The digital era has opened opportunities to re-invent business models and transform customer interactions, creating great potential and significant risks at all levels of the business. Most organisations, however, have yet to articulate a comprehensive, digital enterprise strategy, or appoint a focused digital governance and data protection leader.
This is not necessarily a failure of oversight: setting out a digital strategy is tough, and the data protection landscape remains overly complex. Currently there are no best practice guidelines, only scattered examples; however, business will need to prioritise its approach based on its unique market dynamics, and relative digital maturity.
For those operating in regulated markets, the need for digital governance and data protection is more urgent. But digital requires consideration by nearly every organisation, not least due to the pervasive use of digital content, channels and tools, with social networks and the ability to share built into every app and device. It is simply a matter of when, not if, an organisation will have to deal with an employee inadvertently tweeting or posting sensitive information; or a cyber breach creating unauthorised access to large amounts of personal data.
As digital becomes increasingly core to most businesses, several specific pressures are pushing digital governance up the corporate agenda:
- New regulatory requirements demand action. Governments are racing to catch up with the speed at which the digital world is moving, leading to a number of new and emerging laws on tax, privacy, data handling and more – with steep fines for failing to comply.
- The growing risk of cyber security needs to be urgently addressed. Businesses today have to assume that attacks will occur at some point, and plan accordingly. Added to this, regulators are putting pressure on firms to admit to such breaches publicly.
- Perceived digital weaknesses can do irreparable damage to brand reputation. Consumers are becoming increasingly aware that, when they bring companies their custom, they must also hand over their data. Firms that show themselves as untrustworthy custodians of data will face a major loss of brand equity.
How does it affect you?
There are several reasons why yesterday’s approach to data protection and governance may no longer serve in the digital age. First, the legacy mindset of governance as a control mechanism does not work when information flows are fluid. Second, traditional digital governance overly rooted in mitigation will limit organisations in the possible upsides. Various new realities need to be factored in:
- Digital is pervasive. The use of digital content, channels and tools has led to exponential growth in new market segments, business models and ways to engage employees and customers. Companies need to find ways to adapt: in how they differentiate and develop products, rethink customer engagement and communication, and handle employee interaction.
- Employees are now broadcasters and publishers. Thanks to social networks, every employee can freely and easily broadcast to the world. Training and communication can help, but firms need to find smart ways to adapt to this reality – and tap its potential.
- Decision-making happens at the speed of digital. Governance is traditionally about establishing a set of rules and processes, providing structure and guiding decision-making in a large organisation. But in a digital economy, decision-making approaches are changing and processes need to adjust accordingly.
What’s the fix?
Organisations grappling with the issue may want to consider the following steps:
- Set out an appropriate operating model. The first challenge lies in organising the business for digital – designing an underlying operating model that is fit for purpose and defines ownership and governance.
- Seek to change rules, processes and behaviour. Governance in the digital era is not chiefly through rules, but through a combination of rules, processes, values, monitoring and listening, and the explicit development of infrastructure and services to support and shape how digital helps create value for the business.
- Plan for shadow IT, not just traditional IT. In ensuring appropriate governance, organisations need to plan for the IT spending that happens outside of the official IT budget. Cloud computing offerings make this increasingly common, and it will increase.
What’s the bottom line?
Operating in a digital world presents seemingly unlimited opportunity; however it also raises new risks, from cyber security threats through to compliance failures and organisational silos. As companies have raced ahead in experimenting with digital, data protection controls have lagged behind in maturity.
Now, as legislators and regulators work to introduce new rules, and as awareness of both digital opportunities and risks grow, businesses can no longer afford to ignore digital governance.
Boardrooms incorporating both executive and non-executive management have a direct responsibility, thanks to their oversight across the business and their ability to define and implement a viable operating model. A comprehensive digital governance and data protection model requires investment, but the benefits reach far beyond merely managing compliance: digital leaders will reap cost and efficiency gains, as well as reputational and competitive advantage.
Mark Brown is director of risk and information security at Ernst & Young