Data management: turning risk into opportunity


We recently conducted a survey to understand how organizations manage data today and how they envision this evolving in a post-COVID world.

We learned that while many organizations will continue to manage their data through a risk management lens, many also expect data to be treated increasingly as a strategic driver of innovation, growth and competitive differentiation. This trend appears across multiple sectors and has become more urgent as companies pivot to digital strategies for stay-at-home customers1.

Over the course of the pandemic crisis, we have worked with clients on the difficult task of adapting their operations iteratively, re-inventing their plans and processes in lock-step with governments’ responses to the pandemic. This has included quickly migrating their workforce to “work from home”, transitioning back into a partial or tightly-managed “return to work” mode, or preparing for some hybrid interim approach in response to regional outbreaks or a “second wave”.

Working through this organizational upheaval, especially while trying to manage privacy and cybersecurity obligations, represents a unique opportunity in data governance: to transform the use and management of data assets from a mainly risk-based approach to a more balanced framework that also focuses on data as an opportunity.

The following summarizes the key findings from our data management survey results and includes some recommendations for organizations looking to seize upon these nascent opportunities.

Key findings

Current organizational focus is on risk and governance

  • Not surprisingly, organizations’ key focus is understanding data-related risks, including privacy compliance, cybersecurity and third-party related risks.
  • Most organizations have:
    • developed a data governance plan or strategy; and
    • made progress with respect to their data-related goals, with a majority of organizations noting that they are around the mid-way point.
  • Data-related responsibilities are usually cross-functionally managed across multiple business units. This multi-disciplinary group almost always includes the information security team, frequently acting in conjunction with the organization’s legal or risk groups. Other teams that play a role in data management include compliance, marketing, and data analytics.
  • In terms of the immediate future (next 1-2 years), most organizations’ approach to data will focus on:
    • adopting or increasing the use of artificial intelligence and predictive technologies;
    • identifying new uses of data; and
    • focusing on data governance as well as allocating more resources to data-based initiatives.
  • Organizations have also been leveraging their data through data analytics to identify opportunities (e.g., to improve marketing) and improve customer engagement (i.e., through improved customer experiences such as personalization) as well as for governance purposes.
  • Very few organizations have focused on commercialization of data to create new products and services. This is not surprising because: 1) there is no universal “data ownership right”; and 2) regulatory and legal regimes governing ownership rights in data are still in flux2.

Organizations worry about things that get missed

  • Data breaches are considered the biggest risk to organizations, followed by missed opportunities and privacy compliance.
  • Records management (retention and destruction) was identified as top “blind spot” followed by organizational monitoring and employee training.

Owning the future through data governance

COVID-19 has brought about a public awareness of data management that likely is here to stay. News stories, social media blasts and press conferences about “the new normal”, “flattening the curve” measures and contact tracing have become as commonplace as the weather. Through new technologies, existing and novel data, organizations that can smartly process in near real-time their response to pandemic-induced changes in customer behaviour and market forces will not only be more successful in weathering this crisis, but will also be in a better position to tackle future uncertainties.

The crisis has also forced organizations to undergo changes that previously would have been considered near impossible. In migrating their organizations to work-from-home and back again to the office, stakeholders that previously did not work together have coalesced around issues of data management that used to be overseen by a smaller group of specialists. They now have an opportunity to learn from this experience. To capture more value out of organizational data, organizations should:

  • update their data strategies to incorporate improved data governance used during the pandemic, including better use of technology to segregate, protect and retain data according to its risk rating and intended use;
  • consider leveraging organizational structures (such as committees or working groups) that were assembled in response to the COVID crisis to implement longer-term goals, such as using data governance to improve their employees’ and customers’ experiences;
  • use recent success in making rapid changes to pilot new commercial strategies that used to seem far off, such as piloting technology to anonymize data in order to enhance data analytics and third-party information sharing initiatives; and
  • analyze post-pandemic data opportunities, such as whether a migration in customer engagement to digital channels provides richer data for analysis, customer service, or product development.


1 On June 2nd, 2020 we hosted a webinar exploring privacy and data governance implications of returning to work during the COVID‑19 pandemic. Many of our guests responded to our follow-up survey in which we asked about their perspectives on data management. We are grateful for this valuable insight into how their organizations manage data today and how they envision this evolving in a post-COVID world. Sectors included: technology, financial services, private equity, life sciences, infrastructure, media and communications, and retail.

2 Although there is no general data ownership regime in Canada, several existing legal frameworks impact data ownership and control: 1) copyright and intellectual property law; 2) the law of confidential information and trade secrets; and 3) data protection and privacy. In addition to these, depending on the AI application other regulatory regimes may also affect the control of or rights to data; for example, competition and consumer protection laws as well as any sectoral specific legislation (healthcare, banking etc.).

Subscribe and stay informed

Stay in the know. Get the latest commentary, updates and insights for business from Torys.

Subscribe Now