Data ownership is a complicated topic, much more complicated than most might think. We often talk about data security in possessive terms of “my sensitive data”, “my health information” or “my Personal Identifiable Information (PII)”, but what does ownership of that data actually mean? There are likely countless copies of that data in many locations, ranging from your doctor's office and bank to your gym membership.
Do you own every copy, or does the organization hosting the data own it? For that matter, do you even know where all “your” data is? Who really owns data, where it is stored, and who has the right to access it is far from straightforward.
Handling employee and customer data requires security executives to understand what data is being stored, how it is being used, and who has access to it. More than ever, organizations must demonstrate proper data handling in order to stay compliant with an increasing number of security regulations.
Data ownership can be tricky
A KMPG survey found that 87 percent of Americans believe that data privacy is a human right and 54 percent don’t trust companies to use personal data in an ethical way, but as mentioned, data ownership is far from straightforward. For example, I use a Garmin watch to track my exercise goals daily. When I see my personal information on my Garmin application, who owns that data? The watch shows how far I’ve walked, how many steps I’ve taken, my heart rate, and more. One might conclude that this data is mine since it is about me. However, would I have that data if I wasn’t using the Garmin watch? Garmin is doing the monitoring and measuring, counting my distance, speed, and location, so do they have an argument to say it is their technology enabling the collection of data, and the data would not exist without their product? Can they claim it is actually their data?
Do I own the data on my smartwatch?
Let’s take the example further. I run the Garmin app on my IoS smartphone. Does Apple then have a claim to the data? After all, without their operating system, I would not be able to visualize the information. What seemed like an easy data ownership question now has lots of possibilities. So how do we define data ownership in a way that satisfies all parties?
Avoid the contentious concept of ownership, and focus on data rights instead. When we think about how we want data to be used, rather than who owns it, it becomes easier to set parameters around different use cases. Following our earlier example, an individual should have domain over their own personally identifiable information (PII) but Garmin should have the right to use the information generated by their proprietary technology. Garmin might want to aggregate user information for product development purposes or Apple may use underlying application usage information for their business trends. There are many use cases where all parties benefit from a collaborative approach to sharing information.
Rather than trying to define data ownership, we need the appropriate guardrails set around each individual’s right of use. By doing so, we avoid the more emotive issue of thinking of data as property and instead focus on how the data is used and by whom. This is primarily how data privacy laws and regulations think about data, making it clear that data custodians must set clear rules for how they will use a customer's data. When companies violate these data rights they can fall foul of legislation. One recent data rights example is where Meta is being sued by the State of Texas. Texas claims the company collected facial recognition data without customer consent, shared it with third parties, and did not destroy the information in a timely manner — all in violation of state law.
Integrated risk management tools you can leverage to track data
Many organizations leverage integrated risk management solutions, such as the Ostendio MyVCM platform to manage their data security programs. These solutions enable organizations to know what data they have, where it is located, and who has access to it, thereby streamlining the task of these data security rights rules. With these solutions, organizations can track data and operate in line with various regulations and standards and be confident in their ability to manage and handle data appropriately.