Data Protection: Top Ten Concerns
Data Protection – The Top Ten Concerns
HISI Conference, Dublin
Wednesday, Nov 16th, 2011
Introduction
The Data Protection Rules
Areas for Concern
The Global Village
Obligation to Notify
What to prioritise?
Protecting Privacy
Capability and Compliance
The Data Protection Rules
Personal Data must be…
Obtained Fairly
Processed for a Specified Purpose
Processed in a Compatible Manner
Kept Safe and Secure
Kept Accurate and Up-to-date
Processed adequately, not excessively
Retained only for as long as necessary
Stored to enable easy retrieval
Challenge 1 – Safe and Secure
Automation
Increased access to data & information
Increased Risk of Breach, Leakage, Theft
Improved service provision
More timely interventions
More appropriate response
Better management of risk to clients
Reputational damage
‘Brand’ damage
Breakdown in trust
Impact on commercial performance
Billing and Account Data most at risk
Challenge 1 – Safe and Secure
Challenge is…
Technical
Physical
Emotional
Challenge 2 – Breach Notification
“… an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data”
“Must give immediate consideration to notifying the data subjects”
Intended to redress the balance of control
Some discretion is left to the Data Controller
Reputational, commercial, professional impact
‘Doing nothing’ no longer an option
Fewer than 50% of breaches are detected (Ponemon)
Fewer than 40% of these are reported (Ponemon)
Corollary:
Up to 80% are off management’s radar
Challenge 3 – Ambassadors and Assassins
Big Data Users: the biggest data ‘customers’ and the biggest data threat
Champions for “new ways of working”
Drive ROI on investment in tools
Help drive the agenda re: use of data
52% of breaches caused by unintentional actions (Ponemon)
10% were ‘intentional, non-malicious’ (Ponemon)
Will institutions pursue their ‘star’ practitioners?
Challenge 4 – How to Prioritise?
Figures shown on the slide: 92%, 71%, <3%
People who believe automation increases risk of data loss or theft
% of issues blamed on inadequate resourcing
% of budget allocated to data security
Challenge: Increased demands on reduced budgets
Challenge 5 – How to value data?
Cost to acquire? Value placed on accuracy? Integrity? Tolerance for duplication? Obsolescence?
Cost if lost?
Average cost per lost record – €107k
Average data lost per incident – 1,769 records
Costs between $6.5m and $15m where media cover the loss
Penalty clauses in Data Processor contracts?
Challenge 6 – Quality of Data?
Multiple Sources, opportunity for error
Multiple system interfaces, data mapping
Assessment of data integrity, completeness
New phenomenon of ‘facilitated’ data
77% cannot control physical access to stored data
Challenge 7 – The Temptation to Share
Outsourcing of all aspects of data management: acquisition, processing, analysis, evaluation, security, storage
Non-prescriptive Processor contract
Adequacy of protection at overseas destination
Undermined reputation of Safe Harbor
‘Trust … but verify!’
Challenge 8 – The Cloud – opportunity or threat?
Fastest growing new sector
Significant savings in maintenance, resource and licensing
Super-jurisdictional processing, storage
Different from historical supported models
Ultimate onus remains with Data Controller
Challenge 9 – Who has our data?
Imbalance of Sensitive Personal Data
Multiple channels for data transfer
Status of third-party and sub-contracts
How and when to anonymise
Challenge 10 – Should it stay or should it go?
Retain for duration of specified purpose
The temptation to retain indefinitely
Possibility of ‘undefined future use’
Storage costs no longer a decision driver
Verifiable destruction?
When is enough enough?
Core set of policies and procedures
Integrated processes – ‘joined-up thinking’
Staff awareness
Consistent Policies across faculties, departments
Appropriate templates
Regular audit / review
Data Controller’s best endeavours
Data Protection – Inhibitor or Enabler?
Improved awareness of data quality, integrity
Increased accuracy of data
Reliability of analysis and decision-making
Heightened awareness of Data Subjects’ rights
Protects brand, reputation, credibility, trust