Today’s consumers are wising up about online privacy—but many of the enterprises handling consumer data are struggling to balance these new demands with their own data science and analytics needs, particularly as they migrate systems to the cloud.
That’s one of the takeaways from a recent survey of 100 Fortune 500 executives about cloud, data security and access control. In the survey, released earlier this month, 58% of executives said their businesses experienced conflict between data science and analytics teams requesting data access, and the need to balance customers’ privacy and security.
In addition, 70% of the respondents reported that cloud migration and analytics—actually leveraging data to meet business goals and better serve customers—was made “more complex” due to complying with privacy regulations. That’s significant, considering that many companies are now running operations on multiple clouds, leading to a higher risk of data being siloed, and therefore more difficult to access and analyze. The survey was conducted in the first quarter of 2021 by Privacera*, a data-governance company.
Indeed, the push-and-pull over data and privacy is playing out in numerous arenas, from courts to boardrooms and the press—a phenomenon that is shaping our investment thesis around data and data management in multiple ways.
On the one hand, companies focusing on warehousing, moving and leveraging data are booming: Just witness the IPO of data giant Snowflake last year, which is now worth $58 billion, according to CapIQ data. On the other hand, companies like Facebook, which use detailed data to target advertisements and other content to their users, have come under intense scrutiny for selling user data. Many users also deserted Facebook-owned messaging service WhatsApp earlier this year after WhatsApp changed its privacy policies to allow the app to share more user data with businesses. (One beneficiary was competing, private messaging app Signal, which passed the 100-million installation milestone in late March.)
Meanwhile, regulators, particularly in Europe but also in the U.S. and elsewhere, are passing more-stringent privacy laws to protect consumers. Europe’s GDPR regulations forced many companies to spend millions on stepped-up compliance and spawned an entire new market in GDPR compliance software. In 2018, California enacted the California Consumer Privacy Act, which helped people prevent the sale of some of their personal data. Canada is reviewing its national policy act, and even Brazil has enacted new data-privacy legislation.
So how can companies cope? Clearly, protecting data privacy is not optional; it’s also the right thing to do. But with data now such a core currency in just about every industry—enabling players in finance, healthcare, retail and even manufacturing to operate more efficiently and better serve customers—companies need to find better ways to balance these sometimes-conflicting interests. We see a few key lessons here.
1. Enterprises need better tools to support privacy. Regardless of who’s pushing the buttons, teams inside enterprises must implement controls to ensure consistent, scalable data security without inundating IT teams with unmanageable workloads and untenable processes. In the Privacera survey, only 17% of respondents said they had “fine-grained access control” and “row filtering” for data security that did not impede data science and analytics. Translation: Only a small percentage of respondents felt they continued to have robust analytics after applying measures to protect their data in light of business needs and regulations. Compliance and analytics have been a trade-off in the past, and they shouldn’t have to be going forward.
The cost of not implementing more-sophisticated technology can be high. If a data scientist is forced to wait one week for an IT team to process a data-access request, for example, that’s one week of lost productivity—and also represents a significant monetary loss. A single data scientist with specific subject-matter expertise can command an average annual salary of $200K. Left idle for a week, that data scientist costs the organization $4,000 in salary, never mind the loss of the business insights the organization was seeking to drive its business forward.
2. Companies should internally involve all relevant stakeholders and establish clear ownership over data issues. While complying with regulation may feel like a chief compliance officer’s responsibility, it is the IT and security teams that are burdened with the workload of making privacy a practical reality. At the same time, chief data officers are tasked with delivering the critical insights for the next “aha insight,” work that cannot be impaired by delays from waiting for IT teams to secure and control data access.
Privacy initiatives must be consistently applied across an enterprise and thus encompass a wider set of stakeholders than a typical data security tool. Creating consensus across multiple parties is more difficult due to the natural conflict between analytics teams requiring access to data, and security teams mandated to lock down data access. Per the Privacera survey, 58% of Fortune 500 organizations report conflict between data scientists and data security and compliance teams due to access restrictions–so it’s critical that all relevant stakeholders are involved in the decision-making to purchase new tools.
3. Now is the time to develop a privacy strategy. It’s well understood that the modern enterprise is undergoing a transition to hosting data in the cloud from being on-premise. But with the cloud comes increased infrastructure complexity. This leads, in many cases, to massive data sprawl and inevitably creates a fractured approach to privacy, as the data-security options for each cloud provider are uniquely configured and managed. The survey found that 70% of respondents believe migration to hybrid, multi-cloud environments will force companies to invest more money in automated tools to ensure data governance and control within the next one to three years. The strategy for how to approach these privacy and regulatory requirements begins well ahead of tools selection–so it’s critical to start thinking today.
Battery Ventures provides investment advisory services solely to privately offered funds. Battery Ventures neither solicits nor makes its services available to the public or other advisory clients. For more information about Battery Ventures’ potential financing capabilities for prospective portfolio companies, please refer to our website.
*Denotes a past or present Battery portfolio company. For a full list of all Battery investments, please click here. No assumptions should be made that any investments identified above were or will be profitable. It should not be assumed that recommendations in the future will be profitable or equal the performance of the companies identified above.
Content obtained from third-party sources, although believed to be reliable, has not been independently verified as to its accuracy or completeness and cannot be guaranteed. Battery Ventures has no obligation to update, modify or amend the content of this post nor notify its readers in the event that any information, opinion, projection, forecast or estimate included, changes or subsequently becomes inaccurate.