How to Classify Risk of Web-Analytics Data and Assign Responsibilities in Your Organization

Data is the new oil, to steal the legendary Ann Winbland’s quote. Treated as an economic asset, it can, and does indeed, get monetized, and while we’re observing a heated debate around data ownership, the practice of sharing information with third parties is also becoming common. As information ecosystems are getting more complex and you need to implement proper risk classification system, how can you be sure your company is fulfilling all of its data-related obligations? What methods can help you assign such responsibilities?

Sharing information has become a daily practice for many companies relying on external resources for data collection, processing, or analysis. Third-party agents either help enrich that data or are an essential part of a property transfer; in the latter, they become co-owners of the data. As we explain in our whitepaper, businesses acquire data through a trust relationship with subjects who, in exchange, expect responsible usage. Thus, it is correct to say the real price for information disclosed to companies is certain responsibilities they have to incorporate into their data-management processes.

The scope of obligations for companies will depend upon the type of data they collect, process, and share. Such liabilities then influence which departments should get involved over the course of the data-risk assessment. A popular example of a responsibility-assignment method comes in the RACI model, which stands for Responsible, Accountable, Consulted, and Informed:

Another method useful in certain contexts, especially for the privacy aspects of data uses, is Privacy Impact Assessment (PIA). It typically consists of workflow-based questionnaires used by companies to identify and contain risks from the beginning. However, it’s important to mention that PIA efficiency can be under threat when terms and conditions of digital tools change or relevant legal frameworks lose validity, just to recall the Safe Harbor renouncement in autumn 2015. This implies a responsibility to monitor the contractual side of digital tools — an obligation that usually resides between procurement and legal counsel.

Fluid privacy regulations, changing terms and conditions, excessive power of counsel, and misunderstanding of legislation may indeed cause some companies to come to an analytical halt. On the other hand, certain organizations are also playing with fire by ignoring legal warnings, mainly in the mobile arena.

Therefore, assuming analytics and other elements of your digital setup should be seen as fluid, responsibility could be divided into three main areas linking to the RACI model we mentioned above. Relating this to customer relationship, data-risk classification could be seen as follows:

Or in other words, the above classification looks something like:

1. Green: An individual comes to a digital property and leaves a data trail.
2. Orange: A company wants to take a look at which individuals come back and what their technical environment is like; e.g. using cookies.
3. Red: A company wants to stitch digital touch-points together — one view of the customer, where the individual is recognized through probabilistic data-matching techniques and/or data is swapped with another legal entity for cookie-syncing, for example.

Data-Privacy Expert Advice: Aurelie Pols of Mind Your Privacy

“The trick is to understand when Green, Orange, and Red protocols are best applied to optimize data-privacy management. Remember, context remains of essence to assure privacy rights are respected.”

For a full discussion of risk classification according to the above color codes, please read our latest whitepaper.