Four ways to better data protection
In the latest in a series of monthly columns on information technology issues for businesses, Fifth Step chief executive officer Darren Wray examines four steps to better data protection in a world now battling cyber attacks.
Company boards across Bermuda take note. The need for illustrating how you protect the sensitive data that your organisation leverages in the course of doing business every day is about to explode. Within the next 12 months you will see a drive by the world's regulatory bodies to implement a raft of procedures that will require that every senior executive be able to evidence the steps their organisation is taking to ensure privacy and security.
If it isn't already, data protection should form an increasingly important part of your company's daily risk management function. No longer the sole remit of your heads of IT, knowing that you are securing your data is now a prerequisite for underpinning future corporate success.
Witness the media and customer backlash in the UK to the cyber breaches at TalkTalk and the personal attacks on the CEO and how she has handled the crises. Reports continue to filter through the media focusing on enraged and hurt customers who have had their personal banking details sold to the black internet market. Customers are leaving TalkTalk in droves because they simply no longer trust the company to protect their rights to privacy. The reputational damage to the brand will be immeasurable for the company long-term.
But securing “big data” takes on many forms and is an increasingly complex task that touches every level of an organisation, whatever their size and whatever their business. In Bermuda, the insurance, reinsurance, financial services and banking sectors are of course all highly regulated and the Island has established a solid reputation based on this. Unsurprisingly, the latest data collection exercise by the Department of E-Commerce finds that 97 per cent of Bermuda residents believe that it is important for their personal information to be protected.
Put simply, data privacy is the right that every individual has to know that when they share private information, the receiving organisation will keep it safe. Systems protection is one route (not forgetting how critical it is to be able to evidence the checks and balances to our C-Suite friends), but another huge area is understanding the geographical landscape.
Most developed nations have data protection or data privacy legislation. However, the grey areas start to appear when you then place national frameworks against a supranational level such as that of the European Union. Its overriding legislation prevents data being moved outside of the EU region unless it is moving to a location that has the same protection for that data as its own legislation provides.
The key point here is that data must not move without the permission of the person to whom the data belongs (Note — this isn't the company who collected the data, but the person that the data refers to).
This becomes more relevant to Bermuda as the Personal Information Protection Act (PIPA) continues its progress towards the statute book. PIPA has been written to be equivalent to EU data protection legislation. This equivalence allows personal data (once the act is part of the statute) to be sent from the EU to be viewed, stored and otherwise processed in Bermuda.
Why is this so useful to Bermuda-based companies? Two words — Safe Harbor. The Court of Justice of the EU (CJEU) ruled that the Safe Harbor Agreement between the US and the EU, which allowed personal data to flow to the US from the EU, was invalid.
As a result, data that would have previously been allowed to flow freely between the EU and the US is now being stopped. It should be noted, however, that the Information Commissioner's Office in the UK has said that it is not rushing to use its enforcement powers.
Bermuda's geographic proximity to the USA becomes even more of an advantage as a result. If this matter remains unresolved when PIPA becomes law, Bermuda may be able to leverage its regulatory and geographic advantage for US companies that could send people to Bermuda to view personal data from the EU.
An example of where this could happen is with international mergers and acquisitions.
So what steps should you be taking now?
Some Bermuda companies will have processed the information about what the act requires of them following on from the PIPA consultation earlier in the year. Even they, however, still have to prepare for the changes as they become law.
The following are four basic steps that organisations need to ensure are under way now:
1. Understand which of your data is within scope.
Only data that can identify a living individual is within scope. This encompasses obvious things like names, addresses, e-mail addresses etc. It can be more complicated, however, so make sure that your people are familiar with PIPA's requirements. Contact Bermuda's recently formed Information Commissioner's Office, which will be able to offer more information as PIPA progresses.
2. Know why your organisation collects personal data.
A founding principle of data protection is that the personal data is collected for a purpose. A simple example may be a competition where people provide contact information to be contacted if they have won a prize. If it is the intention of the company collecting that data to use it for marketing purposes after the competition, it must be made clear to those entering the competition. It can't be a decision that is taken later as this would be a change of use.
3. Check your data retention policy.
Personal data can be retained for a reasonable period to allow the processing of this information in accordance with the purpose for which it was collected. This means that data has to be deleted once this reasonable time has passed. For example, data that was collected with regards to an insurance policy may be kept only for two years after the policy has expired.
4. Check your data security.
Now is a good time to check and update your approach to data security. Ensuring that data is protected and, where appropriate, encrypted makes sound business sense. Being able to illustrate best-practice checks and balances in your attempts to ward off cyber hacks is critical.
The risks of failing to mitigate and protect your organisation's and customers' data security, as recent news events have illustrated, mean that you must act now and be able to prove you are responsible for, and proactively implementing, the highest standards of protection across all areas.
Darren Wray is the CEO of Fifth Step, and has over 25 years of IT and management experience within the Financial Services and other sectors. Fifth Step operates globally from its offices in Bermuda, London and New York, providing IT Leadership, Change Management and Governance services to executives and senior managers within Insurance, Investment, Legal and Banking organisations of all sizes. For more information about Fifth Step, the team and the services they provide, visit www.fifthstep.com.