Adventures in Data (Mis)Management
Does your role involve data?
It doesn’t matter what you do, the answer is yes. Whether you are a senior leader depending on analysis; someone whose role involves conducting analysis or a data professional, you will find an anecdote here that reflects your experience with information.
I’ve gathered 7 1/2 quick tips based on my decades working in the field.
Don’t accept data beyond the legal scope of use.
Cloud storage makes hanging onto data you don’t have a current use case for relatively inexpensive. You still need to understand what is being sent and whether you are allowed to receive it. It is often easier for small vendors and companies to transmit files that contain more data than they are asked for. They simply don’t have the resources, e.g. time and money, to tailor delivery.
Just because they are sending it, doesn’t mean your organization should be compromised by collecting it. You accept the risk of gathering and storing unknown data on your servers. I recall sitting in a review meeting, watching as a source file was explored and it contained SINs! Not a list of personal transgressions, actual Social Insurance Numbers of Canadians. Neatly compiled next to their complete addresses. Holding onto this data would be a violation of several PIPEDA regulations. For the record, I’ve never witnessed a person attempt to shut down screen sharing faster than I did that day.
Takeaway: Know what data is being collected. It is okay to store data that you have no current use case for, but you do need to ensure there is a legal business case for doing so.
Don’t continue to invest more in analysis without increasing your investment in data governance, management & operationalization.
Unless your goal is to pay analysts to clean data manually, which is a weird take that many organizations seem to follow. Beyond lowering the overall costs associated with your data, and increasing the monetization of information, solid backend data processes mean your organization can easily accommodate any external (see legislated) data requests. These requests include a customer’s right to be forgotten, the right to see all data you have on them or to quickly quarantine compromised data from the enterprise. Related to the prior point, your organization also won’t be caught off guard storing data it shouldn’t have.
Takeaway: Spending more on new analysts won’t get you the ROI you’re hoping for without subsequent investment in data processes.
Don’t exclude an enterprise review of data use from business continuity planning.
Business continuity is a forward-looking plan which assesses risk and determines the stability and ability of an organization to continue operating in the face of disruption. It is often confused with Disaster Recovery, which is specific to maintaining vital infrastructure. The ‘disaster’ could be weather-related (tornadoes, floods earthquakes); people-related (the sudden large-scale shift to offsite work at the start of the pandemic) or other events out of the control of the organization. I’ve seen data treated as solely the domain of IT/Finance in these planning sessions, omitting the data required by each department to simply keep the lights on. Most organizations will have automatic data backups in place, so they don’t lose any or very little valuable information. Backing up data isn’t the same as ensuring access to data.
How long can you go without access? With access to a set amount of information, how long can your work continue? Assuming you know precisely which data is valuable and which data isn’t across an entire organization is impossible without engaging representatives of each department/team. Don’t forget your vendors. Can you ensure payroll is processed if the data spigot is shut off? How would you monitor SLAs (service level agreements) during prolonged disruption? Do you have data vendors? What plans do we have in place?
Takeaway: If you are leading a team that depends on data (or access to data) to keep the lights on, ask questions about your organization’s BC/DR plans and how your team’s operations are protected.
Don’t avoid implementing security measures to permit downloading of movies/tv shows.
Sounds too ridiculous to be true, but it is. Despite pushback from highly competent IT team members, not only did this happen, an entirely predictable successful ransomware attack took advantage of this security gap. More on that very expensive misadventure another day as it involves many overlapping failures.
Takeaway: The person responsible for your organization’s digital security needs to put the safety company/employees/customers first and listen to the expertise of their own team leaders.
Don’t legitimize shadow data.
Shadow data is sourced from unapproved enterprise sources. Shadow data has its uses, don’t get me wrong. The entire process of environmental scanning requires the exploration of alternative information, however, it is not leveraged for actual business reporting until the source has been vetted. I’ve seen the heads of departments present their analytics to the CEO with entirely conflicting results. Their analysts were competent, so I knew it wasn’t a mistake in the calculation. It was the introduction of unvetted data. The problem is two-fold. First, the data source (and information itself) needs to hold up to scrutiny. Is it accurate? Is it aggregated or can you break it down? Is it a reputable source? Secondly, if the data hasn’t run through your organization’s enterprise processes, business rules have not been applied to ensure your analysts are comparing apples to apples.
Takeaway: Shadow data is fine to explore in a sandbox, but data doesn’t belong in your business reporting.
Don’t grant data access without a review process.
If your role includes analyzing organizational data and providing insight, you should be able to explain the business model of your company. How can you advise, based on interpreting the data, without understanding how your organization works? How the information flows? How information is defined? At one organization, to teach new hires how to use our business intelligence system, I developed documentation and a visual representation of the corporate business model. (My version was improved upon over the years and adopted throughout the company.) I designed three different ‘Here’s Our Biz 101’ classes depending on the role of the new employees. The review process also serves to ensure each user has access to what they need, no more no less.
Takeaway: Create a review for all employees accessing data to guarantee they understand your business model and business rules applied to your data.
Don’t avoid security testing and multi-factor authentication (MFA).
Even if it frustrates employees. Scratch that, especially if it frustrates employees and senior leaders. Cracking your data security is as easy as your organization’s weakest link. Not everyone is digitally savvy. Based on the sheer volume of otherwise super-smart people I’ve seen hit ‘reply all’ on emails over the years, or include incredibly private information in a mass email, the need for constant security testing (fake phishing emails) and MFA for system access has not diminished.
Takeaway: Corporate data access shouldn’t be frictionless.
Bonus: If you are able to choose who you work for, avoid working for a company that considers data privacy and data misuse fines the cost of doing business. Those organizations do not care how they treat the people they make money off. Imagine how little regard they have for the people who cost them money through salaries.
Enjoyed this story? Support my writing here, or subscribe below to receive these stories directly in your inbox.
