Data Protection: The Top Ten Concerns
HISI Conference, Dublin
Wednesday, Nov 16th, 2011
Agenda
- Introduction
- The Data Protection Rules
- Areas for Concern
- The Global Village
- Obligation to Notify
- What to prioritise?
- Protecting Privacy
- Capability and Compliance
The Data Protection Rules
Personal Data must be...
- Obtained fairly
- Processed for a specified purpose
- Processed in a compatible manner
- Kept safe and secure
- Kept accurate and up-to-date
- Processed adequately, not excessively
- Retained only for as long as necessary
- Stored to enable easy retrieval
Challenge 1 – Safe and Secure
Increased access to data & information:
- Improved service provision
- More timely interventions
- More appropriate response
- Better management of risk to clients
Increased risk of breach, leakage, theft:
- Reputational damage
- 'Brand' damage
- Breakdown in trust
- Impact on commercial performance
Billing and account data most at risk
Challenge 1 – Safe and Secure
Challenge is ... Technical, Physical, Emotional
Challenge 2 – Breach Notification
"... an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data"
"Must give immediate consideration to notifying the data subjects"
- Intended to redress the balance of control
- Some discretion is left to the Data Controller
- Reputational, commercial, professional impact
- 'Doing nothing' no longer an option
- Fewer than 50% of breaches are detected (Ponemon)
- Fewer than 40% of these are reported (Ponemon)
- Corollary: up to 80% are off management's radar
Challenge 3 – Ambassadors and Assassins
Biggest data champions:
- 'Customers' for "new ways of working"
- Drive ROI on investment in tools
- Help drive the agenda re: use of data
Biggest data threat:
- 52% of breaches caused by unintentional actions (Ponemon)
- 10% were 'intentional, non-malicious' (Ponemon)
Will institutions pursue their 'star' practitioners?
Challenge 4 – How to Prioritise?
- 92%: people who believe automation increases risk of data loss or theft
- 71%: issues blamed on inadequate resourcing
- <3%: budget allocated to data security
Challenge: increased demands on reduced budgets
Challenge 5 – How to value data?
- Cost to acquire?
- Value placed on accuracy? Integrity?
- Tolerance for duplication? Obsolescence?
- Cost if lost?
- Average cost per lost record – €107k
- Average data lost per incident – 1769 records
- Costs between $6.5m and $15m where media cover the loss
- Penalty clauses in Data Processor contracts?
Challenge 6 – Quality of Data?
- Multiple sources, opportunity for error
- Multiple system interfaces, data mapping
- Assessment of data integrity, completeness
- New phenomenon of 'facilitated' data
- 77% cannot control physical access to stored data
Challenge 7 – The Temptation to Share
- Outsourcing of all aspects of data management: acquisition, processing, analysis, evaluation, security, storage
- Non-prescriptive Processor contract
- Adequacy of protection at overseas destination
- Undermined reputation of Safe Harbor
- 'Trust ... but verify!'
Challenge 8 – The Cloud – opportunity or threat?
- Fastest growing new sector
- Significant savings in maintenance, resource and licensing
- Super-jurisdictional processing, storage
- Different from historical supported models
- Ultimate onus remains with the Data Controller
Challenge 9 – Who has our data?
- Imbalance of Sensitive Personal Data
- Multiple channels for data transfer
- Status of third-party and sub-contracts
- How and when to anonymise
Challenge 10 – Should it stay or should it go?
- Retain for duration of specified purpose
- The temptation to retain indefinitely
- Possibility of 'undefined future use'
- Storage costs no longer a decision driver
- Verifiable destruction?
When is enough enough?
- Core set of policies and procedures
- Integrated processes – 'joined-up thinking'
- Staff awareness
- Consistent policies across faculties, departments
- Appropriate templates
- Regular audit / review
- Data Controller's best endeavours
Data Protection – Inhibitor or Enabler?
- Improved awareness of data quality, integrity
- Increased accuracy of data
- Reliability of analysis and decision-making
- Heightened awareness of Data Subjects' rights
- Protects brand, reputation, credibility, trust