Arrow Icon
blog header pale blue image blog header abstract shape

Heart of Advice

Insights and best practices for successful financial planning engagement

left arrow Back to All Articles

Chief Data Officers, Data Strategy and Risk Mitigation: A Cross-functional Solution

Sarah Miller September 20, 2021

financial data privacy

The Chief Data Officer Evolution

The nature of data inside companies has changed dramatically over the last 10 years. In response, the corporate C-suite created the role of the Chief Data Officer in an attempt to centralize data oversight and make the use of data more strategic.

In fact, 65 percent of companies have a CDO today compared to 12 percent in 2002.1 But the function of the role across organizations is inconsistent and as a result, CDOs tend to have short tenures. One person, usually a new hire, is expected to strategize and manage the implementation and execution of all cultural, technical, and governance components of data.

Executives are looking for an easy solution to a very complex problem by assigning all things data to a CDO. But as most companies are completely data-driven, with the data being the product, the analytics, the technology, and the risk, is it realistic for one person or office to manage all these use cases?

The CDO role was originally created as a response to data risk, and, in most organizations, data governance is still seen as a function of the CDO role. But, in a pendulum shift away from attorneys who specialize in risk mitigation toward data architects who provide product-driven results, organizations are looking at the data architect CDOs to manage legal repercussions of data use in addition to all the other functions.

A Data Strategy Without Risk Mitigation

The problem with this model is that the legal risk of data use is growing exponentially. If companies do not prioritize risk mitigation and appropriately embed it in the data strategy at its inception, they must allocate more resources to fix issues retroactively, potentially delaying or cancelling product roll-outs, and introducing unwanted and unnecessary liability.

Deprioritizing legal and risk factors in an increasingly unpredictable and evolving environment is likely to initiate a domino effect of unforeseen results.

By the nature of their background, most CDOs are not comprehensively trained to fully understand the legal risks or appropriately prioritize risk mitigation relative to all their other objectives.

When CDOs do prioritize risk, they will most likely focus on data breach protection since it is the most significant threat from a cost and reputational perspective. But the CDO and information security team can’t be expected to understand or manage the legal consequences of a breach completely.

Appropriate security incident analysis and response requires a proactive and cross-functionally engaged legal team to specifically apply the product functionality to the applicable regulations, contracts, and other legal considerations.

Legal Problems in the Data World

Attorneys cannot be as proactive and effective if they are brought in exclusively as a consultant after a strategy has been defined or, as is often the case with outside counsel, looking only from a regulatory perspective. They must understand the intricacies of the business to avoid a one size fits all approach.

Businesses have more data-related legal implications than data breaches alone. The other legal consequences of data use, such as regulations, contractual terms and conditions, and legal implications of product use, are on the rise.

Data is quickly becoming more and more regulated. New privacy regulations that focus on data use, transparency, and consumer consent must be incorporated into all elements of the product workflow. Privacy by design requirements compel businesses to include privacy considerations at every level, including architecture and other areas of technology.

Beyond Regulated Data Use

Legal obligations don’t stop with regulations. There are many contractual terms and conditions that must also be considered.

For example, outdated client agreements often contain confidentiality terms (that were historically applied only to trade secrets and financial terms) that add significant liability to an already risk-heavy environment simply because new technology was not contemplated. Many of these agreements include client data in the definition of confidential information, dramatically increasing liability despite a company’s compliance with security practices and protocols if they are maliciously hacked.

If left as is, contractual client restrictions can also limit new product advancements such as data redistribution or cloud storage because those use cases didn’t exist when the contract was drafted.

But the reason for the omission is irrelevant. The contractual risk of client agreements should be mitigated through thoughtful legal data strategy including updated templates, amendments, terms of use, and product evaluations. The same analysis must occur with agreements that formalize relationships with data suppliers.

Data Use As Applied to Financial Services

In finance, market data suppliers (who supply data related to a trade such as EOD price, security description, and CUSIP), who used to generate most of their revenue from trade execution, have also redefined the industry in the last decade creating additional legal consequences.

As trade revenue dissipated, market data suppliers identified and replaced trade revenue with licensing fees. For individual firms, market data prices increased anywhere from 967 to 2,916 percent or more, just to get the same data in 2018 they were getting in 2010.

The costs are rising in part because data that was once freely used within an enterprise is now narrowly, contractually scrutinized at a product level. Old agreements are typically silent on newer use cases such as API redistribution because the technology wasn’t developed at the time the contract was drafted.

The silence is usually interpreted as a limitation on a permitted use. As a result, organizations that redistribute licensed data are responsible for ensuring data recipients have the appropriate rights or could face additional liability just by sending data to a third party as directed by a consumer.

Data that is misused pursuant to supplier agreements can lead to contractual breaches, expensive lawsuits, or audits.

Consumer data is also changing in terms of how it is collected, thereby imposing additional legal requirements on data aggregators. Historically screen scraping was the standard, but today, proposed regulations and heightened security and privacy principles are driving formal agreements between data aggregators and financial institutions with consumer accounts.

Many of these agreements impose significant operational requirements including pass-through terms, notification requirements, and vendor and security obligations that must be understood, implemented, and operationally maintained throughout the organization.

Incorporating Legal Data Strategy into Business Data Strategy

All these legal considerations (and many more) should be contemplated in a cohesive data strategy. For those who aren’t subject matter experts, it can be difficult to adequately integrate the complex nature of the legal data strategy into an already over-complicated environment.

It is just as dangerous for CDOs to have sole responsibility for data governance as it is for the legal team to own it in a silo. One individual or business function cannot be expected to be accountable for the data strategy in its entirety.

A critical foundation of a sound data strategy is cross-functional input by technology, product, and analytics professionals, as well as the incorporation of a thorough legal data strategy as represented by data and privacy attorneys, and enterprise risk and compliance professionals.

A thoughtful legal data strategy should incorporate regulatory analysis, contractual risk mitigation, product use reviews, and ensure compliance in a coordinated effort with other business units and strategic representatives.

Every executive, not just a CDO, should understand their data ownership and corresponding responsibilities. Data strategies and roadmaps should be evaluated cross-functionally through a formal program that holds individuals and business units accountable.

Practical Steps for Considering Data Risk

Before hiring a CDO, organizations should ensure the following steps have already been completed to provide clarity and sustainability around the position and more importantly, define the overarching data strategy to promote efficiency and tactical alignment across the organization:

    1. Include a senior attorney or privacy officer in business strategy discussions so the legal data strategy can be appropriately contemplated and incorporated into the larger business roadmap.
    2. Create a data map that demonstrates the cross-functional nature of the data itself and ensure each business unit understands its roles and obligations within it. Understand the legal possibilities and limitations in the same way financial, product or architecture considerations are evaluated.
    3. Create a cross-functional data governance and privacy organization that reviews new data use cases and serves as a bi-directional forum for analysis, accountability, and education.
    4. Incorporate data governance and protection into every vertical within an organization so there is a comprehensive evaluation of data use and an appropriate organizational response.
    5. Encourage partnership between business and legal as opposed to a checkbox, obstacle, or referee who throws flags late in the game so legal is appropriately viewed as a strategic partner who can be forward-thinking. By taking this approach, the business will have the opportunity to gain a competitive advantage by advertising their industry-leading privacy and data governance infrastructure as an asset while allowing attorneys to appropriately mitigate risk.
    6. Ensure enterprise risk and data governance programs are incorporated into the product and business workflows or AGILE framework early so issues are identified and resolved proactively through a repeatable and sustainable long-term process.

    Once an organization has a cross-functional data strategy that equally pursues business objectives and mitigates risk, the organizational gaps will reveal themselves and become the center of the business remediation effort.

    If a CDO is part of that work, the nature and responsibilities of the role will be clearer, enabling them to focus on the components of the effort where they are a true expert in the field, thereby minimizing the turnover and disorganization of the role.

    After this analysis, the company is left with a sound data strategy that is proactive, collaborative, cross-functional, and satisfies the strategic intent that prompted the creation of the role to begin with.


    1. Bean, Randy. “The Journey to Becoming Data-Driven | A Progress Report in the State of Corporate Data Initiatives.” NewVantage, 2021. January 4.

DISCLAIMER: The eMoney Advisor Blog is meant as an educational and informative resource for financial professionals and individuals alike. It is not meant to be, and should not be taken as financial, legal, tax or other professional advice. Those seeking professional advice may do so by consulting with a professional advisor. eMoney Advisor will not be liable for any actions you may take based on the content of this blog.

Image of Sarah Miller
About the Author

As Associate General Counsel, Data Governance and Protection, Sarah oversees the data and privacy legal organization including legal data strategy, data agreements, data governance, and everything privacy related.

You may also be interested in...

A financial advisor candidate interviewing for a position.

Navigating the Hiring Process: Best Questions to Ask Financial Advisor Candidates

Hiring a new financial advisor for your firm requires a strategic process to ensure a seamless match for your team… Read More

Young woman receiving good news in a letter.

Best Practices for a Successful CFP® Exam Result

CERTIFIED FINANCIAL PLANNER™ professionals have achieved a prestigious designation that signifies a high level of expertise and a commitment to… Read More

Diverse Team in Data Strategy Session

Prepare Now for AI Use in Financial Planning

With the introduction of such generative artificial intelligence (AI) tools as ChatGPT, Gemini (previously Bard), and others, speculation about future… Read More

eBook: The New Advisor Value Proposition

Download our latest eBook and learn how top advisors are combining Fintech and FinPsych for superior client outcomes.

Download Now

Sign up to have the most popular Heart of Advice posts delivered to your inbox monthly.

Heart of Advice by eMoney Advisors

Welcome to
Heart of Advice

a new source of expert insights for
financial professionals.

Get Started

Tips specific to the eMoney platform can be found in
the eMoney
application, under Help, eMoney Advisor Blog.