Data Protection Top Ten Concerns
1. Data Protection
THE TOP TEN CONCERNS
HISI CONFERENCE, DUBLIN
Wednesday, Nov 16th, 2011
2. Introduction
The Data Protection Rules
Areas for Concern
The Global Village
Obligation to Notify
What to prioritise?
Protecting Privacy
Capability and Compliance
3. The Data Protection Rules
Personal Data must be…
Obtained Fairly
Processed for a Specified Purpose
Processed in a Compatible Manner
Kept Safe and Secure
Kept Accurate and Up-to-date
Processed adequately, not excessively
Retained only for as long as necessary
Stored to enable easy retrieval
5. Challenge 1 – Safe and Secure
Opportunities:
Increased access to data & information
Improved service provision
More timely interventions
More appropriate response
Better management of risk to clients
Risks:
Increased risk of breach, leakage, theft
Reputational damage
'Brand' damage
Breakdown in trust
Impact on commercial performance
Billing and Account Data most at risk
6. Challenge 1 – Safe and Secure
Challenge is …
Technical
Physical
Emotional
7. Challenge 2 – Breach Notification
“… an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data”
“Must give immediate consideration to notifying the data subjects”
Intended to redress the balance of control
Some discretion is left to the Data Controller
Reputational, Commercial, Professional impact
'Doing Nothing' no longer an option
8. Fewer than 50% of breaches are detected (Ponemon)
Fewer than 40% of these are reported (Ponemon)
Corollary: up to 80% are off management's radar
9. Challenge 3 – Ambassadors and Assassins
Biggest Data Ambassadors and Biggest Data Threat: 'Customers'
Ambassadors:
Champions for “new ways of working”
Drive ROI on investment in tools
Help drive the agenda re: use of data
Threat:
52% of breaches caused by unintentional actions (Ponemon)
10% were 'intentional, non-malicious' (Ponemon)
Will institutions pursue their 'star' practitioners?
10. Challenge 4 – How to Prioritise?
92% of people believe automation increases risk of data loss or theft
71% of issues blamed on inadequate resourcing
<3% of budget allocated to data security
Challenge: Increased demands on reduced budgets
11. Challenge 5 – How to value data?
Cost to acquire?
Value placed on accuracy? Integrity?
Tolerance for duplication? Obsolescence?
Cost if lost?
Average cost per lost record – €107k
Average data lost per incident – 1,769 records
Costs between $6.5m and $15m where media cover the loss
Penalty clauses in Data Processor contracts?
12. Challenge 6 – Quality of Data?
Multiple Sources, opportunity for error
Multiple system interfaces, data mapping
Assessment of data integrity, completeness
New phenomenon of 'facilitated' data
77% cannot control physical access to stored data
13. Challenge 7 – The Temptation to Share
Outsourcing of all aspects of data management
Acquisition
Processing
Analysis
Evaluation
Security
Storage
Non-prescriptive Processor contract
Adequacy of protection at overseas destination
Undermined reputation of Safe Harbor
'Trust … but verify!'
14. Challenge 8 – The Cloud – opportunity or threat?
Fastest growing new sector
Significant savings in maintenance, resource and licensing
Super-jurisdictional processing, storage
Different from historical supported models
Ultimate onus remains with Data Controller
15. Challenge 9 – Who has our data?
Imbalance of Sensitive Personal Data
Multiple channels for data transfer
Status of third-party and sub-contracts
How and when to anonymise
16. Challenge 10 – Should it stay or should it go?
Retain for duration of specified purpose
The temptation to retain indefinitely
Possibility of 'undefined future use'
Storage costs no longer a decision driver
Verifiable destruction?
17. When is enough enough?
Core set of policies and procedures
Integrated processes – 'joined-up thinking'
Staff awareness
Consistent Policies across faculties, departments
Appropriate templates
Regular audit / review
Data Controller's best endeavours
18. Data Protection – Inhibitor or Enabler?
Improved awareness of data quality, integrity
Increased accuracy of data
Reliability of analysis and decision-making
Heightened awareness of Data Subjects' rights
Protects brand, reputation, credibility, trust