By Tom Bale, Business Development and Technical Director, Logicalis
Like gold and diamonds, data is a commodity mined by those who see its value. We all have data, and create data, our digital footprint showing an ever more detailed trace of everything we do.
New tools for analysing data, through machine learning and AI, make it possible to find out more about us than we might ever have imagined, turning statistics into patterns, patterns into predictable trends, and predictable trends into new products, services, and opportunities.
While a lot of our online data is theoretically randomised – in reality, as the tools and techniques advance, we are never really anonymous.
Here are 12 things to consider to make your data, and the data you interact with more secure, private, and within your control.
Assume everything you do online is recorded and stored … somewhere
EU GDPR applies to organisations within the EU and to external organisations trading within the EU. The regulation stipulates data of EU citizens should not be transferred outside the EU unless data controllers or processors have put in place legally binding and enforceable contracts to protect the rights of subjects. This means data stored in the cloud should be stored within the EU or within a state that adheres with GDPR standards.
Understand what personal data covers
Personal data relates to data about an identifiable person. This clearly includes data that refers directly to a person, such as date of birth, address, CV, banking details, health records etc. And it also includes data with identifiers such as location data, ISP data or factors about the physical, genetic, mental, economic, social and cultural identify of people. With AI making it ever easier to analyse data, identifying someone by cross-referencing data sets is increasingly common.
Decide who is responsible for data risk management
Rather than finding someone to blame if things go wrong, organisations should identify who is responsible for data risk management to help make things right. While line managers should be involved in determining what data you need and acceptable risk levels, ultimately C-level executives, e.g. Chief Information Officers, Chief Data Officers, or Chief Security Officers need to take responsibility for getting buy-in from the board and to ensure the CEO understands policies and risks.
Delete information you no longer need
If information is no longer required, now is the time to delete it. Assessing what data you have, and why you need it is a vital step in a data audit. GDPR means there is an increased cost to keeping data - not just in storage and back up but in terms of risk, to reputations should data be breached and leaked, and to personal security of staff and clients should hackers steal it and put it up for sale on the dark web.
Back up information you do need
The rise of ransomware makes backing up data even more important so that if hackers encrypt your files, you will be able to go to your back up and retrieve the data. Back-ups need to be constant, so you don’t lose recent data, and in a format that is compatible with current systems so you can restore it as required to ensure it remains accessible, something which applies as much to favourite family photos as to major sales orders.
Consider encrypting sensitive data
Imagine how much simpler life would be during a cyber-attack if you knew hackers couldn’t do anything with your files. Encrypting sensitive data stops hackers, and inside sources, from removing data and leaking it to the media, such as with the ‘Paradise Papers’.
Monitor data flows
GDPR stipulates you should notify the Information Commissioner of a data breach within 72-hours. This means organisations need to step up monitoring, bringing in 24/7 monitoring so someone is keeping watch on your system and can identify unusual activity, investigate, and rectify the problem before it has time to affect more parts of your network.
The vast majority of data breaches are successful because they take advantage of known vulnerabilities that have not been patched or through social engineering. Keeping your systems patched and your staff trained, alert and aware of the risks will give you and your data greater protection against cyber-attacks.
Train and test staff
People remain the weakest link in most systems so training staff about how to stop systems being breached by cyber-attack, e.g. by not clicking links on websites or in phishing emails is vital. Regular testing helps keep cybersecurity top of mind. People also need specific training in new data protocols on how to handle, process, and store personal data to help protect it from accidental or deliberate breaches.
Make consent explicit
While mailing lists and most marketing revolves around ‘opt out’, GDPR shifts the focus to requiring people to ‘opt in’ to receive information. Companies should ensure data collection gains consent from individuals before harvesting and storing their data. Individuals also need to take time to read small print before signing up to services, downloading apps, or using programmes, as ticking boxes without thinking could lead to a greater transfer of personal data. This is even more important when signing up for financial service products as giving consent can now lead to your bank sharing all your financial data with other financial service firms.
Understand the value of your data
Individuals need to understand the value of their data and consider why companies want it. When a shop tries to get your email address to send you a receipt instead of printing it, they’re not just being eco, they’re gathering data on you … and your shopping habits. If a hotel or restaurant asks for your date of birth – ‘so they can send you a gift’ they’re not being nice – they’re looking for a way to extract more data about their customer profile. Always consider if giving up your data is necessary, and whether the people you give it to are likely to look after it properly.
Make data privacy part of the solution
Regarding data rights as a problem, or a compliance burden creates a negative mind-set around data protection. Improving data privacy processes can be a great opportunity for any organisation to re-evaluate security, systems, and procedures, helping make the whole business more efficient, and resilient.