Data Ownership in Digital Transformation: Key Insights

In digital transformation efforts, data is key. Indeed, Prophet’s 2023 State of Digital Transformation Report found that 32% of respondents identified “Procuring, storing, and managing data from multiple digital sources and making insights accessible across the company” as their first priority in their digital transformation journey. But before considering questions around data infrastructure, management, and analytics, there’s a more fundamental question to answer: who owns the data?

Don’t be misled by its simplicity — data ownership is far more complex than it first appears. Fully grasping who owns your data involves identifying and evaluating internal stakeholders; understanding the legal frameworks that your particular business operates within; and addressing access and management permissions of third-party vendors in your tech stack.

This primer will walk you through the fundamentals of data ownership in a digital transformation project, and emphasize why considering data ownership is critical for your organization and the people that it serves. For more support in your digital transformation journey, you can follow our Digital Transformation Roadmap for State and Federal Agencies, and visit our services page to learn more about how organizations across industries are tackling digital transformation.

What is the role of data ownership in digital transformation?

It’s helpful to think of data ownership as who has possession of and responsibility for information within your organization. “Possession” here doesn’t refer to where your data is physically stored — it refers to who can access, store, and use your organizations’ data. “Responsibility” refers to who is accountable for managing, storing, safeguarding and quality controlling your data.

It’s also important to consider how ownership varies across the full range of data that your organization handles daily. This includes customer data — such as personal details, forms they’ve filled out, and contact information — as well as product data, financial data (particularly in e-commerce or banking), and even operational data used to run internal systems. Today, data is generated and stored at every touchpoint, from online purchases to marketing analytics and customer interactions. This ubiquity often makes it easy to overlook that all this information needs to be properly stored, secured, maintained, and authenticated — a critical concern as organizations undergo digital transformation.

It’s also important to consider both internal and external data ownership. Internally, we recommended intentionally ascribing who has permission to access, edit and create data, as well as who is responsible for storage, security, and maintenance. Historically, this was solely the domain of IT departments — but increasingly, ownership is shared between IT and business stakeholders. If your organization has a Chief Information Officer (CIO) or Chief Data Officer (CDO), they’ll likely be ultimately responsible for data ownership.

External ownership refers to permissions and data responsibilities that lie outside of your organization. This includes any third-party solutions you use in your technology stack, such as cloud infrastructure providers, software as a service (SaaS) providers, or content management systems (CMS). Data housed by third parties also requires stewardship from within your organization, to oversee and maintain the data.

Many digital transformation projects touch on these data ownership issues by design. Whether you’re redesigning your tech stack and information architecture, or redefining roles and responsibilities, your digital transformation efforts give you the opportunity to bring your data further under your control.

As part of your transformation efforts, some key data ownership questions to consider include:

• Who owns your organization’s data?
• Who has responsibility for security, maintenance, and quality assurance, and how is responsibility assigned?
• Is there anyone within your organization who should have a stake in ownership, who is currently excluded? What access permissions and responsibilities should this role have?
• Is your data ownership policy compliant with the relevant legal frameworks?
• What rights and permissions do third-party organizations have with your data? Does this present security or compliance risks?

Legal and compliance frameworks governing data ownership

Having a clear understanding of who owns and controls your organization’s data is a vital part of ensuring compliance with federal, state and international data privacy regulations. For all businesses and institutions — but particularly those in the U.S. — there are myriad different privacy regulations to be mindful of.

These include:

• Federal laws and regulations. The U.S. doesn’t currently have one comprehensive data privacy bill. Federal agencies are subject to a number of federal laws, OMB memorandums and circulars, and Department of Commerce policies that stipulate what information can be recorded and how it should be stored.
• State laws. 20 U.S. states have signed their own data privacy laws, and a further four have bills in committee. Many of these laws grant state citizens the rights to request, amend, and withdraw their data from businesses, while also imposing increased fines for violations.
• Industry-specific laws. Healthcare providers are subject to HIPAA; there are specific regulations around storing the data of minors, as specified by COPPA and FERPA (for education records); and banks and financial institutions are subject to the guidelines around GLBA.
• International laws. 137 countries have their own data privacy laws, and 79.3% of the world’s population is covered by data privacy laws. International organizations also have their own regulations — probably the most well-known of these is GDPR, stipulating how EU citizens’ data can be gathered, stored, amended and deleted.

When your organization relies on third-party services such as cloud providers, SaaS platforms, or APIs, data often flows across borders — being created, processed, and stored in different jurisdictions. This can raise important questions around cross-border data flows and ownership, particularly if your organization handles data from multiple regions. Depending on where data is stored or processed, it may be subject to foreign government access or different legal standards. To mitigate potential legal and security risks, it’s essential to thoroughly review your third-party providers’ data policies and ensure compliance with relevant laws governing cross-border data flows.

Technologies and data ownership

Most digital transformation projects involve revamping your organization’s tech stack, often driven by the need to replace old and obsolete technologies.

When selecting the new technologies, data ownership is important not just in choosing which tools directly handle your data, but also in understanding the complexities introduced by third-party hosting providers and software vendors. When working with external providers, you devolve some of the responsibility for handling and safeguarding your data. In each instance, consider if the privacy policies and service license agreements (SLAs) align with your own data policies and legal requirements.

The role of open source in data control

Using open source software — software that allows for free distribution and modification of source code — can simplify some of the complexities of data ownership. As well as allowing you to customize such software to meet your needs, open source solutions offer several key advantages when it comes to data ownership:

• Transparency. Open source code means you can see exactly how your data is being handled.
• Security. With more people inspecting and actively contributing to the code, possible issues that could lead to data breaches are more likely to be found and addressed quickly.
• Access. Many third-party vendors offer their software via “per seat” licenses, limiting who within your organization can actually access data. Open source solutions don’t impose these restrictions.
• Hosting flexibility. With open source software, you have the freedom to choose your hosting provider, ensuring greater control over where your data is stored and how it is managed.

It’s for these reasons that the U.S. Digital Services Playbook recommends evaluating open source solutions wherever possible in your stack.

Drupal: A solution for data ownership

At Palantir, we build our solutions in Drupal: a highly adaptable and secure CMS. Over 1 million developers have contributed to Drupal, and it has a reputation for ensuring high security — which is why it’s used by governments in over 150 countries worldwide. Drupal also has modules to help with many compliance regulations, including GDPR and COPPA.

Its active contributor community means that Drupal is not just rigorously maintained and governed— new tools and features are regularly being added, including ones which limit the amount of additional third-party tools you need at your disposal. For example, we at Palantir have recently been working on EditTogether: an open source collaborative editing tool in Drupal. This tool allows you to edit, comment, and track changes exactly where you publish — but without third-party tracking, with full user access controls, and full CCPA & GDPR compatibility by default. Eliminating the need for third-party text editing software and ensuring compliance as standard lessens some of the burden of data ownership complexities.

Takeaways: Navigating complexities around who owns the data in digital transformation

As organizations’ digital presences continue to expand in scope and complexity, data ownership gets harder to manage. A digital transformation project provides the perfect platform for reassessing data ownership. Re-evaluating internal and external responsibilities and permissions, understanding compliance requirements, and leveraging open source solutions where possible provide a solid foundation for addressing complexities around data ownership.

At Palantir, we have 25 years of experience guiding organizations through digital transformation journeys — and delivering secure, streamlined solutions that are resilient to the ever-changing fields of legal compliance and technological advancement. Get in touch today to learn how we can help your organization transform.