Data Protection Top Ten Concerns

Published in: Technology, Business

  1. Data Protection: The Top Ten Concerns
     HISI Conference, Dublin
     Wednesday, Nov 16th, 2011

  2. Introduction
     • The Data Protection Rules
     • Areas for Concern
       - The Global Village
       - Obligation to Notify
       - What to prioritise?
     • Protecting Privacy
     • Capability and Compliance

  3. The Data Protection Rules
     Personal Data must be…
     • Obtained fairly
     • Processed for a specified purpose
     • Processed in a compatible manner
     • Kept safe and secure
     • Kept accurate and up-to-date
     • Processed adequately, not excessively
     • Retained only for as long as necessary
     • Stored to enable easy retrieval
  5. Challenge 1 – Safe and Secure
     Increased access to data & information:
     • Improved service provision
     • More timely interventions
     • More appropriate response
     • Better management of risk to clients
     Increased risk of breach, leakage, theft:
     • Reputational damage
     • 'Brand' damage
     • Breakdown in trust
     • Impact on commercial performance
     Billing and account data most at risk

  6. Challenge 1 – Safe and Secure
     The challenge is…
     • Technical
     • Physical
     • Emotional

  7. Challenge 2 – Breach Notification
     "… an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data"
     "Must give immediate consideration to notifying the data subjects"
     • Intended to redress the balance of control
     • Some discretion is left to the Data Controller
     • Reputational, commercial, professional impact
     • 'Doing nothing' is no longer an option

  8. Fewer than 50% of breaches are detected (Ponemon)
     Fewer than 40% of those are reported (Ponemon)
     Corollary: up to 80% are off management's radar

  9. Challenge 3 – Ambassadors and Assassins
     'Customers' are both the biggest data champions and the biggest data threat.
     Biggest data champions:
     • Champions for "new ways of working"
     • Drive ROI on investment in tools
     • Help drive the agenda re: use of data
     Biggest data threat:
     • 52% of breaches caused by unintentional actions (Ponemon)
     • 10% were 'intentional, non-malicious' (Ponemon)
     Will institutions pursue their 'star' practitioners?

  10. Challenge 4 – How to Prioritise?
     • 92%: people who believe automation increases the risk of data loss or theft
     • 71%: issues blamed on inadequate resourcing
     • <3%: budget allocated to data security
     Challenge: increased demands on reduced budgets

  11. Challenge 5 – How to value data?
     • Cost to acquire?
     • Value placed on accuracy? Integrity?
     • Tolerance for duplication? Obsolescence?
     • Cost if lost?
       - Average cost per lost record – €107k
       - Average data lost per incident – 1,769 records
       - Costs between $6.5m and $15m where media cover the loss
     • Penalty clauses in Data Processor contracts?

  12. Challenge 6 – Quality of Data?
     • Multiple sources, opportunity for error
     • Multiple system interfaces, data mapping
     • Assessment of data integrity, completeness
     • New phenomenon of 'facilitated' data
     • 77% cannot control physical access to stored data

  13. Challenge 7 – The Temptation to Share
     • Outsourcing of all aspects of data management
       - Acquisition
       - Processing
       - Analysis
       - Evaluation
       - Security
       - Storage
     • Non-prescriptive Processor contract
     • Adequacy of protection at overseas destination
     • Undermined reputation of Safe Harbor
     • 'Trust … but verify!'

  14. Challenge 8 – The Cloud – opportunity or threat?
     • Fastest growing new sector
     • Significant savings in maintenance, resource and licensing
     • Super-jurisdictional processing, storage
     • Different from historical supported models
     • Ultimate onus remains with the Data Controller

  15. Challenge 9 – Who has our data?
     • Imbalance of Sensitive Personal Data
     • Multiple channels for data transfer
     • Status of third-party and sub-contracts
     • How and when to anonymise

  16. Challenge 10 – Should it stay or should it go?
     • Retain for duration of specified purpose
     • The temptation to retain indefinitely
     • Possibility of 'undefined future use'
     • Storage costs no longer a decision driver
     • Verifiable destruction?

  17. When is enough enough?
     • Core set of policies and procedures
     • Integrated processes – 'joined-up thinking'
     • Staff awareness
     • Consistent policies across faculties, departments
     • Appropriate templates
     • Regular audit / review
     • Data Controller's best endeavours

  18. Data Protection – Inhibitor or Enabler?
     • Improved awareness of data quality, integrity
     • Increased accuracy of data
     • Reliability of analysis and decision-making
     • Heightened awareness of Data Subjects' rights
     • Protects brand, reputation, credibility, trust