What are the opportunities and risks for advanced digital systems that run on data?

Developing and implementing a data strategy with supporting governance is crucial to business success. A data strategy should be designed to improve all of the ways you acquire, store, manage, share and use and create new data. It begins with identifying the business strategies enabled or the business problems data and data systems are intended to solve. It must incorporate security and privacy, data ethics, compliance demands and a means of balancing the interests of multiple internal and external stakeholders.

These considerations are fundamental - whether to enable machine learning and AI, data-first business models, data centric workflows, or, if your business is data itself.

There are six core elements of a data strategy:
(1) Identify - Identify and catalog data sources and systems - both internal and external including origin, structure and types of data; map data, data systems, and data models.
(2) Define - Define and catalog the purposes of the data sources and systems, and their use(s); determine and define linkage to business strategies and KPIs.
(3) Store - Persist data in structures and locations that supports secure, easy, appropriate shared access and processing.
(4) Provision - Package data so it can be appropriately reused and shared, and provide policies, rules for use and access, accuracy and integrity, and supporting controls.
(5) Integrate - Move and combine data residing in disparate systems, data lakes and ponds, and provide mechanisms and user tools that provide unified, consistent data views and analysis.
(6) Govern - Establish, manage, communicate and train key stakeholders on information policies, processes and mechanisms for effective data security, usage, quality, measurement, reporting and improvement of data systems and structures that support the business. (These of course include the legal and regulatory requirements appropriate to the industries and geographies in which the business operates.)

An effective, cross-functional data strategy incorporates the six elements, and typically is overseen by top level leaders given the mandate to for all elements, or through a consortium or data governance council or review board.

Update October 3, 2024

Now we wait for the new California Legislative session in 2025 to develop a proposal that balances the dual goals of supporting innovation while achieving safe and secure AI. Surely having a testing process and a protocol for dealing high impact events are smart and fundamental components of any future legislative proposals.
****************************************

September 20, 2024.
Can innovation and safety go hand in hand? State Legislators are pushing California Governor Gavin Newsom to sign the Safe and Secure Innovation for Frontier Artificial Intelligence Models Act (SB1047) resting on his desk. Will the SSIFAIMA become the new acronym we must learn (and may I suggest AIMA for short)? 

Among its requirements, the bill would obligate "developers" training AI foundation models at a certain compute level (computing power greater than 10^26 integer or floating point operations) to take various safety measures to protect the public from cyber attacks on critical infrastructure, prevent AI from being used to develop chemical, nuclear or biological weapons, or enable automated crime. Those obligations include making it possible to quickly and fully shut the model down, ensuring the model is protected against “unsafe post-training modifications,” and post deployment, maintaining testing procedures to evaluate whether a model or its derivatives is especially at risk of “causing or enabling a critical harm.” It also includes the creation of a Frontier Model Division, which would be overseen by a new Board of Frontier Models composed of representatives from the open-source community, AI industry, academia, and government. Support and opposition to the bill has not fallen predictably - with some AI organizations and members of the U.S. Congress in favor while others are opposed. Newsom has said he is interested in AI bills that can solve today’s problems without upsetting California’s booming AI industry. Whether a hint or a misdirection, we won’t know for up to another week.

If Governor Newsom signs the bill, California, similar to Colorado earlier this year, will have taken an historic step to proactively ensure an exciting new technology protects the public interest as it advances new and important benefits in everything from logistics to healthcare. 

If signed, organizations will have a few years to incorporate the requirements into governance, technical workflow and assessment processes. If not signed, organizations may consider adding some concepts into their digital governance frameworks.

Early in my HP career, before jumping into privacy, I took extensive training as a Total Quality Control (TQC) Coach. The concepts of TQC - taking the time to build a process or product in the optimal sequence with the 'right' elements, mirrors the famous missive, "build it in, don't bolt it on", often applied to incorporating security and privacy needs in product development cycles, cloud security and even business operations. 

A TQC-type approach can be the key to privacy and security compliance for small and medium companies that struggle with the demands of tight resource allocation while executing necessary business initiatives; when only a few projects can be chosen. These businesses strive to balance growth and compliance, ethics and innovation, survival and investment. The pressure comes from the top - investors, the sides - partners and customers, and the bottom - employees. It takes a virtual village to meet the challenges of building a small business while meeting the security, privacy and compliance demands from clients, customers and their own employees. 

A commitment to mission and opportunity goes hand in hand with building privacy and security standards at the beginning of design and development processes. Businesses that think and operate that way have an advantage. And, it combats ideas like "we do it quickly so please don't add extra requirements" or "we'd rather gamble because no one cares about our tiny company".  

When businesses prioritize and apply TQC concepts to incorporate and build confidence in their privacy and security compliance baseline, they thrive, customer interests are served and the business grows.

The time is coming soon when businesses will need to consider the impacts, benefits and risks of data use -- including from advanced analytics -- beyond the company and beyond individuals. Now groups of individuals, broader groups and even society as a whole should be considered. This is “risk balancing”, the next phase of governance and sustainability.

In 2022 we saw increased pressure and scrutiny on digital economy activities, from AI applications, to AdTech, from increased cybersecurity threats to international data transfer conundrums. Just around the corner is the activation of several U.S. State privacy laws and European "data economy" Regulations (Digital Services and Digital Marketing Acts). The U.S. Congress once again renewed its evergreen debate about Federal Privacy Legislation. Against this backdrop the IAF’s policy work will focus on reframing and modernizing long-standing principles about risks and benefits to people from the use of advanced analytics and machine learning, the concurrent challenges to corporate research and innovation. We are bringing governance to the forefront of executive conversation – centering on data sustainability and organizational resiliency. 

From where I sit, privacy officers would benefit from taking a closer look at these policy frameworks. After all, stakeholder analysis is not new to the IAF. The IAF’s early work on the difference in risks associated with "thinking with data" -- general research, versus "acting with data", -- the decisions and actions that organizations take that impact people.

The rising wave of data policy and regulation makes incorporating risk balancing an imperative.

I’m proud, energized and honored to be named the President of the Information Accountability Foundation, as Founder and Executive Director Marty Abrams takes a step back (but not away!) to focus on the major policy issues of today and tomorrow. After initially joining the IAF as COO in April 2021, my role will expand bring programmatic and structural focus that complements Marty’s policy vision, leading the organization while Marty conceptualizes what policy should look like in the future so data might serve people. We will refresh IAF branding, increase communications and reinvigorate convening multiple stakeholders. The latter will be crucial to our success as organizations move out of pandemic restrictions. The challenges today are greater than they were in 2013 when the IAF was founded. We see the new leadership model enhances possibilities for policy innovation for 2025 and beyond.  https://informationaccountability.org/2022/08/iaf-leadership-continuity/

Only a select few reach the pinnacle of their profession. I am immensely proud to have received the IAPP Vanguard Award for 2022, which recognizes IAPP members each year who have scaled new heights in leadership, knowledge and creativity in the field of privacy. It was a special privilege to share the award stage with the one-and-only Elizabeth Denham CBE, former U.K. Information Commissioner, and recipient of the IAPP Leadership Award awarded to those in the public sector committed to an “ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession.”https://iapp.org/news/video/a-conversation-with-2022-iapp-vanguard-award-winners/   

What an amazing 3 years as part of Looker, which now come to an end. The Google Cloud acquisition is complete, along with the privacy functionality transition. https://cloud.google.com/looker 

In that time we (Looker) established a privacy program that worked for Looker and for its customers and partners, and also earned the respect of the Google Cloud acquisition team. We established something novel - a data ethics review board - focused on ethical and responsible data use and responsible third party relationships, with diverse representation from multiple functional groups. It's a reusable template for future efforts to establish data use or similar review boards.

Although the shadow of the Covid-19 pandemic remains, the next opportunity, like the spring, is here. 

 I’m deeply grateful and appreciative of my time at Looker! It was truly a one-of-a-kind and inspiring time - the people, the product and the place. 

Now comes a new type of challenge as I take on the role of COO at the Information Accountability Foundation. What a treat to be able to work alongside Marty Abrams!

Digital Stewardship Strategies may now take clients on a limited basis. 

Sometimes you seek the good and sometimes the good finds you. A quick high-impact GDPR consulting project brought me in early 2018 to values-driven Looker Data Sciences. I could not have found a better place with smarter and thoughtful leadership, who truly lives the values. In beautiful Santa Cruz! Fun, challenging and exciting times lay ahead as I take on the role of Chief Privacy and Data Ethics Officer at Looker Data Sciences. 

Digital Stewardship Strategies will be on hiatus indefinitely.  

**Republished from an IAF Blog dated March 2018, in anticipation of the GDPR compliance date**.

As the race to EU GDPR enforcement date in May heads into overdrive, should companies start looking around the corner to what's next? 

GDPR implementation has required deep focus on technical and procedural legal compliance.  Yet recent pronouncements from the EU Data Protection Supervisory Ethics Advisory Group and the UK ICO are reminders that ethical considerations are part of data protection programs:

On December 7, 2017, UK ICO Liz Denham said: “The GDPR does not specifically reference data ethics, but it is clear that its considerable focus on new technologies – particularly profiling and automated decision making – reflects the concerns of legislators about the personal and societal effect of powerful data-processing technology. It’s hard to separate data protection by design from data ethics by design…Companies must ask themselves questions that identify the risks they are creating for others and mitigate those risks. There is every reason to include ethical considerations as part of that process. The most innovative companies will go further and use these tools as a springboard to think of ways they can integrate their data protection and ethical assessments.  That just makes common sense.”  https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/12/techuk-data-ethics-summit/ 

On January 25, 2018, the EDPS Ethics Advisory Group wrote:  “…’data rich’ public and private organizations will have greater ethical responsibilities towards citizens and customers.”

Ethics-based, stakeholder-focused data stewardship requires enhanced transparency and accountability, enabled by the specific application of ethical considerations.  Look for more soon on a project I'll be leading with the IAF, bringing my extensive years of experience as a CPO and business process expertise.  The objective is to provide a framework and tools that help companies transform from pure compliance to accountability, ethics and stakeholder-focused data stewardship. The GDPR will push organizations to towards more robust, demonstrable and accountable data governance.

September 2017 starts a new chapter as I launch Digital Stewardship Strategies, LLC, a boutique consultancy focused on providing strategies and operational guidance to organizations that wish to establish or expand privacy and data use programs aligned with data stewardship and data ethics. Cross-organizational programs centered on data stewardship enhance customer trust and support business opportunities and growth.

This new adventure begins in tandem with formal acknowledgement of a long career in privacy - 18 years and counting! I've been accepted as an inaugural IAPP Fellow of Information Privacy (FIP). The official list can be found in the IAPP public online directory* of esteemed FIPs. I am honored to have received this recognition - thank you IAPP!