Loading...

Mitigating Risk in the Age of Big Data

By Rinus Viljoen, 03 August 2019

It’s been said that in a digital century, ‘data is the new gold’ and there is no question that data, correctly leveraged, 
can deliver huge benefits. 
Over 87 per cent of company value today is now in intangible assets, and data together with brand, software code and confidential information are critical to everyday business.

  •                        Over 87 per cent of company value today is now in intangible assets.
  •                             Less than 0.5 per cent of data is actually ever  analysed and used.
  •                             In unlocking the value of big data there are some significant technical, legal and reputational risks and challenges to navigate.
Customer lists; inventory management systems;
purchasing information — all data. In fact many of a company’s most basic functions from invoicing 
to advertising would grind to a halt without data.

Data analytics promises efficient supply chains, better product design and individualized marketing 
to name but a few opportunities. For example it has been estimated that each Fortune 1000 company 
could on average generate an additional $65 million annual net income through a ten per cent 
increase in data accessibility to its workforce. Whole business models have sprung up around 
selling data — check out creditkarma.com for example.

In other cases the value of the company is the data. For example, in a recently completed a sell- 
side mandate for a 30 year old financial services company. The owners had originally been advised
the company would sell for no more than four times EBTIDA. After analyzing the business we realized 
that the company’s most valuable asset was not even on the balance sheet — it was the 30 years
of data it had collected. So instead of targeting people who wanted to buy the operating business 
we targeted people who wanted the data — a completely different set of buyers with much bigger 
cheque books. The result: the business sold for 32 times EBITDA.

This is not an isolated incident: in 2013 when Caesar’s Palace went into bankruptcy the data (again 
not on the balance sheet) was conservatively valued at US$1 billion, making it the single most 
valuable asset in the entire company. When online retailer Kogan’s bought the failed Dick Smith’s 
customer database and brand there was commentary to the effect that Kogan made 15 times their money 
in under three months.

It’s unsurprising then that many c-suites and boards have begun to ask ‘we’ve collected all this 
data — what are we doing with it? What could we do with it? Can we sell it? Are we sitting on a 
gold mine?’

However, before you reach for the shovel to stake your gold rush claim there are some significant 
issues to be aware of. These divide into three groups:
1.    technical (what can and can’t be done from a technical perspective)
2.    reputational (the brand impact of using data in ways that customers may not expect) ‘
3.    legal (what can and cannot be done legally).


Technical challenges

The inconvenient truth that less than 0.5 per cent of data is actually ever analysed and used. As 
Todd Park, ex CTO for President Obama points out ‘data by itself is useless. Data is only useful if 
you apply it’. A key driver here is that frequently data is collected, but not in a useful form.

Sometimes the data is in deep silos that make integration impossible or prohibitively expensive; 
other times small but persistent inaccuracies can render data sets effectively useless. 
For example, 75 percent of businesses think that the customer contact information they hold is incorrect.

On other occasions the problem is that expected insights just aren’t there. Data Scientist, Maksim 
Tsvetovat states ‘there has to be a discernible signal in the noise that you can detect and sometimes there just isn’t one’. Sometimes the problem is not the absence of a signal but the absence of people who can interpret it — CapGemini found that 37 per cent of 
companies have trouble finding skilled data analysists to make use of their data.

Perhaps the most significant technical challenge is ‘recency bias’, a cognitive bias that gives 
greater weight to more recent events. Given that 90 per cent of the world’s data was created in the 
last few years this is a serious problem because new data tends to unquestioningly replace older 
data even when they are equivalent or older data is superior.

Reputational damage

Businesses face significant reputational damage if customers (consumer or business) discover that 
their information is being used in ways they never anticipated or approved. In the rush to exploit 
data, the potential benefits need to be carefully weighed against risks to the broader customer 
relationship.

Take the relatively new $24 billion industry for selling data. Many telco’s facing diminishing 
subscriber growth are looking to exploit the tremendously rich stream of data they receive as their 
customers surf, text and call throughout their daily lives. Similar initiatives are being driven by 
other major data accumulators such as banks, utilities and insurance companies.

There are very significant reputational risks here: not the least of which are whether customers 
have actually given their consent to these kind of practices. With the advent of social medical 
brand velocity (the speed at which brands are built and destroyed) has increased dramatically in 
the last decade. It takes only small but highly publicized mistakes to do significant brand damage: 
witness when Target’s big data practices sent coupons for pregnancy related products to a teenage 
girl who had not yet told her parents about the impending arrival.


Legal risks

There are also some potential legal risks involved when trying to unlock the value of big data.

Under both Australian privacy law (the Privacy Act 1988) and New Zealand privacy law (the Privacy 
Act 1993), there are restrictions on the use of ‘personal information’ which means any information 
about an identifiable individual.

For ease of analysis, most commercial data can be divided into one of four types:
1.    ‘meta data’ — data about your data
2.    ‘B2B data’ — data about individual businesses which are your clients, suppliers or contractors
3.    ‘anonymised B2C data’ — data about individual consumers, but for which identifiers such as address, date of birth or name have been            removed 
4.    ‘personal information’— data about individual consumers which has not been anonymised.

What you can (and can’t) legally do with ‘your’ data is heavily dependent on the type of data you 
hold and how you came to have it.

Among other things, the Australian Privacy Act governs how information can be collected, used, 
stored and disclosed. The information:
•     must only be kept as long as it may lawfully be used
•     a company is restricted to using data for the purposes to which the individual consented, and
•     must be satisfied as to its accuracy before using it.

The good news is that under current law, these restrictions only apply to the fourth type of data 
(personal information), not metadata or B2B data. Both types of data can be highly
valuable (as the case studies above high light) and despite typically being absent from company 
balance sheets they should be regarded as potentially important assets. Efforts should be made by 
Boards and Management to determine if such data is valuable and how that value could be unlocked.

However on the downside the fact metadata and B2B data fall outside privacy regulations does not 
however mean companies are free from risk.


Anonymised data: not so anonymous?

Anonymised B2C data, lives in a somewhat grey middle zone and presents unique challenges. First, at 
a purely practical level anonymised data may be of little use to many types of businesses, just how 
useful is a customer list without any contact details?

Secondly ‘anonymisation’ isn’t a get out of jail free card. For example, car-driving data is being 
continuously collected by many devices to our cars. In a study completed last year, just 15 minutes 
of driving data was sufficient to create a driving ‘fingerprint’ able to identify an individual 
driver out of 15 drivers, with 100 per cent accuracy. Fifteen minutes of the brake pedal data alone 
gave a 90 per cent identification rate.

Mandatory reporting of data breaches

In Australia, a further area where companies face significant legal risk are mandatory data breach 
notifications.

Companies and government agencies that determine they have been breached or have lost data will 
need to report the incident to the Privacy Commissioner and notify affected customers as soon as 
they become aware of a breach. Failure to do so comes with stiff penalties.
When Target was hacked in 2013 and the personal information
of 100 million customers was compromised it was estimated not only did the retail giant sales drop 
three to four per cent but it suffered an estimated $1 billion in fines and other related
expenses.

The take-outs

Most companies are likely already sitting on valuable data sets (as well as other important 
intangible assets). Often these assets will be off balance sheet, under-utilized and under- valued. 
Conventional reporting and analysis will often fail to

identify significant opportunities. Management and boards have a legal obligation to generate a 
return on all assets, including data assets. There are very significant opportunities to unlock 
value and drive increased performance from such assets.

However there are also very significant technical, legal and reputational risks and challenges to 
navigate. These issues require specialized business-centric expertise that measures the potential 
benefits against these risks: just because something is technically ‘viable’ or is legally 
‘acceptable’ does not mean it is the right business thing to do.

So the data gold rush is on but it seems that simply buying a shovel to dig up those data nuggets 
is not quite as simple as it seems.


Paul Adams can be contacted via email at
p.adams@everedgeglobal.com or via www.everedgeglobal.com.

This article was first published in the February 2019 edition of Governance Directions, the 
official journal of the Governance Institute of Australia (www.governanceinstitute.com.au). 
Reprinted with permission.

Paul Adams
Global CEO, EverEdge

By Rinus Viljoen, 03 August 2019