Offense, not defense: As data regulation evolves, organizations should get on the front foot

Fast Company

13-05-2025

Few, if any, leaders would dispute the importance of data to their organization's success. In fact, a robust and effective data strategy has become central to everything from improving customer experiences and retaining top talent to unlocking the full potential of technologies like artificial intelligence (AI).
Yet, as the use of data has exploded, so too has the regulatory landscape surrounding it. Since the arrival of GDPR (General Data Protection Regulation) in Europe and the CCPA (California Consumer Privacy Act) in California, we've seen a raft of new legislation passed at state, sector, and federal levels that makes the risks of noncompliance increasingly severe.
Likewise, nobody's slowing down in the hacking game. If anything, cybercriminals are becoming more aware of the value of consumers' personal information and, therefore, more relentless and sophisticated in their attempts to illegally obtain it.
For organizations, the result is a tightrope walk. On the one hand, they have to continually (and rapidly) innovate their data strategy to keep up with advancing technology and meet the product and service expectations of customers. Yet at the same time, they must be seen to be doing everything possible to protect stakeholders' personal information and comply with an ever more complex regulatory landscape.
This balancing act is supercharged in the most high-stakes and heavily regulated sectors, like health care and financial services. But it should also be a priority for organizations in other, less scrutinized industries. After all, even a retailer's loyalty program can house all kinds of sensitive details around buying patterns, family members, memorable dates, and personal preferences—information bad actors may use to target customers in other areas of their life.
PERSONAL PERSONALIZATION?
Not that consumers are saying 'no' to surveillance capitalism completely. If you travel a lot to New York and get an offer for great hotels in the city at low prices, that's probably the kind of deal you want to see. But any lack of transparency or hint of overstepping in how their information is captured, shared, or deployed will quickly evaporate trust and ultimately result in people opting out of it for good.
To complicate matters, personalization itself is personal. What one person is OK with from a targeted marketing perspective might be too intrusive or frequent for someone else, and vice versa.
Any data strategy must therefore be based on a carefully weighed decision about the value it could drive for the organization versus the value it could lose by crossing over a consumer's (or regulator's) perceived line of usage.
THE TOOLS OF SUCCESS
So, how do leaders get the tightrope walk right?
The first step is understanding the data privacy rules and regulations that exist in their jurisdictions, be that geographic or by sector. With legislation constantly evolving, this requires consistent monitoring, usually by CISOs and CDOs, to ensure the organization's practices don't contravene the rules.
Awareness of what data is being held has also become table stakes. To retain their stakeholders' trust, organizations must demonstrate in-depth knowledge of how, when, and where that information is captured and managed, including a fine-grain understanding of lineage and provenance.
The sheer volume of that information is also increasing significantly. As AI enables the creation of more data from more sources, it's important to consider how to manage those insights with the appropriate level of transparency and control.
Here, dynamic data tagging provides a potential solution. It lets firms mark and manage the purpose of data across various analytics platforms, making it easier to distinguish between appropriate and inappropriate use based on context while helping mitigate the risk of reidentification among multiple downstream uses.
Similarly, synthetic data, which mimics real data without using actual personal information, is becoming a valuable tool in any organization's arsenal. By eliminating the risk of exposure, synthetic data helps address privacy and anonymization concerns while supporting the development and testing of new AI models.
INVEST FOR TOMORROW, TODAY
Above all, organizations should adopt an offensive approach to data governance, not a defensive one. That means rather than being driven by the need to address legal and/or compliance issues, leaders should focus on value (i.e., how to use the right data to deliver the right outcomes at the right time).
Policymakers at the state and federal levels can play a supportive role here, too. Right now, privacy laws and data legislation often lag technological advancements, which, in turn, stifles innovation, particularly in highly regulated industries. More open conversation between regulators and business leaders would help better balance progress and governance while promoting a greater tolerance for risk in areas where harm is unlikely.
Adopting this offensive approach will take more firepower, both in terms of the capital resources organizations devote to data management and the types of roles and skills they recruit for and develop within their workforce. Getting on the front foot may seem like a significant investment now, but the rewards it delivers for marketing effectiveness, customer engagement, security, and regulatory compliance in the future will be worth it.