
- Is the data coming from outside the U.S.?
- Are we a regulated entity (e.g., healthcare provider, financial institution, etc.)?
- What does our Privacy Notice say?
- Was consent obtained from individuals?
- If de-identified data is being used, how is de-identification being accomplished and is it in accordance with applicable law?
- What do our contracts provide about data use and monetization?
- How and where is the data stored?
- What purpose do you want to use or disclose the data for?
- Do we have cyber, privacy and breach notification policies and procedures in place?
- Are we periodically conducting risk assessments related to data?
- Will we receive any remuneration for the data?
Rathburn stresses that you shouldn't allow yourself to become too gun-shy to use data -- "No risk, no reward," she says -- but it is essential that you stay aware of the risks and plan for them.