Managing Personal Information in the Age of GDPR
By Thomas Stocking, Chief Information Security Officer
It’s hard to be a data manager these days. The use of data for business over the last decade and a half has driven a huge explosion in advertising, with targeted ads and consumer profiling. Companies look to monetize data streams wherever they can. There’s even a data marketplace on Amazon. Data Scientist is a profession now, and Machine Learning and Artificial Intelligence systems can use the massive datasets that exist today to train models and derive algorithms. Data Science is a huge field, and its growth even in the last couple of years has been tremendous.
The Consequences of Big Data
An unfortunate result of this growth is that data can be used without regard to its sensitivity. Too often in the business world, advantage is taken without concern for the consequences borne by the “Data Subjects.” The lure of new revenue streams from the vast accumulations of data points many businesses have acquired is too strong to ignore, and until recently there was only a small risk of fines or reputational damage.
Inadequate security has been at least as big a problem as improper use. Many data breaches have been reported over the last decade, and not just from companies that are in the data harvesting business.
You don’t have to be a criminal enterprise to be liable for bad data practices. Even plain inept data management will get you in trouble. The GDPR (General Data Protection Regulation) is a globally enforced law that governs how personal data on EU citizens is used, maintained, and secured. The risk of being unethical, or even just sloppy, is finally growing, and growing by a lot. Fines for violating the GDPR can run as high as 20 Million Euro (about 23 Million USD) or 4% of your revenue, whichever is bigger. That’s a risk that will catch the attention of most companies.
And all of this adds to the burden of data managers.
Best Practices for Data Managers
The good news is that data managers can count on backing from company leadership. Your job is important, and typically this is recognized and rewarded. In many businesses, data is the crown jewel, and resources to protect and manage it properly are provided.
It takes money and time to manage data correctly. Data managers know what they need to do to protect data. It’s a combination of good practices, including:
Education
Make sure your workforce is informed about the GDPR and other relevant legislation. Make sure they know the company’s security and privacy policies, and where to find them.
Cybersecurity
Invest in real-life security measures appropriate for your organization’s size and exposure levels. There are plenty of ways to do this, starting with a risk assessment and policy framework, all the way up to complex and effective technologies like XDR (Extended Detection and Response), SASE (Secure Access Service Edge), and DLP (Data Loss Prevention), to mention just a few.
Manage the Data
Making sure any Personally Identifiable Information (PII) your organization handles is safe means knowing where it is and how much of it you have. Minimizing the data you handle to just what is necessary for your business is key. Don’t save data you will never use, and don’t use data for a purpose other than the one you collected it for.
Engage the Data Subjects
Your data subjects have rights. Show you respect those rights by describing your efforts to do so. You will build trust and goodwill, and that’s the biggest advantage any business can gain.
Navigating the GDPR and other data regulations can be an onerous, yet worthwhile, task. By steering resources in the right direction, data managers can properly protect and manage their companies’ data.