 Welcome to another episode of DSCI Insights in Action. My name is Marko Kovacevic. We are fortunate to have our three distinguished guests today. Sean Mooma, Director of Supply Chain Innovation and Emerging Technologies of DSCI. Welcome, Sean. Dave Capos, a partner at Carvath Swain and Moore, and former Director of US Patent and Trademark Office. Welcome, Dave. And Kers Webb, an associate of Carvath Swain and Moore. Welcome. Companies today are transforming their operations to make use of data in every aspect of their operations, turning every enterprise, large or small, into a data enterprise, as we can call it. But the transformation in data enterprise is not just a wish or a good thing to do, but it also raises an important question about governance, security issues, and things that business leaders need to address in this new evolving ecosystem. And today, the need for a new understanding of the role of data management is more pressing and more actual. The challenges that are transforming the digital supply chain are underway. And what we would like to talk with our experts in today's conversation is actually how you can tackle those and how we can drive the governance and security into right aspects so every single element within supply chain transformation or supply chain value network can contribute to its growth. So let's start showing with you and let's start from why is supply chain governance and security of increased importance, or we can call it risk, to accompany today and what are the considerations for a good governance in today's world? Thank you, Marco. It's great to be joining DSC Insights once again and great to be here with our colleagues, Dave and Harris. Supply chains today are rapidly transforming, becoming ever increasingly digitally driven, which means that they're data driven. And we're really here to talk today about what it means to be a data driven enterprise and manage a data driven supply chain. So in a digital supply chain, customers' desires and demographics derive demand planning, which is linked to supply chain operations from sourcing through distribution. Whereas demand and demand planning and supply chain management used to be separate. Today they're all integrated and transparency is demanded from end to end. So as everything becomes transparent from the initial customer inquiry through product manufacturing and delivery, transparency is increasingly important, which means that increasingly data is being shared amongst all the players from the customer all the way through the backend to the sourcing and the manufacturing. Today's new customer demands that they have transparency that they know where their merchandise is and when it's gonna be delivered. As a result, every company is both an owner of data and a user of data. And they have an obligation today to be a good data steward and manage and protect that data. And that requires good governance, good governance practices, good data practices start at the top of the business. They must be clearly defined with understandable and implementable practices. And that requires a cultural change. Businesses must understand what data they have or what data they're sharing with whom they're sharing it and what obligations each party has to protect the different types of data. And we broke the data into three different categories for ease of discussion and ease of management. I'm sure Dave and Keras will get into but really you have the competitive advantage data. Those are the keys to your business the things that you wanna protect the most. You're dealing with PII, personal information of your customers. Increasingly there's regulations that differ across the globe on your obligations to PII data. They seem to be changing on a daily basis. And then there's specific use data which you might in fact share with competitors. ESG data fits into this category. Carbon data fits into that category. So that's really the background on really why corporations need to pay attention to data governance and data security. And we'll talk more about that. I'm sure as you get into the additional questions. Back to you, Marco. Thank you very much, Sean. And I like one notion which you actually shared. Everybody is becoming a data steward in that sense. And that brings me to the next question which I would like to address Dave to you. Data is shared within a constellation by you, your suppliers and your customers. So what information protection procedures are needed? What are the rights of use and how do you track your data inventory and ensure compliance with your data sharing agreements and regulatory requirements? Having in mind what Sean also undermined that data exchange, data sharing or even data trading is a way forward. Yeah. Well, hi, Marco. It's great to be here. Nice to be working with you again, Sean. And Keras, nice to see you and have this super interesting conversation. And thank you to DSCI Insights for hosting this. So, Marco, I put the answer to your question into two buckets, essentially. One is like cybersecurity and the protection of information, all kinds of information, any information that's confidential whether it's because it's personal information or because it's trade secrets or confidential for any other reason. In one category, the cyber protection category. And then I would tell you there's a second category which is the management of information according to expectations that are associated with it. So just focusing on that second category, in this constellation, Marco, that you have described for us with suppliers on one side and customers on the other side, probably some that are a bit of both. Other third parties that are part of the value chain and you picture your company sort of in the middle in some way of that constellation. You need to know through clear agreements with all of those parties what information they're sharing with you, what right they have to share it with you, what rights they can convey to you to do whatever it is that you need to do with that information, what further use you can and can't make of that information. And you need to know all of those things and be able to track those things in relation to the information that you are receiving. Then you also on the flip side need to be able to set clear expectations usually in these same agreements for your suppliers could be customers, other third parties in that constellation so that as for information you share with them, there are clear expectations of how they will treat that information. Will they keep it confidential? Can they use it for any other purposes? Can they send it onward to third parties? Can they aggregate it with other information? How long can they keep it? All of those kinds of questions that need to be clearly set forth and answered. And then there's kind of a last component to both the information you take in from the constellation of your suppliers and customers, et cetera and the information you provide them to super important, which is ensuring you're complying with the laws in handling the information, both incoming and outgoing. So there's just lots that's required, Marco. And then coming to the second part of your question, the mechanism for dealing with that, it can't be like hard copy ledgers or we're just gonna try and remember or we'll hope for the best. That no longer works at all in the complex supply chain constellations we're dealing with. You really need some form of a chief information officer in addition to a CSO, Chief Information Security Officer that's on the cyber side. And you need a data management system that can track for each item of data that you are taking in, right? Where it came from, what rights are associated with it, what restrictions are associated with it. And those information management systems exist, but they really need to be very well integrated and they need to act at the interfaces where information is coming in. Because once information is in, if it can't be accounted for and the rights that you have associated with it aren't clearly set forth, you're gonna find when you go seek legal advice from people like Harrison and myself, we're gonna be telling you, you need to go to the least common denominator because if you do anything that exceeds your rights, you're gonna be triggering contractual liability as well as regulator liability, probably in lots of countries. And that's not a thing at all. Thank you very much, Dave. And thank you also for highlighting another important thing and that's in today's world, we think about two components with data enterprise. One is the cybersecurity piece, but another one is just data, data piece where companies should build the structure around. So cybersecurity doesn't cover the overall data and touch points you have. And this also brings me to the next question and I would like to ask you, Karis, having in mind that global supply chain operates across the board, it operates across the borders, it operates across geographies. So how the regulatory landscape appears in that equation, right? It can be really confusing where we have each jurisdiction intacting their own legislation and how does a company make sense of it all and then ensure compliance without impacting its business? Because especially from small and medium size enterprises, these things can be very complex and if they're part of the larger, like the value chain system within supply chain, they can be really stuck. Yeah. Thank you very much, Marco. And I will echo everyone's thanks for having us on to talk about this really timely topic. I will take it a step further than you and say, this landscape is not just confusing, but it's new, it's more rigorous and more demanding at every stage. It's really interesting that Dave brought up the concept of the lowest common denominator because from a privacy perspective, it's really the exact opposite. We started with GDPR, which was at the time and really continues to be a load star for data privacy laws. And we now see jurisdictions across the world, either enacting new laws or refining existing frameworks so that they resemble some of GDPR's requirements. Thinking of Brazil and California, with the fairly new CPRA, and I expect that as continue evolvement happens, data privacy remains a moving target. So to get to your question, how do you make sense of it? I think the one word answer is carefully. The two word answer is probably carefully and very affirmatively means treating privacy and cybersecurity as well as part of business strategy and part of a long-term plan. It means getting the C-suite involved and invested in privacy principles, discussing with stakeholders really at every part of the company, no matter how small. It really needs to be collaborative so everybody has appropriate buy-in. I think about proactivity a lot rather than reactivity, that's also really critical. So rather than thinking about, how do we achieve privacy compliance? Which is an important question. The better question to answer or ask is how can privacy help us achieve our business goals? I think it was interesting that the way you phrased the question was how do we worry about privacy without it impacting our business? But privacy and data more generally does impact the business and it should impact business, right? I don't think it needs to be a negative sum game. Today, investors at every level really have taken a keen interest in data privacy. And so you're much more likely to not only attract customers, but to do more business with existing customers. If you can get on the right side of compliance, it's a really great way to think about boosting your brand and ultimately positively impacting the bottom line. So there's a lot to think about in a really positive way. It doesn't always need to be, oh God, we need to think about data privacy compliance. It can actually be something that's really great for brand recognition. Keri, thank you very much, especially in bringing up the positive aspect of the story, because I think with complexity, people first always see problems, right? But you are underlining these problems in a way of how the business leaders, especially in entrepreneurship, think towards the opportunities. And that can, you know, I love the notion of, you know, being proactive rather than reactive. So trying to build on that note, and it would be a question for all three of you, we always like to close these sessions with a call to action. So I would kindly ask all of you just to contribute from your point of view, what actions or what action, let's say one, if we choose need to be taken today to plan and protect, you know, the future of supply chain resilience. You know, what would be the thing that the companies can start, you know, first with? Sean, let's start with you. Yeah, I can go first. Thank you, Marco. You know, I think being a good data steward is just not optional in the digital world. It's got to become part of your culture. It requires cultural change. You know, for years, large companies have had business practices and do annual certification for those business practices. I think data, you know, adds on to that and is an increasingly important part of good business practices. So that's number one. The cultural change driving it throughout the organization, which means that corporate policies must be defined, operationalized and audible for compliance. As Keras said, this is positive. However, you need to make sure that the internal workings are there, that people understand them and that it does enhance your brand going forward, which means you must have, as Dave pointed out, you must have a data inventory which classifies the data that you have by type and obligations. You want to keep it as consistent as possible, but you need to, you know, the lowest common denominator, but you need to identify the exceptions where there are exceptions and ensure that you're complying with those obligations. And, you know, finally, you need to understand how the data is being used, your data, by whom, both inside and outside your organization and throughout your supply chain. It's a formable task. It's one that needs to be done and it's one that can aid your brand recognition and value going forward. So that Dave and Keras, I'm sure have a lot to add to that, but that's the start. Thank you very much, Sean. Dave? Yeah, sure. You know what I would add to that, Marco, is adopting a notion of continuous improvement. The landscape is changing rapidly. It is evolving. Data practices are improving globally, sectorally. IT systems are improving in their ability to assist us in managing compliance and getting grand leverage out of good stewardship. It's an area, you know, I like to use the old metaphor of the, you know, bear chasing two people through the woods and one of them's running as fast as he can and the other one says you'll never outrun the bear and the first person says, I don't need to outrun the bear, just need to outrun you. The point being you, and to put it in the positive again, you don't need to be perfect, but you do need to take these responsibilities extremely seriously and you do need to adopt a culture of continuous improvement. And if you do that, you'll do extremely well in managing data. You'll be able to get great leverage from it and you'll be able to make it part of your brand in a very positive way. Thank you very much, Dave and Caris. Yeah, I think both Sean and Dave said it perfectly to underscore, right? Data is a key value driver for businesses and so it's imperative that businesses start treating it that way. I think collaboration is the additional thing I'll add, both internally and externally. When I think of clients that have great data governance, it's because there is this cross-functional understanding. Not everybody needs to have the exact same task or role or responsibility with respect to data, but everybody needs to come to the table having harmonized on the principles that underlie how they individually treat that data. I think that's true for the entire data life cycle from ingestion to analysis, monitoring, removal, the whole, everyone needs to sort of understand that. And I think that needs to apply both, as I mentioned internally, but also to vendors as we see, especially with the supply chains that we talk about in the article, vendors are a key part of supply chain resilience. And so involving them as much as is appropriate at every stage of the process, I think only encourages and fosters that resilience as well. Thank you. Thank you very much, Keris. And if I can try just high-level to sum up, what we got as inputs is to, data stewardship is not a requirement. It's basically a must and an actual thing that every organization should do. Creating a team around it and structure, which can then govern the data and also work horizontally through the enterprise or a company is a very important thing to connect all the touch points. Then going towards continuous improvement, as you mentioned, Dave, is something that organizations should take as a lead and nobody will be perfect, but the steps should be made and it should be a puzzle that it's built from various different actions, activities, and also collaborations with the legal partners in order rather to be proactive, as it was mentioned, then reactive because reactive in this sense will cost much more than being proactive. So really, I would like to thank this distinguished group and Keris, Dave, Sean, thank you very much for sharing your knowledge here, also the research you have done together and the practical work in this area. I'm sure we will be coming back to you also in the coming future to see in which directions things are evolving because we see this as an evolution of enterprise or companies in a way which will not stop with what we are seeing today, but actually with all the technology advancement, data touch points with customers and partners and suppliers and the whole network will just increase the complexity, but let's finish on a positive note, it will create new opportunities for the well-organized systems. So thank you once again, and this was another DFCI Insights in action and stay tuned with us, we'll come with more valuable digital transformation, digital supply chain transformation topics in the future.