BI use require compliance, privacy checks

Enterprises today are harnessing the power that data mining and advanced analytics could potentially bring to their organizations, but they will need to exercise great caution when mining data and using the information to their advantage, say industry watchers.

This is because the issue of privacy continues to be a subject of great scrutiny in today's increasingly connected world, said Teh Lip Guan, executive director of PwC Advisory Services. One of the common pitfalls among businesses which mine the data is that they are not able to keep abreast of the many changes to the global regulation landscape.

"The International Organization for Standardization's (ISO) and Asia-Pacific Economic Cooperation's (APEC) efforts in developing a harmonized Privacy Standard and Privacy Framework, respectively, will likely take some time to complete," he said.

Managing overlapping regulatory regimes
As an extension to the challenge of a constantly evolving privacy landscape, Teh said the establishment of an internal informed source ensure compliance, particularly when overlapping legislations are in place, is also likely to be a challenge.

For example, the PwC director noted that when processing credit card transactions of healthcare institutions, both the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA) standards apply. The PCI-DSS standard aims to protect the customer sensitive information such as the name, card number and card verification value (CVV) in transmission and also in storage, while the HIPAA aims to protect patient information such as eligibility to a health plan and premium payments.

"The common intent here is the preservation of the privacy of the data subject," he said. He added that an organization's control may involve multiple departments, and changes would need to be made to the respective processes to ensure that they work.

The challenge of keeping up with regulatory compliance standards was also highlighted by Amran Hassan, senior executive at Accenture Malaysia.

He said an increasing number of countries have enacted stringent privacy and data protection laws and the growing complexity of regulations leaves business intelligence and analytics firms subject to prosecution, fines, reputational damage, and individual legal actions for non-compliance.

"Companies need to invest time and resources to understand the privacy and data protection acts of the geographies where they operate," he said.

Additionally, Hassan said companies need to invest in developing comprehensive data privacy compliance and management programs. These include policies, procedures, oversight, and monitoring all aimed at creating awareness among employees to adhere to data protection principles.

Getting users' assent
The Accenture executive also noted that the analytics industry needs to ensure adherence to regulatory environments as many vendors use in-house technology that does not provide the right tools to authenticate, authorize, and account for customers' personal data.

"These companies need to start defining the blueprints which will enable them to comply with the changing regulatory environment," Hassan said.

Besides this, he said with companies embracing social media and online networks to interact with their customers, the lines are starting to blur between corporate and public data due to the usage of these channels.

As such, companies need to ensure that as they reach out to customers directly to extract data for analytics purposes, they adhere to data protection regulations and remain sensitive to public concerns and perceptions.

Sarabjeet Singh, director of professional services at SAS Malaysia, noted that as an analytics vendor, one of SAS' core expertises is to help its clients mine information from their customers' bases."Questions such as 'How best to service the customers?' or "How to grow the customer base and income from the customers?' are often asked," he said.

The company believes that, fundamentally, the kind of data that can be mined is unbounded by law as long as it is maintained and processed under the regulations of governing agencies, Singh added.

Shyam Prasad Baddepudi L., head of business analytics & technology at SAP Southeast Asia, agreed. He told ZDNet Asia that SAP works with many large retail, healthcare, and utility customers, which record the transaction and personal data for billing and other business purposes.

"[It's fine] as long as they state the usage policy and get the [customers'] consent to mine the data for better understanding of customers," he said. "These clients comply with the privacy laws in their [respective] jurisdictions they operate in [so as] to protect their corporation's reputation and brand image."

Educating consumers about BI
Hassan also suggested that BI and analytics providers should be prepared to explain the value they provide and demystify their technology to an at-times skeptical public.

"BI and analytics can provide tremendous value to consumers and businesses alike, but companies often overlook the need to make this case to a public who can find analytics technology difficult to comprehend and may make incorrect assumptions about how it is being used."

By providing appropriate transparency and public education in this area, vendors can help to prevent the emergence of reactive new laws based on fears about how BI technology is being used, he added.

Edwin Yapp is a freelance IT writer based in Malaysia.