Collecting, reviewing and then acting up on it – what data actually means for businesses

The hot topic of data protection hit a high note in 2018 with countries and companies scrabbling to ensure proper implementation of the EU General Data Protection Regulation (GDPR). As EU and international businesses struggled to ensure they were in compliance, one big question emerged: how many businesses realised the power of what it was they were actually protecting? “For you to be able to realise the power of data,” says Cláudia Fernandes Martins, “you need to first realize what data actually means”.

Businesses know that data-driven decision-making can have multiple returns, including a better understanding of the circumstances at stake, assessment of alternative options, benchmarking, etc. But she points out that while businesses are very aware that they need to collect ‘data’ and understand it as a strategic asset, many struggle with how to process that into ‘insights’ or take the further step of using it to benefit their business. “This is likely explained by the fact that many do not have a solid governing structure enabling them to use/align data they collect along with their business requirements and goals.”

Younger generations are infinitely more prepared to ride this challenge. Businesses collect their data via a range of sources from mobile communications and smart phones, emails and IoT to YouTube videos, blogs and Skype. “These are tools that the younger generation has grown up with,” says Cláudia Fernandes Martins. “We definitely see a difference between the  understanding of Start Ups and young entrepreneurs versus traditional companies, for whom all this is still very new.”

Not just personal

Many see ‘data’ as just referencing ‘personal data’, but there is so much more, she says. “Business information is data, company secrets are data – businesses cannot lose focus of the wealth of data they have access to every day. While dominating the processing of personal data is an important starting point, businesses need to start investing in data and AI (artificial intelligence) tools to understand how to use all of the data they collect, interpret their insights and then act upon it. That’s where the true value of data is.”

The implementation of the GDPR has certainly brought to light the issue of ‘data protection’, but Cláudia Fernandes Martins finds that many Portuguese companies are still unclear on what actually constitutes ‘personal data’ and falling foul of compliance with the GDPR. “Large companies – retail, health, banks etc. – are in compliance, but there are many small to medium sized businesses that are not. They (or some of them) have implemented formal measures, but in practice there is still the risk that they are not applying them properly.”

In the summer of 2018, the Portuguese Data Protection Authority (CNPD) issued two fines totalling €400 million to the Hospital Barreiro following a data protection audit, for amongst others, failure to respect patient confidentiality and limit access to patient data. This raised fears among many public entities and businesses, she explains, as this will not be a unique case, with predictions for further fines in the near future, especially with new legislation coming into force in Portugal (probably in May 2019) implementing further parts of the GDPR.

Her main question from clients at present, is therefore how to implement the GDPR, which she tackles this with a three-step approach. First, reviewing the current status, then implementing measures, such as privacy policies, reviewing contracts etc, and finally, training, from the top-level down. The benefits of ensuring compliance are being able to make full use of any and all customer data collected, she adds. “This knowledge can enable businesses to better understand their customers, to satisfy their needs and to be able to provide the answers and solutions they require.”

The data evolution

From personal data to commercial and now through to AI, the evolution of data is constantly bringing new challenges. “Organizations will increasingly need to use a range of tools based on algorithms, data and AI – the so-called ADA-based technologies – to strengthen their business relationships with customers,” says Cláudia Fernandes Martins, “which brings with it new issues including about the level of transparency in the use of data algorithms and the responsibility for errors”.

Strategies need to be employed now to ensure not to get left behind. And there is no ‘one-size-fits-all’ approach she adds. “Using company-wide training is a starting point, as well as taking into account ethical core considerations, mainly focused on developing business culture and values and ingraining them through every level within the organization, from the most junior to Board level.”

Ethical core considerations were recently the subject of draft guidelines laid out by the EU High-Level Expert Group on AI - ‘Ethics Guidelines for Trustworthy AI’ – including transparency, non-discrimination and human agency and oversight. While there will be no obligations on companies to follow these, says Cláudia Fernandes Martins, these guidelines clearly show the key requirements that the EU will be monitoring going forwards.

The potential commercial value of data cannot, therefore, be underestimated and remaining in the dark is no longer an option. Data itself, regardless if personal or business, is just a collection of ‘facts’, she concludes. “Alone, they are worthless. To ensure that they take advantage of the data evolution, businesses need to understand that the power of data is only harnessed by reviewing and acting upon it.”