data protection top ten concerns

THE TOP TEN CONCERNS HISI CONFERENCE, DUBLIN WEDNESDAY, NOV 16TH, 2011 Data Protection

TRANSCRIPT

Page 1: Data Protection Top Ten Concerns

THE TOP TEN CONCERNS

HISI CONFERENCE, DUBLIN

WEDNESDAY, NOV 16TH, 2011

Data Protection

Page 2: Data Protection Top Ten Concerns

Introduction

The Data Protection Rules

Areas for Concern

The Global Village

Obligation to Notify

What to prioritise?

Protecting Privacy

Capability and Compliance

Page 3: Data Protection Top Ten Concerns

The Data Protection Rules

Personal Data must be…

Obtained Fairly

Processed for a Specified Purpose

Processed in a Compatible Manner

Kept Safe and Secure

Kept Accurate and Up-to-date

Processed adequately, not excessively

Retained only for as long as necessary

Stored to enable easy retrieval

Page 4: Data Protection Top Ten Concerns

The Data Protection Rules

Obtained Fairly

Processed for a Specified Purpose

Processed in a Compatible Manner

Kept Safe and Secure

Kept Accurate and Up-to-date

Processed adequately, not excessively

Retained only for as long as necessary

Stored to enable easy retrieval

Page 5: Data Protection Top Ten Concerns

Challenge 1 – Safe and Secure

Automation

Increased access to data & information

Increased Risk of Breach, Leakage, Theft

Improved service provision

More timely interventions

More appropriate response

Better management of Risk to clients

Reputational damage

‘Brand’ damage

Breakdown in trust

Impact on Commercial Performance

Billing and Account Data most at risk

Page 6: Data Protection Top Ten Concerns

Challenge 1 – Safe and Secure

Challenge is …

Technical

Physical

Emotional

Page 7: Data Protection Top Ten Concerns

Challenge 2 – Breach Notification

“… an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data”

“Must give immediate consideration to notifying the data subjects”

Intended to redress the balance of control

Some discretion is left to the Data Controller

Reputational, Commercial, Professional impact

‘Doing Nothing’ no longer an option

Page 8: Data Protection Top Ten Concerns

Fewer than 50% of breaches are detected (Ponemon)

Fewer than 40% of these are reported (Ponemon)

Corollary:

Up to 80% are off management’s radar

Page 9: Data Protection Top Ten Concerns

Challenge 3 – Ambassadors and Assassins

Biggest Data ‘Customers’

Biggest Data threat

Big Data Users

Champions for “new ways of working”

Drive ROI on investment in tools

Help drive the agenda re: use of data.

52% of breaches caused by unintentional actions (Ponemon)

10% were ‘intentional, non-malicious’ (Ponemon)

Will institutions pursue their ‘star’ practitioners?

Page 10: Data Protection Top Ten Concerns

Challenge 4 – How to Prioritise?

People who believe automation increases risk of data loss or theft

% of issues blamed on inadequate resourcing

<3%

92%

71%

% of budget allocated to data security

Challenge: Increased demands on reduced budgets

Page 11: Data Protection Top Ten Concerns

Challenge 5 – How to value data?

Cost to acquire?

Value placed on accuracy?

Integrity?

Tolerance for duplication?

Obsolescence?

Cost if lost?

Average cost per lost record - €107k

Average data lost per incident – 1769 records

Costs between $6.5m and $15m where media cover the loss

Penalty clauses in Data Processor contracts?

Page 12: Data Protection Top Ten Concerns

Challenge 6 – Quality of Data?

Multiple Sources, opportunity for error

Multiple system interfaces, data mapping

Assessment of data integrity, completeness

New phenomenon of ‘facilitated’ data

77% cannot control physical access to stored data

Page 13: Data Protection Top Ten Concerns

Challenge 7 – The Temptation to Share

Outsourcing of all aspects of data management

Acquisition

Processing

Analysis

Evaluation

Security

Storage

Non-prescriptive Processor contract

Adequacy of protection at overseas destination

Undermined reputation of Safe Harbor

‘Trust … but verify!’

Page 14: Data Protection Top Ten Concerns

Challenge 8 – The Cloud – opportunity or threat?

Fastest growing new sector

Significant savings in maintenance, resource and licensing

Super-jurisdictional processing, storage

Different from historical supported models

Ultimate onus remains with Data Controller

Page 15: Data Protection Top Ten Concerns

Challenge 9 – Who has our data?

Imbalance of Sensitive Personal Data

Multiple channels for data transfer

Status of third-party and sub-contracts

How and when to anonymise

Page 16: Data Protection Top Ten Concerns

Challenge 10 – Should it stay or should it go?

Retain for duration of specified purpose

The temptation to retain indefinitely

Possibility of ‘undefined future use’

Storage costs no longer a decision driver

Verifiable destruction?

Page 17: Data Protection Top Ten Concerns

When is enough enough?

Core set of policies and procedures

Integrated processes – ‘joined-up thinking’

Staff awareness

Consistent Policies across faculties, departments

Appropriate templates

Regular audit / review

Data Controller’s best endeavours

Page 18: Data Protection Top Ten Concerns

Data Protection – Inhibitor or Enabler?

Improved awareness of data quality, integrity

Increased accuracy of data

Reliability of analysis and decision-making

Heightened awareness of Data Subjects’ rights

Protects brand, reputation, credibility, trust