The Power of Information Flow Modelling – Part 3

In this series of blog posts, we are looking into the business enablers of what is a new way of seeing your business by modelling information flow. The challenge that exists in the marketplace was described in this blog post; it is a challenge which is growing daily as the pace of change and the curiosity needed to understand the disruption potential of that change accelerates away from what we know today.

Part 1 looked at how we can better understand the role people play in enabling information flow and how the deep understanding of the value that they offer can help us prioritise the work they do.

Part 2 looked at the same outcome from the perspective of the System.

In Part 3, we are going to take a look at how an Information Flow Model can be augmented with other language to help answer questions of data and information privacy.

Why Consider Data & Information Privacy?

Data PrivacyData and information privacy is the hot topic of 2018. Fueled by the European Union General Data Protection Regulation (EU GDPR) which becomes enforceable on May 25th 2018, understanding what data you have, where it lives in your business, how it is used, what permission was granted to you for its use when it was captured, who it is shared with and which outcomes it enables has, quite literally, never been more important than it is today.

GDPR impacts any organisation with data on an EU citizen, so it is incredibly far-reaching and is already having an impact on other countries data privacy laws. For example, in New Zealand, this happened in early February. Privacy Commissioner John Edwards’ recommendations to changes in the Privacy Act are likely to be just the first example of how other countries begin to implement the intent of GDPR into their own regulations.

As the customer becomes more knowledgeable about their rights and how organisations who have to comply with legislation like GDPR begin to protect their data better, it is inevitable that this will drive other organisations to do the same, preventing customer flight.

Customer Flight

In a late 2017 Gartner Survey, 90% of people interviewed said they value their data privacy enough to stop doing business with an organisation who didn’t protect it enough. Gartner’s “What are Customer’s Expectations for Privacy” presentation by Research Director Jenny Sussin is an excellent resource if you’re keen to know more. A PWC survey suggested that 87% of individuals would take their business elsewhere, facilitated by the new data portability rules, if their current service provider did not use their data responsibly.

The Ponemon Institute 2017 Cost of Data Breach Study interviewed 419 companies to provide its most recent results. Although the average global cost of a data breach has dropped from $4 million to $3.62 million, the report highlights customer churn; the unexpected and unplanned loss of customers following a breach, as a significant consequence that needs to be carefully considered and managed. The report says;

The inability to retain customers has serious financial consequences. It pays to keep customers. Organizations that lost less than one percent of their customer base had an average total cost of $2.6 million. If four percent or more was lost, the average cost was $5.1 million. Organizations in Japan, Italy and France lost the most customers. South Africa, Brazil and the ASEAN cluster were better able to keep customers. Industries with the highest churn were financial, health and services. Organizations in the United States paid the highest price for losing customers ($4.13 million).

Data Breach Churn

Preventing your customers from taking their business to your competitors is a compelling case for understanding how you are using their information, whether there is a fine associated with the mishandling of data or not.

How understanding Information Flow helps

Information Flow ModellingWhen you model the flow of information through your business, you are creating knowledge about where all data and information exists in your business based on who or what touches it.

By considering the value of the information asset that is created by the data flow, and thereby understanding the value of everything connected to producing that asset, you can direct your capture activity to the most valuable parts of your business first. As you document your information flows, finding personal information, you know that this is what needs to be governed correctly in accordance to any regulation you need to comply with.

By other terminology, this forms the basis for a Data Impact Assessment. In GDPR terms, this is Article 35, but the process for capturing this knowledge is fundamental to simply knowing where to get started in terms of managing the personal information your business collects, stores, manages and uses on a daily basis. Perhaps this turns meeting a requirement to know this level of detail about your business from a threat to an opportunity; the opportunity to provide a level of assurance to your customers that you take their data seriously. The other opportunity is of course that you benefit from the continuous improvement opportunities presented by the level of knowledge you now have.

Enabling Data Literacy for Information Privacy

Data? What data?Now that we have the Information Flow documented, we can start to enable full data literacy through the organisation based on any additional language or taxonomy we wish to apply. By adding new connections to the core information flow, the language can be extended to deliver pivots to answer specific questions.

Customers providing consent to their personal information for a specific purpose, is an information flow. If all consent provided by your customers is correctly modelled, pivoting around Customer will provide insight into all information they have allowed you to use. Connecting that data to the business purpose will record why you have the information. The systems modelling in the flow will show you where it exists in the business; whether data passes through as it is processed, or stored in a repository. Any additional actions undertaken against that data and who performs them will also be highlighted. This trace from consent to business value will enable you to understand where you need to protect the rights of your customers, and plan for compliant governance if it does not already exist.

Data Literacy for Information Privacy is needed most at the governance tier. Within GDPR, the Data Controller role is responsible for defining the purpose of data containing personal information across the business and is held responsible for breaches of the regulation. Ignorance is no longer an excuse, hence the upcoming role of Data Protection Officer for larger enterprise businesses who will report directly to the Board.

Implementing robust processes to manage personal information in your business becomes an opportunity to make a real difference not only to the way you operate by better understanding People and Systems, but to increase your credibility with your customers, and prevent the costs associated with breaches.

In summary, by taking an Information Flow Modelling approach to data and information privacy you will immediately be able to answer data and information security related questions; what data do I store, where is it stored, which outcomes does it support, what permission do I have to use it, is there personal data involved, do I share data externally, can individuals be identified, do I know who I have to contact in the event of a data breach, are all of my critical systems encrypting data and secure against cyber-attack. The result – your business governance tier no longer has hide behind ignorance – it can proactively take control of the strategic direction of the business and ensure customer loyalty through robust data management which ensures compliance to local and international laws.