Skip to content

Mitigating risk in the age of big data

  • Over 87 per cent of company value today is now in intangible assets.
  • Less than 0.5 per cent of data is actually ever analysed and used.
  • In unlocking the value of big data there are some significant technical, legal and reputational risks and challenges to navigate.

It’s been said that in a digital century, ‘data is the new gold’ and there is no question that data, correctly leveraged, can deliver huge benefits. Over 87 per cent of company value today is now in intangible assets, and data together with brand, software code and confidential information are critical to everyday business.

Customer lists; inventory management systems; purchasing information — all data. In fact many of a company’s most basic functions from invoicing to advertising would grind to a halt without data.

Data analytics promises efficient supply chains, better product design and individualised marketing to name but a few opportunities. For example it has been estimated that each Fortune 1000 company could on average generate an additional $65 million annual net income through a ten per cent increase in data accessibility to its workforce. Whole business models have sprung up around selling data — check out for example.

In other cases the value of the company is the data. For example, in a recently completed a sell-side mandate for a 30 year old financial services company. The owners had originally been advised the company would sell for no more than four times EBTIDA. After analysing the business we realised that the company’s most valuable asset was not even on the balance sheet — it was the 30 years of data it had collected. So instead of targeting people who wanted to buy the operating business we targeted people who wanted the data — a completely different set of buyers with much bigger cheque books. The result: the business sold for 32 times EBITDA.

This is not an isolated incident: in 2013 when Caesar’s Palace went into bankruptcy the data (again not on the balance sheet) was conservatively valued at US$1 billion, making it the single most valuable asset in the entire company. When online retailer Kogan’s bought the failed Dick Smith’s customer database and brand there was commentary to the effect that Kogan made 15 times their money in under three months.

It’s unsurprising then that many c-suites and boards have begun to ask ‘we’ve collected all this data — what are we doing with it? What could we do with it? Can we sell it? Are we sitting on a gold mine?’

However, before you reach for the shovel to stake your gold rush claim there are some significant issues to be aware of. These divide into three groups:

  1. technical (what can and can’t be done from a technical perspective)
  2. reputational (the brand impact of using data in ways that customers may not expect)
  3. legal (what can and cannot be done legally).

Technical challenges

The inconvenient truth that less than 0.5 per cent of data is actually ever analysed and used. As Todd Park, ex CTO for President Obama points out ‘data by itself is useless. Data is only useful if you apply it’. A key driver here is that frequently data is collected, but not in a useful form. Sometimes the data is in deep silos that make integration impossible or prohibitively expensive; other times small but persistent inaccuracies can render data sets effectively useless. For example, 75 per cent of businesses think that the customer contact information they hold is incorrect.

On other occasions the problem is that expected insights just aren’t there. Data Scientist, Maksim Tsvetovat states ‘there has to be a discernible signal in the noise that you can detect and sometimes there just isn’t one’. Sometimes the problem is not the absence of a signal but the absence of people who can interpret it — CapGemini found that 37 per cent of companies have trouble finding skilled data analysists to make use of their data.

Perhaps the most significant technical challenge is ‘recency bias’, a cognitive bias that gives greater weight to more recent events. Given that 90 per cent of the world’s data was created in the last few years this is a serious problem because new data tends to unquestioningly replace older data even when they are equivalent or older data is superior.

Reputational damage

Businesses face significant reputational damage if customers (consumer or business) discover that their information is being used in ways they never anticipated or approved. In the rush to exploit data, the potential benefits need to be carefully weighed against risks to the broader customer relationship.

Take the relatively new $24 billion industry for selling data. Many telco’s facing diminishing subscriber growth are looking to exploit the tremendously rich stream of data they receive as their customers surf, text and call throughout their daily lives. Similar initiatives are being driven by other major data accumulators such as banks, utilities and insurance companies.

There are very significant reputational risks here: not the least of which are whether customers have actually given their consent to these kind of practices. With the advent of social medical brand velocity (the speed at which brands are built and destroyed) has increased dramatically in the last decade. It takes only small but highly publicised mistakes to do significant brand damage: witness when Target’s big data practices sent coupons for pregnancy related products to a teenage girl who had not yet told her parents about the impending arrival.

It’s unsurprising that many c-suites and boards have begun to ask ‘we’ve collected all this data — what are we doing with it? What could we do with it? Can we sell it? Are we sitting on a gold mine?

Legal risks

There are also some potential legal risks involved when trying to unlock the value of big data.

Under both Australian privacy law (the Privacy Act 1988) and New Zealand privacy law (the Privacy Act 1993), there are restrictions on the use of ‘personal information’ which means any information about an identifiable individual.

For ease of analysis, most commercial data can be divided into one of four types:

  1. ‘meta data’ — data about your data
  2. ‘B2B data’ — data about individual businesses which are your clients, suppliers or contractors
  3. ‘anonymised B2C data’ — data about individual consumers, but for which identifiers such as address, date of birth or name have been removed
  4. ‘personal information’— data about individual consumers which has not been anonymised.

What you can (and can’t) legally do with ‘your’ data is heavily dependent on the type of data you hold and how you came to have it.

Among other things, the Australian Privacy Act governs how information can be collected, used, stored and disclosed. The information:

  • must only be kept as long as it may lawfully be used
  • a company is restricted to using data for the purposes to which the individual consented, and
  • must be satisfied as to its accuracy before using it.

The good news is that under current law, these restrictions only apply to the fourth type of data (personal information), not metadata or B2B data. Both types of data can be highly valuable (as the case studies above high light) and despite typically being absent from company balance sheets they should be regarded as potentially important assets. Efforts should be made by Boards and Management to determine if such data is valuable and how that value could be unlocked.

However on the downside the fact metadata and B2B data fall outside privacy regulations does not however mean companies are free from risk.

Anonymised data: Not so anonymous?

Anonymised B2C data, lives in a somewhat grey middle zone and presents unique challenges. First, at a purely practical level anonymised data may be of little use to many types of businesses, just how useful is a customer list without any contact details?

Secondly ‘anonymisation’ isn’t a get out of jail free card. For example, car-driving data is being continuously collected by many devices to our cars. In a study completed last year, just 15 minutes of driving data was sufficient to create a driving ‘fingerprint’ able to identify an individual driver out of 15 drivers, with 100 per cent accuracy. Fifteen minutes of the brake pedal data alone gave a 90 per cent identification rate.

Mandatory reporting of data breaches

In Australia, a further area where companies face significant legal risk are mandatory data breach notifications. Companies and government agencies that determine they have been breached or have lost data will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of a breach. Failure to do so comes with stiff penalties.

When Target was hacked in 2013 and the personal information of 100 million customers was compromised it was estimated not only did the retail giant sales drop three to four per cent but it suffered an estimated $1 billion in fines and other related expenses.

The take-outs

Most companies are likely already sitting on valuable data sets (as well as other important intangible assets). Often these assets will be off balance sheet, under-utilised and under-valued. Conventional reporting and analysis will often fail to identify significant opportunities. Management and boards have a legal obligation to generate a return on all assets, including data assets. There are very significant opportunities to unlock value and drive increased performance from such assets.

However there are also very significant technical, legal and reputational risks and challenges to navigate. These issues require specialised business-centric expertise that measures the potential benefits against these risks: just because something is technically ‘viable’ or is legally ‘acceptable’ does not mean it is the right business thing to do.

So the data gold rush is on but it seems that simply buying a shovel to dig up those data nuggets is not quite as simple as it seems.

Paul Adams can be contacted via email at or via

Material published in Governance Directions is copyright and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.

New bill to ground illegal phoenixing

Next article