Rethinking Data Governance

It’s time to redefine how data is governed, controlled, and shared

This article first appeared in the World Economic Forum’s Agenda Blog.

The first chapter of the Fourth Industrial Revolution has been powered by an explosion of data harnessed by extraordinary advances in technology and the spread of connected devices. As a result, seven technology companies are now among the eight most highly valued companies in the world. The success of the next chapter in the world’s digital transformation depends on governments and companies ensuring data is used in a way that balances benefits across the broader economy and society as a whole.

Pressure is mounting for regulatory and other frameworks that will allow innovation to continue while addressing rising concerns over how data is used. Governments are trying to combat the propagation of fake news and the use of data for illegal purposes, such as trafficking and terrorists’ communications and recruitment activities. In a connected world, companies grapple with the balance between data security on the one hand and innovation, personalization, and interoperability on the other, while consumers are increasingly worried about their privacy.

But how can data be better governed, controlled, and shared?

We have identified five potential futures for public and private stakeholders to consider:


To a large extent, this is where we are today. Companies now use data to add value to almost every aspect of life, enhancing people’s social lives, lowering business costs, and providing services and information that facilitate all manner of daily interactions.

To achieve this, many employ cookies and device-tracking technology to follow online activity and infer information such as preferences. They then use these not only to improve their own services but also to send notifications and targeted advertising. As platforms, their access to unique aspects of data activities, along with the accumulation of data and analytics, has produced deep network effects. Each platform also has its own approach to how much data is shared and how much control consumers have.

Now questions are being raised over the impact of these techniques as digital technology spreads into other industries. If today’s regulatory status quo continues, big tech firms may become even more influential. They could continue to amass data and talent, investing billions of dollars in research and development and acquiring artificial intelligence (AI) startups and companies in traditional businesses such as retail and healthcare.


As firms amass more data, some governments have introduced digital protections. These rules increase data security requirements and controls on personal information and treat the right to privacy as a priority and a human right. If people feel more secure about going online, they may be further encouraged to take advantage of connected digital services, whether commercial or government.

The most prominent example is the European Union’s General Data Protection Regulation (GDPR), under which users can demand that a firm erase their data or transfer it to another company. They can also ask why their personal data is collected, how it is used, and for how long it will be retained.

As these regulations evolve, questions arise about second- and third-order impacts and the resulting trade-offs. For example, increased operational expenses and constraints could raise the cost of doing business and increase barriers to entry, limiting the ability of new competitors  to gain footholds. Restrictions on sharing data with third parties could also make it harder for firms to collaborate on data-driven innovation.



Data utilities could offer a simpler way for users to manage data without having to manage consent with every firm with which they come into contact. Marketplaces, where firms could trade consumer data, would give individuals centralized control over how information about them is used and shared.

Consumer-centric data utilities may not replace the need for baseline data protections entirely, but they could streamline the complex web of data management responsibilities that consumers now have. Models could also emerge that allow individuals not only data control but also data monetization. At least one firm already enables individuals to pool their data for surveys and other uses in exchange for a fee.

Alternatively, data utilities run by coalitions of firms could help businesses exchange aggregate, rather than individual, data. Sharing aggregated data could help alleviate privacy concerns associated with sharing individual-level data and facilitate the sharing of “data insights” that help solve broader challenges, for example, in public health.

All of this naturally raises the question of who would create and run these utilities and for what purpose. Would they be run by companies for profit? Or by governments for the public good? Many other details would also need to be worked out.


Global standards for data rights and obligations could be embedded in the very fabric of the internet through rules and protocols around data exchange.

The internet could serve as a precedent. In its early days, it was restricted and focused on non-commercial exchange. The World Wide Web standards were adopted in 1990, embedding critical principles for the connection of servers including that any person could share information with anyone else, anywhere. After commercial use of the internet was allowed in the mid-1990s, these shared protocols and principles enabled tremendous innovation.

The question would be whether this approach should (or could feasibly) be adopted for handling people’s data, given the complexity and number of constituents and the impacts that new protocols could have on them. Less was at stake when internet protocols were established.

The Sovrin Foundation, a private sector, international non-profit, is currently taking a first step in examining the merits of this approach. It is developing a system to allow individuals to manage their digital IDs online through open-source, self-sovereign identity. This future state requires significant global cooperation, and while there are precedents like the internet, there aren’t many.


Though much data is already crossing borders, governments increasingly consider data and digital infrastructure as critical for national security and economic competitiveness. As a result, just as emerging economies in the past wanted to foster domestic auto production, today many want their own technology industries to thrive.

Some governments have started to write rules on where data infrastructure and technology reside, creating national-level constraints on technology investments by foreign companies or powers, and potentially increasing their means of social control but also their ability to foster local economic development and take advantage of the AI revolution.

Russia’s Data Protection Act, for example, requires operators to store and process individuals’ personal data in databases located in the country. A 2018 law in India requires that certain types of data be physically located in India. China has wide-ranging data localization rules, restricting the transfer of data overseas and limiting data imports, and has looked to develop its data infrastructure and computing capabilities through significant investments. Germany and France have recently announced their own initiative, called Gaia-X, to decrease dependence on foreign data infrastructure.

Such barriers and constraints may prioritize national goals over global innovation and business effectiveness. Finding the right balance between multiple objectives will be crucial.


The second chapter of the Fourth Industrial Revolution has the potential to bring great benefits to people around the world: healthcare that is individualized for maximum benefit at minimum cost and intervention, e-government that enables efficient access to services, and cars that rarely crash.

Delivering the potential of digital technology will require new approaches to data management and, in some cases, new regulations. Governments and businesses will need to find the right balance between safeguarding individuals’ data and ensuring that innovators can keep striding forward.


Douglas Elliott is a New York-based partner and lead of the Future of Data Initiative for the Oliver Wyman Forum.

Lisa Quest is a London-based partner and lead of the Future of Data Initiative for the Oliver Wyman Forum.

Ana Kreacic is a New York-based partner, the Chief Operating Officer and lead of the Futue of Data initiative of the Oliver Wyman Forum.

Rethinking Data Governance