How to increase data privacy and keep your information safe
In this article, we look at the crucial role big data privacy now plays, and we speak to leading industry experts about the practices and principles they champion in their own business strategies.
Using data to expand business operations has become common practice in the modern technological age. The exponential growth of data streams and the influx of new information give you the opportunity to gain ever deeper insight into your performance, but they also mean there is far more to protect.
The previous talking points surrounding big data centred on how a business would handle the sheer amount of information that it generates. But now, the focal aspect is big data privacy and, in particular, how your company accumulates data, and the practices and principles put in place to protect it.
Big data as a technology will continue to advance, and keeping up with it will keep your business on its toes. Many organisations find, after introducing new processes, that their procedures for handling the resulting data have not kept pace.
It’s also due to these advancements that you’ll need to introduce new data privacy and security principles, to keep your data safe from outside threats.
The collection of data is becoming a vital part of everyday business operations, and to enable your organisation to use that information successfully, there are many rules and regulations that you should be following.
Failure to comply with these guidelines, especially when it comes to data privacy, can lead to disastrous consequences. But it isn’t only a matter of practices and principles: as security expert Raffael Marty points out, it takes real work both to build a system that copes with the data volume and to determine which regulations apply to your business.
“We have seen an increasing amount of these regulations imposed on companies that deal with information about people, and often it’s really hard to understand what regulations apply and what exactly has to be done to comply with all of them,” he says. “In some cases, there might even be contradictions, such as the need to keep certain data for a minimum amount of time, when other regulations ask for a right to be forgotten.”
It’s from this lack of understanding that problems with data collection arise. With the imminent introduction of new statutes that will completely change the face of data privacy, your company will need to brush up its privacy protocols to be fully compliant.
Confidence is currently high with business leaders that they can securely protect their data, and if your organisation readily collects customer information on a daily basis, you’ll probably be well versed in the current practices of data privacy.
However, if you’re still unsure on the first steps to take when it comes to implementing privacy practices surrounding data collection, your first step should be to set out a strategic list of rules, and below we’ve listed some of the critical points to help start your privacy journey.
Have a plan in place
When gathering any data, you should first ensure you have legitimate grounds for collecting, acquiring and using the information, especially if the data contains details that fall under personally identifiable information. By having a plan in place you’ll also only collect the information your business requires.
In terms of the planning process, the advice is to start small when collecting data. This helps guarantee you acquire the right information, and it also gives you an opportunity to test your security controls and make changes before the volume grows, so that you can protect your data comprehensively.
Be transparent in terms of data collection
Throughout the data collection process, it’s only natural that your business will want to improve its data protection and privacy. One area in which you should be completely transparent is what data you collect, why you collect it and how you intend to use it, stated in terms the people it concerns can understand.
Keep your data safe
The safety and security of your data should be your top priority when it comes to data collection, and it’s a crucial part of any data acquisition campaign. You should set out which practices and principles to follow in your data privacy strategy, and having these in place should allow you to keep a lid on any security threats.
On average, over 2.5 quintillion bytes of data are generated every day. Attackers are watching that information and will look to exploit gaps in your network security, so you need to ensure your encryption, both in transit and at rest, and the controls around the keys that protect it are up to scratch.
The imminent introduction of the General Data Protection Regulation (GDPR) has caused quite a shake-up. The regulation applies from 25 May 2018, and from that date your business must be able to demonstrate that it complies with the rules set out in the legislation. If you haven’t got the ball rolling on GDPR, you’re well behind the curve, and you could be facing a hefty fine if you cannot demonstrate that you meet its requirements for data privacy and protection.
Article 5 of the GDPR applies to all personal data, not only to the special categories such as biometric or genetic data that uniquely identify a person (which Article 9 restricts further). If your business handles personal data, the data you collect is required to be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purpose or statistical purpose shall not be considered to be incompatible with the initial purpose
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) adds accountability: the controller must be able to demonstrate compliance with these principles, which means documenting what you hold, why, and how it is protected.
To help your business thoroughly prepare for GDPR, Jeff Cotrupe, Industry Director, Big Data, and Analytics at Stratecast | Frost & Sullivan, advocates the implementation of a GDPR survival plan in his privacy blueprint. “We believe that GDPR may have a chilling effect on business,” he says. “But it will also challenge organisations to be at the top of their game data-wise, which is not a bad thing.”
First and foremost, said Cotrupe, no one should think they are immune to the GDPR as ‘something that impacts the EU.’ In truth, he said, “Any company anywhere on the planet with data in its systems about citizens of the EU — or the UK, which even post-Brexit, is honouring the GDPR — can thus be subject to the GDPR.” He cited as an example a bank in the US. An EU citizen in the US on business accesses his or her account via an ATM at the bank, which by definition requires the system (and an international banking network) to process potentially sensitive personal data in order to conduct the transaction. Should that EU-based consumer later come back and request a copy of their data, that their data be erased from the system, or to exercise other provisions of the GDPR, the bank must comply — or be in violation of the GDPR.
Cotrupe advises that your business should “conduct an audit, determine exactly what personal data (as defined in the GDPR) you are currently collecting, where you are storing it and how long you are retaining it.” He also recommends destroying any personal data that you cannot justify for essential business purposes.
“This must apply to all personal data held on citizens of the EU, but your organisation would do well to consider implementing at least some of these best practice with regards to all personal data, EU and otherwise,” said Cotrupe.
“Train every employee on privacy,” he added. “Your company’s posture on privacy is only as strong as its weakest link.”
If you want to read more from Jeff on data privacy, take a look at Stratecast, Our Detailed Privacy Blueprint: What All Parties Should Be Doing Right Now to Protect the People and Organizations They Care About (SPIE 2017-28, 11 August 2017) here https://is.gd/czAylB
The rules and regulations of GDPR are there in black and white for your business to follow. However, even if you’re prepared for its introduction, there may be stumbling blocks. Phil Husbands, Founder of Saltare, believes an issue will arise when a company does not understand why personally identifiable data is still coming through into its data streams. “I foresee a lot of situations where an organisation will be looking at data which it thinks might be personally identifiable. It may deal with it, but still have some nervousness on whether or not it’s been properly cleansed and accounted for downstream,” says Phil.
“It’s all about the data flow that exists in organisations, all of that source data which is subject to GDPR,” he adds. “The business is going to need to show confidence that whatever has been done to that data as they’ve moved it through the business has been the right things, so that the information isn’t posing any risks.”
“I think we’re going to see a lot of hesitancy in the BI consumer space,” Phil continues. “When organisations are looking at the piece of information they are about to take some action on or make decisions based on, they should think ‘hang on a minute, I’m going to pause and double check that I’m really risk averse when it comes to things like GDPR.’”
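The two pieces of advice above, Cotrupe’s audit (find out what personal data you hold, where, and for how long) and Husbands’s worry about personal data reaching downstream data streams uncleansed, can be turned into a repeatable check. The following Python script is an added example, not code from the article or from either expert: it scans a constructed CSV export for personal data that is recognisable by pattern, flags records held past a retention limit, and writes a pseudonymised copy for BI use. The column names, regexes, 90-day retention limit, audit date and key are all assumptions made for illustration.

```python
"""Personal-data audit over a constructed sample export (added example).

Given a flat CSV export, this script (1) flags which columns contain
personal data recognisable by pattern, (2) flags records held beyond a
retention limit, and (3) writes a pseudonymised copy for downstream
(BI/analytics) use. Column names, regexes, the 90-day limit and the
example key are assumptions for illustration, not guidance from the article.
"""
import csv
import hashlib
import hmac
import io
import re
from datetime import date, timedelta

# Constructed sample: four records such as a CRM export might contain.
SAMPLE_EXPORT = """\
record_id,collected_on,name,email,phone,postcode,notes
1,2018-01-03,Alice Smith,alice@example.com,+44 7700 900123,SW1A 1AA,renewal enquiry
2,2018-04-20,Bob Jones,bob.jones@example.org,,,asked for callback
3,2017-09-15,Carol White,carol@example.net,020 7946 0958,EC1A 1BB,complaint re 07700900456
4,2018-05-01,,,,,anonymous survey response
"""

RETENTION_DAYS = 90                 # assumed retention policy
AS_OF = date(2018, 5, 25)           # assumed audit date

# Deliberately narrow patterns for structured identifiers. Names and other
# free-text identifiers are NOT found this way: the schema review is manual.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_phone": re.compile(r"(?:\+44\s?7\d{3}|\(?0\d{2,4}\)?)\s?\d{3,4}\s?\d{3,4}"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

# Columns known (from the manual schema review) to hold direct identifiers.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def find_pii(text):
    """Return the set of pattern categories that match in a string."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(text)}


def audit(export_csv, as_of=AS_OF, retention_days=RETENTION_DAYS):
    """Return (pii_by_column, overdue_record_ids).

    pii_by_column maps a column name to the PII categories seen in it,
    including unexpected places such as free-text notes.
    """
    pii_by_column = {}
    overdue = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        for col, val in row.items():
            hits = find_pii(val or "")
            if hits:
                pii_by_column.setdefault(col, set()).update(hits)
        collected = date.fromisoformat(row["collected_on"])
        if as_of - collected > timedelta(days=retention_days):
            overdue.append(row["record_id"])
    return pii_by_column, overdue


def pseudonymise(export_csv, key):
    """Return a copy of the export for downstream use.

    Direct identifiers become a keyed hash (HMAC-SHA256, truncated), so the
    same person maps to the same token but is re-identifiable only by whoever
    holds the key. PII patterns found in any other column are redacted.
    """
    reader = csv.DictReader(io.StringIO(export_csv))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col, val in row.items():
            if not val:
                continue
            if col in DIRECT_IDENTIFIERS:
                row[col] = hmac.new(key, val.encode(), hashlib.sha256).hexdigest()[:16]
            else:
                for rx in PII_PATTERNS.values():
                    row[col] = rx.sub("[REDACTED]", row[col])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    columns, overdue = audit(SAMPLE_EXPORT)
    for col, kinds in columns.items():
        print(f"column {col!r} contains: {', '.join(sorted(kinds))}")
    print(f"records past {RETENTION_DAYS}-day retention: {overdue}")
    print(pseudonymise(SAMPLE_EXPORT, b"example-key-kept-elsewhere"))
```

Two design points are worth noting. First, pattern matching only finds structured identifiers (the script flags the phone number buried in the notes field but cannot tell that the name column is personal data), so it complements a manual review of the schema rather than replacing it. Second, a keyed hash rather than a plain hash is used for the pseudonyms: a plain SHA-256 of an email address is trivially reversible by hashing a list of candidate addresses, whereas the HMAC is reversible only by the key holder, who should not be the BI team consuming the output.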
Further challenges can arise if your business is based outside of the EU but deals with customers and clients who reside in Europe. Your company will need to adhere to the rules and regulations in the GDPR guidelines, and failure to do so could result in you receiving a fine, so we advise you double check your privacy procedures to ensure they’re in line with GDPR.
The most significant day-to-day change following the introduction of GDPR may be the breach notification duty: under Article 33 you must notify the relevant data protection authority within 72 hours of becoming aware of a personal data breach (unless it is unlikely to result in a risk to individuals), and under Article 34 you must tell the affected people without undue delay when the risk to them is high. Meeting that window means your logging, monitoring and incident response capabilities may need a substantial overhaul.
That can require a significant investment of time and money. But after the initial outlay, it gives your business the ability to detect that a breach has occurred, contain it quickly, and establish whether personally identifiable data was accessed, which is exactly what you will need to say in the notification.
Data privacy regulations don’t stop with the introduction of GDPR, and as big data continues to grow, the volume of information will also increase.
New data varieties will accompany this growth in volume as new devices connect to the network. To handle these new data streams, your business will need to formulate new security practices.
We advise you start out small with big data projects. Although this may sound counterproductive, selecting which data to collect under the new regulations can stem from trial and error, so collecting only the minimal amount of data will allow you to exercise the right practices and principles to ensure compliance.
As with any data collection procedure, protecting the privacy of customers and clients should be at the top of your to-do list. Ivanka Menken, CEO of the Art of Service, explains that there are many areas of security to consider in data privacy, as security threats can lie in and around technical, procedural and organisational security.
“In addition to it being a security threat, it can also be a financial and legal threat to the business,” she adds. “If a company is proven to lack privacy-related documented processes and procedures, or if members of staff did not follow those processes and procedures, financial fines can be up to 4% of turnover.”
“Big Data privacy is all about safeguarding processes and procedures,” she continues. “Make sure you have processes in place around availability and accessibility of data and clear delineation of authority and tasks to find out who has access to personal data, as if a big data service is known to store personally identifiable information, the service may become the target of security attacks.”
In the current age of digital transformation, IoT devices are becoming more common, and by 2020 it’s expected that there will be over 24 billion devices across the planet. So if your business is new to this technology, it’s worth noting which risks can arise.
As your business expands, you will accumulate more data in storage, and it’s from this influx that privacy issues arise. Connected devices already generate data on the scale of hundreds of zettabytes a year, so keeping your information safe comes down to how well your business can manage and regulate the devices themselves.
The natural environment for IoT devices is one filled with sensors and readers, so they are prime technology for the healthcare sector, as they can lead to better patient monitoring and care. When used in this scenario, each device will store personal patient information which, if not protected correctly, can be accessed by hackers looking to bypass your data privacy protocols.
When using this technology in any business, safeguarding the data you collect should already be part of your data management strategy. Adding further protection, such as encrypting device data with keys your business controls, can lead to better overall data privacy if you have the right professionals in place to manage it.
A further point to consider when implementing IoT is that 59% of devices fail to explain how data is collected, used and disclosed. If you plan to make full use of the tech, pay close attention to this, particularly when it comes to GDPR: if you cannot document how you collect personally identifiable data, you could face severe penalties.
Still unsure how IoT devices can impact on your business? Take a look at this informative white paper from Trend Micro.
Unfortunately, the issues surrounding data privacy can’t be pushed to the back of your mind, and to remain compliant our advice is to face them head on. Following the new rules and regulations is only one piece of the puzzle, as there are other means of privacy protection that your business can utilise to remain compliant.
Employ a data protection officer
Article 37 of the GDPR does not require every business that collects personal data to appoint a data protection officer, but it makes the appointment mandatory if:
- You are a public authority (except for courts acting in their judicial capacity)
- Your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions.
Even if your business doesn’t fall into any of these categories, you will still be under pressure to stay compliant, and appointing someone to own that responsibility is a sensible move, one advocated by James Aberley, Managing Director of SO Marketing. “A Data Protection Officer will be responsible for monitoring internal compliance with the GDPR within your organisation,” says James. ”Unless you’re carrying out large-scale processing of personal data, a suitably informed in-house member of staff should be perfectly sufficient for this role.”
“The introduction of GDPR may seem intimidating,” he adds. “But it’s important to remember where it comes from. At its core, the GDPR is about protecting people from a myriad of risks across the internet. The internet is still a highly unregulated space that needs far greater levels of international legislation, and GDPR is a significant contributor to this.”
If you’re still unsure how a data protection officer can help your business, take a look at this advice from the ICO.
Introduce a cloud management system
The cloud is no longer just an industry buzzword, and when partnered with big data it can open up new avenues for your data privacy practices. Consolidating your data on a managed cloud platform gives you a single place to enforce who has access to it, with centralised identity management and audit logs that make it harder for access controls to be bypassed unnoticed. Bear in mind that outsourcing storage does not outsource responsibility: you remain the data controller, and Article 28 of the GDPR requires a written contract with any processor you use.
Following this route can incur substantial costs, particularly for the migration itself and for staff to manage the platform. However, the investment will be small when compared with the cost of failing to meet the new regulations or of suffering a security breach.
Publish a clear privacy policy
Your privacy policy should:
- Include an explanation of cookies and what information you collect from website visitors
- List the personally identifiable information you hold, such as:
  - Contact details
  - Credit card number
  - Whether your business is keeping track of customer orders or browsing habits
- Explain why you are collecting the information
- Explain how visitors can accept or reject cookies
- Describe how the information is kept secure
- Give your company contact details
It should be written in plain English and be easily understandable, with any legal jargon removed.
Data privacy is becoming such a highly diverse field that if your business fails to immerse itself in the practices and principles, not only will you get left behind regarding data security and protection, you could also face hefty penalties and fines. If you have yet to begin the implementation process, we advise you start quickly, as although you may believe your data is secure and carefully protected, chances are there will still be more you can do to increase your data privacy.
Tell us your top data privacy solutions in the comments below and don’t forget to sign up to the Churchill Frank blog.