How important is data?
By Barry McMahon
As data becomes the watchword of business, data protection has become more important than ever.
Data protection is becoming more important – and the industry knows it. BT Ireland commissioned Amárach Research to gain insights into how important data has become and discovered that the concerns of Ireland’s IT leaders around privacy and security have grown as data has become not only voluminous, but central to business operations.
Data protection – what it is and why it is important
For the IT department, security and privacy are now seen as the most important issues in business.
Data has become so important that 67 percent of CIOs and IT leaders believe that, in the future, company statements to investors should specifically address data management capabilities, bringing into focus how organisations protect, manage and store data.
A data breach is rated, by CIOs and IT leaders, as four times worse than the CEO unexpectedly walking out the door, a major profit warning, or even a product recall.
The background to this is the governmental, and indeed intergovernmental, response to the growth of data as a driver of business as well as a subject of public concern. New regulatory regimes are about to come into place, such as the EU’s General Data Protection Regulation (GDPR) due to come into force later this year and the EU-US Privacy Shield, which will replace the Safe Harbor agreement that has become invalid following a European Court of Justice judgment on the Schrems vs. Facebook case.
Recent high profile breaches significantly impact businesses
There have been a number of high profile breaches. These significantly damage the brand and the company but it could be argued that the residual impact is felt more by the customer whose data has been compromised. That’s not something that can be undone. It is clear that customers do move away from companies that have been breached.
A recent survey showed 33 per cent of people would close an account if that provider had a data breach.
Some recent breaches have gone undetected for a long time: five months in the case of a US-based home improvement and construction service provider that had 59 million credit and debit card details and 109 million records stolen.
In the past 14 months, five breaches accounted for 77 percent of all breaches globally, in terms of records taken.
The external threat isn’t the only one, however. Disgruntled employees and poor security practices also provide an opportunity for breaches. One global telco lost 280,000 records in an internal breach, and in 2013 the government of the German state of Rhineland-Palatinate bought – for four million euros – a CD-ROM of data on German account holders in Swiss banks.
The fact that it may come from the inside-out is not always considered, but an internal breach may be more damaging, as access to data is greater and the employee can walk out the door.
What do organisations need to do?
But what to do about the issue? The EU’s GDPR will give legal clarity, as it will be an EU-wide regulation rather than a directive, which is written into national law at the discretion of the various parliaments. A key difference between the GDPR and its predecessor will be the level of financial penalties for non-compliance, with fines of up to 4 per cent of turnover or up to 20 million euro, whichever is larger. That will ensure organisations sit up and take notice.
Internal procedures should be scrutinised and a holistic view of data protection requirements should be taken.
The objective for many organisations is to try to define what they mean by data security. Infrastructure people talk about backup and disaster recovery, but what happens if somebody decides they want to invoke their right to be forgotten? Security professionals want to put identity and access management policies in place, but are those policies correctly implemented if people aren’t set to the right access levels? Are the privacy people just working to the letter of the law?
Regulators are going to use the new regulation to change the way business is conducted. The EU is going to take this very seriously when they bring it in this year. Everyone will have two years to comply with it, but it’s not going to be easy for a lot of organisations to take on. They will have to up-skill staff, take on data protection officers and get accreditation.
It’s not all bad news. Yes, there are challenges, but there are organisations out there that will use the requirements for data protection as a way to differentiate their products.
When you look at the BT Compute portfolio (data centre and cloud services), we have 19 data centres across Europe where you can host your services and keep your data. The choice is yours. That’s not the same for every provider and when the GDPR ruling comes in, data location will become a growing requirement.
Accreditations such as ISO 27001 and ISO 20000 will become the minimum for data centres and hosting providers. The maturity of such accreditations will be brought into focus – are they embedded in the organisation or recently acquired?
So what’s the advice? Nobody is an expert in all elements of data protection, but if you must be compliant due to the nature of your business, you need to explore whether this compliance can be obtained via a third-party partner for services such as hosting, cloud and data storage. This will go a long way towards meeting your own needs and the needs of your customers, potential and existing.
In conclusion, many of the global players will have a position on how to be compliant, so why not leverage the investments they make, if it suits your business to do so?
* Edited from the original publication in Connected SBP Magazine – 03/04/2016.