How to reinforce data privacy, not just the security of information

EY CIO blog author Dr Schultze-Melling

New metaphors are needed to describe the mind-blowing amounts of data that will be generated in 2014. Petabytes, exabytes and zettabytes of data are being accrued with every passing day. Sky-high piles of phonebooks, truckloads of printed paper crisscrossing the earth or multiple times the amount of data in the Library of Congress will soon be insufficient to describe clearly just how much information there is.


While this issue may be fairly meaningless to most of us, when the information in question is actually about you and me, it’s far from anecdotal. In today’s hyper-connected world, personal data not only represents a growing proportion of the vast amount of data, but also poses new questions about the fundamental right to privacy. This kind of information says who and what we are. It shapes our online and offline reputations and may even affect our personalities. In the 1990s, there was a joke that, on the internet, no one knew you were a dog. But this era is over: now our very identities are becoming far more transparent and, if you happen to be a dog, everybody will soon know!

The practical problem is that companies have to change the way they think about this data, and how they handle it. The actual protection of this data – how we encrypt, password-protect and hence guard it from theft, hacking or accidental loss – is only part of the challenge. Typically, these issues are the responsibility of the CIO or the CISO, and probably rank quite high on their list of priorities. But the challenge is also about protecting the privacy of such data. This refers not to firewalls and nested demilitarized zones (DMZs). It means upholding our individual right to privacy and ensuring that personally identifiable information is collected and processed in accordance with applicable laws and regulations.

Why should we worry about this? Growing piles of personal data incur rising costs and risks for those who store it. Also, when existing data is illicitly enriched with information from social media networks or allegedly publicly available sources, there is a chance that the legitimacy of your whole database will be damaged. In addition, applicable laws and regulations require personal data to be actual, correct and up to date. If data quality is poor, and especially if data is not discarded or anonymized as soon as it serves no further use, serious regulatory and reputational issues may kick in. And of course, if such de facto commercially worthless data is ever lost, stolen or misused, and companies still find themselves exposed to legal liabilities and regulatory fines, this represents a bad case of capital waste.

To resolve this, I believe a change of mind-set is needed when thinking about privacy. CIOs, CISOs and privacy professionals all need to work more closely together. This shift can be incorporated into any wider change management program, to help raise awareness and improve behaviors. Here are four simple points for consideration, to get that process started:

  1. Rethink your approach to data consent forms in order to treat people’s rights to privacy fairly. Although almost nobody tends to read legal disclaimer forms and many simply tick the consent box, this is not a free pass to do whatever you wish with that information. You have to think deeply about how your use of that data will shape consumers’ perceptions of your firm and, ultimately, their valuable trust.
  2. Act with transparency and openness about your intentions. Inevitably, being more honest and up-front about how you plan to use someone’s personal data might mean fewer people consenting to that use. But there is another side to this coin. It also delivers a far more powerful ability to target individuals successfully. Instead of a shotgun approach to marketing, you might be able to build genuine relationships and trust with a smaller, but much more committed and engaged, customer community.
  3. Think of personal data as a business asset, not a commodity. It seems that many people tend to treat data as a simple commodity: IT controls access to it, but no one will accept genuine responsibility for what happens if it is lost or misused in some way. People need to be reminded that personal data is a valuable asset with which they have been entrusted – and it should be valued and treated as such.
  4. Learn to delete. We all have too much bad data: information that is outdated, unnecessary, legally questionable, simply incorrect, or that is stored on inaccessible legacy systems, in file formats that cannot be brought together easily with other data, and that, frankly, nobody would really miss if it was gone. But we’re terrified to delete anything, let alone to take up the mighty effort to focus on generating good data. This is fundamentally wrong. Sound information management over the entire lifetime of the data not only improves its quality and enables us to extract the most commercial value out of it. It also has impacts on remote areas such as customer satisfaction, process efficiency and product quality management. In spite of all ongoing trends, big data is not necessarily good data.

Of course, these few pointers are just the tip of the iceberg. There are many other ways to bring together data privacy and information security. Feel free to share any techniques you use in the comments section below.


4 thoughts on “How to reinforce data privacy, not just the security of information”

  1. Great post, thanks! It is especially no. 4 that I find relevant, though I’d rather have regulation for regular deletion. It bothers me that most data can be stored indefinitely and there is little to no control over who is doing what. Curious whether you see any possible solutions to this challenge, Dr. Jyn Schultze-Melling?

    1. There are a number of solutions for deletions. These will range from data on the users’ PCs/shared drives to databases in your data centres. One would need to have a host of solutions to deal with this problem across the board.

  2. Some really practical advice on how to reinforce data privacy – thank you for sharing. We’ve been looking at statistics from a recent Harvard Business Review survey, which show that more than three out of four respondents claimed information security and privacy issues are more significant than three years ago.
