Risk and compliance: The importance of data, and its protection

25 May 2016

As data becomes the watchword of business, data protection has become more important than ever, says BT Ireland’s Barry McMahon.

Data protection is becoming more important – and the industry knows it.

BT Ireland commissioned Amárach Research to gain insights into how important data has become and discovered that the concerns of Ireland’s IT leaders around privacy and security have grown as data has become not only voluminous, but central to business operations.

For the IT department, security and privacy are now seen as the most important issues in business.

Data has become so important that 67pc of CIOs and IT leaders believe that, in the future, company statements to investors should specifically address data management capabilities, bringing into focus how organisations protect, manage and store data.

A data breach is rated, by CIOs and IT leaders, as four times worse than the CEO unexpectedly walking out the door, a major profit warning, or even a product recall.

The background to this is the governmental, and indeed intergovernmental, response to the growth of data as a driver of business, as well as a subject of public concern. New regulatory regimes are about to come into place, such as the EU’s General Data Protection Regulation (GDPR), which came into force on 24 May 2016 and will apply from 25 May 2018; and the EU-US Privacy Shield, which will replace the Safe Harbour agreement that has become invalid following a European Court of Justice judgment on the Schrems v Facebook case.

Breaches can be inside jobs

There have been a number of recent high-profile breaches significantly impacting businesses. These breaches damage the brand and the company, but it could be argued that the residual impact is felt more by the customer whose data has been compromised. That’s not something that can be undone, and it is clear that customers do move away from companies that have been breached; a recent survey showed 33pc of people would close an account if that provider had a data breach.

Some recent breaches have gone undetected for a long time – five months in the case of a US-based home improvement and construction service provider that had 59m credit and debit card details and 109m records stolen.

In the past 14 months, five breaches accounted for 77pc of all breaches globally, in terms of records taken.

The external threat isn’t the only one, however. Disgruntled employees and poor security practices also provide an opportunity for breaches. One global telco lost 280,000 records in an internal breach and 2013 saw the government of the state of Rhineland-Palatinate in Germany buy, for €4m, a CD-ROM of data on German account holders in Swiss banks.

The fact that a breach may come from the inside is not always considered, but an internal breach can be more damaging, as the employee's access to data is greater and they can simply walk out the door with it.

Changes in regulation

But what to do about the issue? The EU’s GDPR will give legal clarity as it will be an EU-wide regulation, rather than a directive, written into national law at the discretion of the various parliaments.

A key difference between the GDPR and its predecessor will be the level of financial penalties levied for non-compliance, with fines of up to 4pc of turnover or up to €20m, whichever is larger. That will ensure organisations sit up and take notice.

Internal procedures should be scrutinised and a holistic view of data protection requirements should be taken.

The objective for many organisations is to try to define what they mean by data security. Infrastructure people talk about back-up and disaster recovery, but what happens if somebody decides they want to invoke their right to be forgotten?

Security professionals want to put in place identity and access-management policies, but are those policies correctly implemented if people aren't assigned the right access levels? Are the privacy people just working to the letter of the law?

Regulators are going to use the new regulation to change the way business is conducted, and the EU is going to take this very seriously. Everyone will have two years to comply with it, but it’s not going to be easy for a lot of organisations to take on. They will have to upskill staff, take on data protection officers and get accreditation.

How to stay compliant

It’s not all bad news. Yes, there are challenges, but there are organisations out there that will use the requirements for data protection as a way to differentiate their products from the competition.

With the GDPR ruling coming in, data location will become a growing requirement, and accreditations such as ISO 27001 and ISO 20000 will become the minimum for data centres and hosting providers. The maturity of such accreditations will be brought into focus, with clients wanting to know if they are embedded in the organisation or recently acquired.

So, what’s the advice? It’s hard to find an expert in all elements of data protection but if you must be compliant due to the nature of your business, you should explore if this compliance can be obtained via a third-party partner who has compliance built into services, such as connectivity, hosting, cloud and data storage. This will go a long way to meeting your own needs and the needs of your customers – potential and existing.

In conclusion, many of the global players will have a position on how to be compliant, so why not leverage the investments they make, if it suits your business to do so.

By Barry McMahon

Barry McMahon leads the data centre and cloud proposition for BT Ireland. Having successfully launched BT’s Global Cloud IaaS into the Irish market, McMahon strives to address the voice of the customer and the wider market trends through product innovation, proposition design and partner capabilities.

A version of this article originally appeared on the BT Ireland Blog.
