It’s time to light the match and burn your data
We’re excited to bring back Transform 2022 in person on July 19 and virtually from July 20 through August 3. Join leaders in AI and data for in-depth discussions and exciting networking opportunities. Learn more
If you spend time reading a company’s latest quarterly results, there will undoubtedly be discussion about how much it has invested and how well it is analyzing and using the information. Silicon Valley is full of companies dedicated to creating, consuming, and analyzing massive amounts of data. We were told that data is a currency, increasing in value as increasingly complex and sophisticated technologies are applied to derive insights from it. However, if data is not just a currency, but an instrument of debt, its intrinsic value can quickly turn negative.
The value of old data: a new calculation
The value of information is obvious: it is needed in almost every function of an organization, from small local businesses to the largest financial services and technology companies. But calculations of information risk remain inconsistent. Information security risks have been highlighted by commentators, breaches and ransomware attacks.
Yet even with these well-known risks, organizations often struggle to remove, well, anything. There are three main reasons companies have been reluctant to delete data: (1) its potential value or use at some point in the future, (2) legal or compliance issues regarding theft or deletion misinformation and (3) an incomplete view of information across the organization.
The first problem is often the hardest to solve. Marketing, sales, development, and product teams have an insatiable appetite for data to drive results. The idea of removing information, even if theoretically used today, that could provide unique information in the future is terrifying. And the ever-increasing sophistication of analytical capabilities offers the ability to draw subtle conclusions without significant additional investment.
In contrast, legal and compliance concerns generally become more manageable. For a long time, the risk of spoliation through legal proceedings or improper/accidental deletion of corporate documents far outweighed the benefit of deleting anything. Legal and compliance teams are scarred by more than a decade of litigation and regulatory enforcement actions where data issues were front and center. But this experience has also taught these teams that there is risk associated with information, and they can see that the calculus of data retention versus data deletion is changing. Additionally, early experiences with global privacy requirements, such as GDPR, provided further validation of the risks.
The new calculation is based on a balance of variables and a multiplying factor which is associated with sensitive information. First, all parts of an organization must accept that possessing information represents risk, in addition to value. Second, sensitive information that can provide high levels of information carries equal levels of potential risk. Finally, companies must put in place effective means to dispose of the information they do not need once their obligations to value and keep them have passed.
The big new variable: confidentiality
The insurance industry is not often seen as a driver of change. It is highly regulated in most jurisdictions and has developed risk models based on a long history of claims and events. These dynamics have effectively forced the industry to adapt slowly to change, to require extensive retrospective analysis of data, and to maintain long data retention periods. And yet, we could see the insurance industry quietly leading the new charge.
Long before big data, machine learning and advanced analytics appeared in the latest tech journals, actuarial science in the insurance industry had led the way. However, the analyzes were largely retrospective, based on similar past events, to predict future risks. In recent years, the insurance industry has adopted practices that have created large amounts of information, consumed in real time, to develop its models. In the process, the industry has created new risks, which it is still trying to fully understand.
For example, many insurance companies now offer potential savings on car insurance if they are allowed to monitor driving habits in real time. These apps capture huge amounts of information, duration, distance, acceleration, speed, and other attributes for a given individual. This allows companies to create risk models and modify hedge rates based on this analysis. At the same time, they create large amounts of sensitive private information.
Insurance companies are also now developing insurability scores and models, based on an extraordinary aggregation of available public and private data. The aggregation of this data includes some of the broadest views of an individual’s habits, practices, and personal information. It is constantly updated by them, vendors and third-party vendors, and powers a number of automated models, systems and processes.
All of this data creates value for developing risk models and serving customers. But it also generates a huge amount of highly sensitive private information.
Actuaries at work
The National Association of Insurance Commissioners (NAIC) is an organization few have likely come across. Insurance regulation is largely state-based in the United States, and the NAIC creates standards and model rules to be adopted as practice by insurance companies or codified into law or regulation. The NAIC has a history of model rules that address information security, record retention, and privacy, focused on protecting information and organizations and making data available to regulators. However, with the passage of new laws in many US states and the experience of the EU General Data Protection Regulation (GDPR) governing information use, access and rights, the NAIC realized that a more privacy-focused model was needed.
Through a working group, they sought to distill the obligations and lessons of GDPR, as well as CCPA, CPRA and CDPA, and provide a common set of requirements including:
- Right to opt out of data sharing
- Right to limit data sharing unless the consumer agrees
- Right to correct information
- Right to delete information
- Right to data portability
- Right to restrict the use of data
The elements aren’t particularly unique, but the insurance industry was among the first to realize that the scale of what can confront them from a privacy perspective could overwhelm existing technologies and practices. Almost every person in the world’s developed markets is a customer of an insurance company. What happens if only a fraction exercises one of the rights mentioned above? This will dwarf the volume of preservation requests processed for legal or regulatory purposes. And what about all the sensitive information that has long since exceeded their retention requirements, but was never deleted?
Burning the Glades: Establishing the Value of Your Data
Companies must establish practices and technologies that meet all privacy obligations in the EU and emerging in the United States. Ridding your organization of information of limited value or beyond its retention period is an essential first step. Many organizations have struggled with routine data deletion; now they must be prepared to do so on demand, potentially from a large number of their customers.
Like the undergrowth of the forest, information has value up to a point. It then risks burning the whole forest if it is not managed or removed. Organizations must begin by establishing the value of information and clearly understanding what represents undergrowth and risk. Then they have to light the match and burn what they shouldn’t have or no longer need.
George Tziahans is Managing Director of Breakwater Solutions.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including data technicians, can share data insights and innovations.
If you want to learn more about cutting-edge insights and up-to-date information, best practices, and the future of data and data technology, join us at DataDecisionMakers.
You might even consider writing your own article!
Learn more about DataDecisionMakers