Risk Management vs. Compliance
What matters is your ability to govern access to the data. That’s the IT asset: your ability to keep others from using that stolen iPad, or stolen access credentials. The asset is your collection of policies and procedures to evaluate relationships, study data usage patterns, raise alarms about suspicious behaviour, provision or de-provision user access, and so forth, and your database of customer interactions and records.