Why Every Company Needs a Data Policy
In a post-GDPR world, operating without a clear-cut data policy is like flying blind in a snowstorm. It is fraught with risk and, more importantly, might cost organizations millions of dollars.
The General Data Protection Regulation, or GDPR, dramatically changed the rules on how businesses must collect, track and store consumer data. Because it applies to every company with customers in the EU, not just those headquartered there, and can impose significant penalties for violations, companies of all sizes have legal and financial incentives to get their data policy houses in order. And that’s just one example of major legislation that impacts how companies work with data today; other policies, including the California Consumer Privacy Act, are coming soon.
While the need for better data governance and transparency is clear, the path to get there is not. In recent months, I’ve had many conversations with leaders at Fortune 500/Global 2000 companies about implementing responsible data policies. Here’s what I tell them:
Take Control of Your Data
The first step in setting up a strong data policy is to create a holistic picture of the data across your organization. This requires assessing the current situation and then taking control of your data and the processes surrounding it. To do this, you need to use a solution that consolidates all data in one central location. Then, you need to put a process in place to manage that data and categorize it (e.g., personally identifiable information, or PII, and non-PII).
More often than not, taking control of the data is where most companies get stuck. That’s because the traditional approaches to sharing data across the organization mean making copies of the data. Over time, this replication makes it impossible to keep track of where the data is and who has access to it. Data marts spring up all over the place, including outside of the organizations where they originate, creating a “blast radius” where the data detritus can never be fully cleaned up.
Fortunately for businesses and consumers alike, this data management problem is solvable. Recent advances in cloud computing and encryption technology have created new ways to centralize data and share it without making copies. This means it is now possible to have a “single source of truth” where everyone interacts with the exact same data and access is granted on demand.
Establish Policies that Align with Values
Taking control of your data gives you the means and visibility required to create a sound data policy framework to govern how data can, and cannot, be used.
At the highest level, it’s all about finding alignment between what is possible with the data, good for business and best for your customers. More specifically, you have to understand what types of data usage customers are comfortable with and whether that is consistent with your business model and values. Transparency is essential in this equation.
While data policies are largely company-specific, there are a few baseline questions that every policy should answer:
- Who owns the data?
- What data is appropriate to leverage for business use?
- What data can we share?
- With whom can we share data?
How you answer these questions depends entirely on your business.
Communicate It Far, Wide and Often
Policies only work insofar as they are communicated and respected, both internally and externally.
The most common method for communicating data policies, sending an email, is not enough. Our eyes tend to gloss over this type of text-heavy, complex content, so you need to be creative and persistent to make the policies stick.
At Snowflake, we communicate the same way internally that we do externally. To ensure everyone is on the same page, from employees to partners to customers, we update our security policy, customer code of conduct, and code of conduct for competitive partnerships regularly and post them online. We also collaborate online via user groups and our “Snow Lodge” community platform, and in person at company meetings, social events, and customer council meetings. No one has an office, not even our CEO, so our founders and executives are approachable and present everywhere our people interact.
The point is, policies alone aren’t enough. To put them into practice, you must communicate and distribute them far, wide, and often.
It’s All About Control
Effective data policies are all about control. The control of data on the business side, as described above, is still very much a work in progress. And there’s also control from the consumer’s standpoint. In fact, that is what GDPR and the policies modeled after it are really about. Consumers want to have control over their data, especially their PII, and the technology is now available to make it so.
Every company says they put the customer first. Implementing a data governance policy that gives your customers control of their data will prove to them that your organization truly has their best interests at heart.