
Data protection is critical for all businesses

Companies that misuse data or fall victim to breaches not only risk financial loss, but also reputational damage. There are many reasons good data practice is essential.

There is no denying the fact that the internet of things (IoT) ecosystem has grown rapidly in the past few years. According to research from GSMA Intelligence, around two-thirds of the world’s population now have access to a mobile connection.

Meanwhile, more than three billion people are connected to the internet, and analyst firm Gartner predicts there’ll be 20.4 billion internet-enabled products in use by 2020.

However, as technology use continues to increase, so will the amount of data it produces. American computing giant IBM claims the world generates an estimated 2.5 quintillion (10^18) bytes of data per day. Much of this data comes from mobile phone signals, social media posts, multimedia and e-commerce transactions.

Such a high volume of information has its benefits and challenges. It is generally accepted that companies can gain a better insight into their customers and increase efficiency by tapping into big data. But managing it is not easy, and there are also questions around privacy.

A study from Gigya showed that 69% of consumers have reservations about brands handling their personal information, while nearly half of UK firms were affected by a data breach in 2017.

By failing to implement sufficient mechanisms to protect customer data, companies not only risk incurring financial loss by having to pay hefty fines and mitigate damage caused by breaches, but they also risk reputational damage.

Facebook, for instance, has been criticised for taking a lacklustre approach to data privacy after it was discovered that the social media site somehow let marketing firm Cambridge Analytica gain unauthorised access to an estimated 87 million user accounts.

With the compliance deadline for the EU’s General Data Protection Regulation (GDPR) on 25 May 2018, most firms should be considering what they can do to boost and improve their data protection procedures and prevent breaches.

Customer trust is paramount

As the compliance deadline for the GDPR looms, firms have increasingly been exploring ways they can improve their security mechanisms. Businesses that fail to adhere to the law face having to pay up to €20m in fines.

Such a sum of money would be damaging for most firms, but 451 Research analyst Sheryl Kingstone believes reputational damage would be more catastrophic to companies. She says consumers put their faith in firms that conduct good data practice.

“While fines will become extremely relevant with the upcoming GDPR mandate, what’s even more important is safeguarding customer trust,” says Kingstone. “Businesses must be more transparent at disclosing not only policies and terms and conditions, but exactly how the data will be used. They need to be more specific in terms of what data is being collected and detail the intended use. Many companies are asking customers for their permission to harvest data, but opt-in mechanisms are vague.”

Kingstone believes consumers are becoming more aware about data privacy concerns, mainly because of news headlines. She highlights the Facebook and Cambridge Analytica debacle as a key example.

“The outcry over the revelation that Facebook had shared extensive user data with Cambridge Analytica shows that applications, more than tracking and collection, are driving consumer privacy concerns,” explains Kingstone.

“Hundreds of millions of consumers have willingly shared personal details with Facebook for many years with little concern. Some of that may have been ignorance about just how much data Facebook – and Google and Amazon and other major internet powerhouses – have on almost anyone spending time online.”

She adds: “But it is more likely that it was a ‘ho-hum’ issue for most because the use of that data was viewed as relatively harmless or merely annoying – such as targeted advertising – and integral to the workings of the product itself such as improved search results, product recommendations and tighter news feeds.”

Data protection is a constant operation

Neil Thacker, chief information security officer of US software company Netskope, agrees with the idea that firms can unlock a great deal of potential by analysing personal data. Often, they are able to learn more about their customers and generate personalised products.

But Thacker says many businesses are failing to implement appropriate mechanisms to protect this information. His view is that companies can benefit from personal data only if they protect it from the start.

“Personal data is considered to be one of the most sensitive categories of data an organisation has access to, and perhaps it is the most valuable,” he says. “As the value of personal data increases, so should the controls needed to protect it. Personal data should be processed only with clear consent given by the data owner, with a transparent agreement and an organisation-wide focus on preventing data theft or misuse.”

To identify misuse, he believes firms should constantly analyse their business procedures and operations to ensure they are compliant with the latest data protection safeguards. At Netskope, Thacker treats data protection as a constant operation. Firms should not assume that once they have installed or developed a system to protect customer data, they have nothing else to do.

“I recommend enterprises continually discover new and amended business processes, working alongside the business to apply the necessary safeguards needed for protection,” he says. “The aim is to understand how employees – and third parties – are using personal data and to ensure it meets the sole purposes for which it was originally collected.

“This involves managing both the point-of-access and the location where personal data is stored and processed from, which is primarily in the cloud,” adds Thacker. “Complete visibility of what cloud applications are being used by whom and why, has quickly become a CISO’s critical priority. It is up to the cloud service provider to have a legal contract in place with terms that are agreeable to both the organisation and data subject, which further protects the individual, promotes trust and supports an ethical approach to personal data processing and protection.”

Improving business efficiencies

Like many other big organisations, Liberty Mutual Insurance handles the data of millions of customers every day. As a result, there is a crucial need for systems to ensure this information is never compromised by third parties and criminals. The financial firm has therefore implemented electronic file and record management facilities from Alfresco and Amazon Web Services.

Liberty Mutual Insurance CIO Mojgan Lefebvre says these capabilities are not only allowing the company to protect customers, but also to make efficiencies throughout the entire business. She expects the firm to save around $21m over the next five years, thanks to a reduction in paper, printing and document storage costs.

“Don’t underestimate the amount of time required for regulatory discussions,” she says. “Make sure your data privacy and compliance teams are comfortable with any production solution with real customer data in the cloud. We used this initiative to put our records retention policies in place and ensure compliance around the globe. As regulations like GDPR take effect, this has absolutely been a lifesaver for us.”

Camden Council CIO Omid Shiraji believes IT decision-makers should learn from the mistakes of companies such as Facebook and Cambridge Analytica by enforcing the best data protection measures possible.

“The spotlight has been shone on Facebook and Cambridge Analytica around poor data management practices, but this should be a lesson for all,” he says. “No matter how young or old a business is, data governance is an organisation-wide issue which every employee needs to understand. Understanding the value of data is a life skill, not just a professional one.”

Shiraji reckons effective data governance should be taught through the education system. “However, tools are only a small part of the answer,” he adds. “A crucial step in delivering good data governance is through education and while 46% of UK organisations studied by Big Data LDN believe the government has done an excellent job, there is still room for improvement.

“With the GDPR compliance deadline looming, UK organisations should be in the final stages of educating their workforce and deploying the appropriate technology to manage the large swathes of information they hold.”

As masses of devices continue to connect to the internet, it is clear companies will have access to an ever-growing amount of data. If they put the right data protection and management mechanisms in place, they can gain a lot of potential from customer information. But without sufficient safeguards, the risks will keep on growing and firms could find themselves in all sorts of trouble.
