The Chief Data Officer (CDO) role appeared in the in the early 2000s. The misleading mission statements accompanying the first appointments may suggest that the CDO’s accountability extends to all the enterprise data assets. After all, is it not the sole C-level role to explicitly include the term “data” in its denomination?
The answer to the title question is unequivocal: No. The accountability of a Chief Data Officer is not exercised over all the enterprise data assets. In many organizations they are responsible for the actions in enterprise data management departments, including data governance, data quality, and metadata management.
It is important to identify types of the enterprise data assets since some of these types are the responsibility of other people in the organization – reporting to the CDO or another C-level role.
Data asset: definition and structure
The term “enterprise data asset” can be simply understood as all the data, information, knowledge, and wisdom accumulated by a company during its lifetime and that can be reused to create value. It can be characterized according to different points of view and criteria:
The technical point of view usually leads to classifying data asset elements according to their format (structured, semi-structured or unstructured). Storage media and location may also be additional criteria (paper, digital, cloud, etc.).
The business perspective considers data asset elements in terms of the business-function acting as data producer or data generator:
- Customer and prospect sheets, contact histories, relational networks, distribution methods, etc. for the data under marketing, sales, and customer relationship management departments’ accountability
- Accounting, financial, risk, etc. data for the data under Finance department’ accountability.
- Personal data, contracts, commercial commitments, partnerships data, etc. for the data under Legal and Compliance departments’ accountability
- Etc.
Finally, the regulatory point of view considers data asset elements according to whether the related treatments are governed by regulatory provisions or not. It is essential to distinguish the sensitive data from the non-sensitive data and develop data governance policies to support these requirements.
Sensitive data: regulation and accountability
Sensitive data means any information or knowledge that, if revealed to the public, would harm the entities it concerns. This class of data exposes data subject to legal risk on the rights and freedoms of a natural person (sensitive personal data) or on the image, position, finance, or contracts for a company (sensitive non-personal data). The processing of sensitive data is governed by regulatory provisions, depending on the category of data subject: an individual or a company.
- Sensitive personal data and privacy protection
When the entity is an individual, the provisions fall under the General Data Protection Regulation (GDPR). They cover data as varied as financial data (credit card number, bank account number, etc.), unique identifiers (passport number, digital identity, etc.), racial data (racial origin, ethnicity, etc.), opinion data (political opinions, religious beliefs, etc.), biometric data, etc.
Companies that process such data can create threats to the data subjects’ rights and freedoms. For the regulatory authority, the issue therefore concerns as much the data subjects’ protection as the enforcement by companies of the protection principles and rules as well as the companies’ ability to demonstrate their compliance.
GDPR establishes the accountability of a Data Protection Officer (DPO) on the management of personal data. This is exercised on:
- The insertion of the regulation principles and rules within the company
- The support of all internal stakeholders in the appropriation of this system and in its daily application
- The management of the data subjects’ consent, requests, and notifications of personal data breaches
- End-to-end risk management, including outsourcing
- Cooperation with the Supervisory Authorities
Unlike the single EC Framework, the US uses sectoral and local provisions. These contribute, each to its scale and in its field, to supervise the processing of personal data.
As a rule, these provisions do not require the appointment of a person in charge to answer to the supervisory authority. In practice, this designation is either the result of a sanction or the initiative of a company. In this context, responsibility can be entrusted to a DPO or Chief Privacy Officer or Data Governance leader, and the appointment of a DPO is left to the discretion of the company.
- Sensitive non-personal data and trade secrecy protection
When the data subject is a company, the provisions in force in the European Union (E.U.) are related to business secrecy and are governed under a directive about the protection of knowledge and undisclosed commercial information. The United States has adopted similar provisions under the Defend Trade Secrets Act (DTSA), with the aim to standardize and to adapt the right to the information and digital economy.
The criteria of these regulations can be met by research projects, acquisitions and mergers, non-patented processes and practices, certain contracts or contractual clauses, secrets shared by industrial or commercial partners, etc.
The regulation does not devote any accountability for such data, as in the case of personal data. It leaves free choice of technical and organizational protection measures to the company. For the regulatory authority, the issue concerns data security and is reflected in the identification and classification of such sensitive data, the training and awareness of staff in the company’s policy regarding disclosure of internal information, the implementation of confidentiality agreements in relations with third parties, the establishment of a secure digital information management system, etc.
In other words, the regulatory authority considers that the company must take reasonable steps to protect its non-personal sensitive data and those of its business partners. This issue is carried within the company by the Chief Information Security Officer (CISO). Although not sanctioned by the regulations, the accountability for non-personal sensitive data must fall to the CISO, as part of its overall mission of developing and monitoring policies and programs to mitigate security risks on corporate assets.
Conclusion
Although the Chief Data Officer (CDO) has the titular responsibility for overseeing most of an enterprise’s actions that involve data, there are other roles that have specific accountability for the processes and decisions surrounding the capture, use, storage, and treatment of various types of data.
