Carraghyn - Chartered Directors

Valuing Information and Data

Our stewardship of “things” - assets of some sort - normally depends on value. We will take better care of a Montblanc fountain pen than a Bic biro, we pay more attention to the management of large funds than to the change in our pockets, and we apply far more rigorous accounting processes to the goods in our warehouses than to the items in our stationery cupboard. In determining our approach to stewardship we pay significant attention to value. How, then, do we value the data and information we hold in our organisations?

 

A study by IT security firm Symantec in 2012 calculated that in the average company data assets represented c. 49% of the company’s value. On the face of it this claim seems fanciful, IT industry hype - but is it?

What would be the impact on your organisation if it no longer knew who its customers were? Which orders were due for delivery? What monies could be invoiced? Suddenly data or information can appear to be very valuable.

What’s the difference between data and information, and are they valued differently? In an earlier post I wrote “Information is data which has been processed and presented appropriately for the context in which it is to be used”. Information therefore has transient value: it is relevant for a purpose at a point in time. Some information may be persistently valuable because we can use it repeatedly, for instance a list of customers. Other information is very temporal: a list of outstanding invoices ceases to have value as soon as those invoices have been paid. Data, however, is the source from which information is manufactured, and it is inherently persistent. The temporal nature of information and data is a factor in valuation.

This could be a very long article, so I’ll cut short the philosophising there. How do we value data and information? Basically we measure the worth of its loss. Ask yourself these questions, however improbable they might seem:

 

  • What would be the financial impact on the organisation of losing its data? You can do this as a whole, or divide data into classes and value them separately, but don’t be fooled into the mistake of assuming that the sum of the values of the classes of data is the same as the value of the whole.
  • What would be the financial impact of losing data for a period - a week, a month? Essentially this temporal measure will indicate the value of ‘current’ information, that which you would need to use soon.
  • What would be the cost of recreating lost data? For instance, if you lost your customer records, how much research would you need to do to recreate them? Would you even be able to recreate them, or would you be denied access to past customers unless they came to you again?
  • What would be the impact on your organisation if one of your competitors acquired your data or information? If they knew what you had supplied to whom at what price, how many of your customers could your competitor convert into their customers and at what loss of value to you?

 

In answering these questions you may generate frightening numbers. If your business depends on repeat custom for the supply of either goods or services, as most businesses do, you may conclude that the value of your data is a substantial proportion of the value of your business. The 49% claimed by Symantec above suddenly seems very possible, and it becomes easy to understand why such a high proportion of companies that suffer a major IT failure or data loss subsequently go out of business.

There are other questions you could ask, considering reputational damage, regulatory & legislative liabilities and a range of other factors. You can design your own valuation method appropriate to your needs and circumstances, but the financial questions are generally easiest to grasp.

Understanding the value of data and information is a prerequisite to determining your approach to data governance, information governance and IT governance. The realisation that the IT manager may hold half the value of the company in his or her hands is sobering. It will change your perception of who they are, what they do, how they execute stewardship of what is most organisations’ most valuable asset, and how you supervise the execution of their responsibilities.

 

Comments   

 
+2 # RE: Valuing Information and Data - wilfred tomlinson 2013-04-04 16:04
This article discusses the value of information and data from the perspective of an organisation.
The concern of an individual whose data is held by a company, in whatever form, is that personal information is stored safely and securely.
In the Isle of Man the Data Protection Act 2002 provides a degree of consumer confidence for the safe storage of personal information.
Legislation is lacking however to address significant breaches of accidental information disclosure. In January 2013 a skip, full of personal record files, was found on the side of the road in Douglas. The Data Protection Supervisor was impotent in being able to name or fine the offending organisation.
The IT industry itself ought to be lobbying to strengthen the power of the DPS to provide significant monetary penalties for miscreant organisations.
 
+2 # RE: Valuing Information and Data - Steve Burrows 2013-04-04 16:26
I agree that as a data subject I want any data held about me by companies to be limited to the bare minimum necessary for the continuance of my relationship with them, to be stored securely, and kept up to date. The IoM DP Supervisor needs access to appropriate penalties, however what evidence is there that he hasn't? My reading of the incident that you refer to was that the DP Supervisor essentially said no harm, no foul and the offender was responding actively and responsibly so he chose to not name or fine or prosecute the offending company, rather than his being impotent to act against them.

There were proposals flying around to the effect that the IoM would adopt a similar or stricter standard than the proposed 2013 EU DP Regulation, which would imply fines as follows:

  • Up to €250K or up to 0.5% of the annual global sales for intentionally or negligently not responding to requests by the data subject or the DPA.
  • Up to €500K or up to 1% of annual global sales for intentionally or negligently not complying with GDPR.
  • Up to €1,000K or up to 2% of annual global sales for intentionally or negligently not complying with specific GDPR regulations.
 
+2 # RE: Valuing Information and Data - wilfred tomlinson 2013-04-05 12:26
The DPS was only able to act in accordance with the provisions of the 2002 Act - he was not able to 'name & shame' or apply fines.
There is no provision for the DPS to impose penalties, for negligence, similar to those to which you refer.
The incident was serious - imagine a skip, full of files probably containing personal KYC information.
I repeat: 'The IT industry itself ought to be lobbying to strengthen the power of the DPS to provide significant monetary penalties for miscreant organisations'
