Managing Data Integrity
Regulatory environments for privacy that impact data management of personally identifiable information (PII) continue to tighten around the world, but conversely data democratization that leverages the benefits of the pervasive use of data is also moving in the opposite direction at an accelerated pace. This means that special attention needs to be focused on the full alignment of privacy against your underlying business imperatives. This will require us all to think through the physical, logical, and legal location of data in the context of what information can be stored, by whom, and for how long.
As a starting point here are 5 points to consider for maintaining data integrity and hence privacy:-
#1. Understand the Impact of Not Maintaining Data Privacy
Data leakage causes pain and we should all think through how to consistently maintain data privacy as financial penalties, reputational damage, class actions (some jurisdictions) and remedial costs might all be triggered through privacy loss.
Data loss can occur through the existence of unprotected systems, inadvertent clicking by employees on hyperlinks containing malware, unprotected USB loss or through incomplete process flow design faults that contain outwardly facing unlocked cloud containers. The purpose of any malware is to immediately lock systems for ransom, or if more targeted to gain access and then to move horizontally across applications & files to your more private data assets.
Associated media messaging from any publicly known loss of privacy event might be brutal and any disclosure only needs to be at a high level to negatively influence opinions on whether a corporate can be fully trusted, can adversely impact your stock price, and all irrespective of whether a breach has been driven by internal or external parties.
Disclosure of private information might occur prior to corporate acknowledgement to the breach in question. This is in fact increasingly happening as threat actors leak limited data sets to prove that there has in fact been an actual breach.
#2. Proactively Manage and Control Data Processes End to End
Privacy is typically explained at a very macro level, and rather obviously, as data no longer being private, whether that be caused through unauthorized system access, unauthorized modification to any underlying metadata, or indeed simply through any form of unauthorized data disclosure.
Considerations for privacy are not an add-on but need to be built as an integral part of your corporate culture, against a backdrop of deepening general awareness by everyone pertaining to data privacy rights, and against a continuous backdrop of privacy creep that sees technology push the privacy envelope.
Designing end-to-end processes for privacy needs to be fully thought through and engineered into systems from day one, and thereafter managed rigorously on a continual basis, noting that various parties are able to leverage and enforce privacy rules relating to PII data
#3. Understand Data Notification Rules
Data breach notification to designated privacy bodies & regulators for an “event” is becoming more of the norm these days, as opposed to these events being hidden from public view. For example, regulations might include both voluntary and mandatory breach notifications to regulators, or to specific individuals that are impacted from any data leak.
Underlying complexity is not static and continues to evolve and increasingly one country's privacy laws are challenging adherence to those of another country, with one recent example being the implications of the US Cloud Act on European rules where data being stored overseas in Europe with a US cloud provider can be accessed based on this act. In another case the underlying ramifications of data arrangements within the emerging Australia-Singapore Digital Economy Agreement have caused some concern. Some have referred to these emerging geo creep concepts as the beginnings of the splinternet, as data location and government driven competitive arrangements challenge the concept of an open internet, with all the ramifications of additional costs for compliance. Stakes are high as data is the new oil!
Solving complexity sees global corporations typically aiming to meet the most stringent privacy requirements to pre-empt any subsequent iterative changes in jurisdictions that currently have less strict rules. Gartner predicts “that by 2021 more than 60% of large organizations will have a privacy management program fully integrated into the business, up from 10% in 2017” to handle the ever changing privacy landscape. https://www.gartner.com/en/legal-compliance/trends/upholding-privacy-by-design
#4. Understand and Minimize Your Data Needs to Reduce Risk
Unless a corporate knows what data it is collecting and for what purpose, then how can it in fact protect any underlying information both today and in the future. Conversely at the same time all of this comes against a practical backdrop of decreasing data storage costs, the result of which today sees many corporations just simply throwing more money into storing everything for speed of execution and for fear of deleting something important.
This broad brush strategy of collecting everything is now being challenged by these tightening privacy arrangements. This conundrum is not new as many major corporations in financial services will attest to, but the fact is that more detailed data management is now having to be applied far more pervasively across business sectors than ever before. It is very expensive to get wrong, so this continues to focus mindsets on data classifications and risks associated with each data type.
#5. Choose a Reliable Vendor for Data Management
Vendor partner selection is an important part of your overall privacy focused strategy, as you can only be as strong as your so far undetermined weak link. There are different types of risks and risk mitigation that can arise with any solution deployment that might in itself include apps + applications + API’s across different vendor eco systems eg bank interfaces, multiple cloud deployments, iOS & Android app versions etc. All come into play when managing the double sided coin of privacy and cybersecurity.
Additionally your solution deployments will be a mixture of on-premise, cloud, as well as hybrid systems. With this complexity comes the responsibility to ensure that the privacy of data is maintained end to end, and as an extreme example that no provider is in a position to leverage or market your PII data on to a secondary information 3rd party portal.
At the end of the day privacy and cybersecurity are intertwined and become a partnership between vendor and corporate with each playing a critical role. With these changes more thought will need to be applied, within each end-to-end process, on what information needs to be stored, by whom, and for how long, as well as thinking through the physical, logical and legal location of both live data and backups. A game changer to get right!!
Ashley Clarke, COO, FlexSystem Ltd