GDPR and the End of Reckless Data Sharing

Originally posted: https://www.securityroundtable.org/gdpr-end-reckless-data-sharing/

The European Union’s General Data Protection Regulation (GDPR) will put every company with a digital strategy at risk of significant financial penalties. Any company that processes any personal information on EU citizens—whether as customers, employees, or business partners—and fails to comply, could face fines up to four percent of their annual global revenues, as well as severe reputational damage. And compliance will require much more than simply encrypting this data.   
The GDPR, which kicks in on May 25 of this year, harmonizes national data-protection laws within the EU. It seeks to ensure that personal data is protected against misuse and theft and gives EU citizens control over how their data is used.
Most companies today are at risk of non-compliance, since few, if any, actually have full control over their customer’s data. While many organizations have made strides in protecting the data that sits in their primary repositories, they might not take into account the myriad ways in which they share that information today. Companies are more reliant on ecosystem partners and technology providers than ever before, and the looming GDPR deadline underscores a broken model of data sharing among companies and their partners.
The scope of the GDPR is far-reaching, covering any information that can be linked to an identifiable individual (search engine queries, employee authentication, payment transactions, closed-circuit-television footage), in any format (structured or unstructured) and held in any medium (online, offline, or backup storage). As a result, the scope of data protection, companies must now put in place must be much broader than that under current standards.
Hope is not a strategy
Most companies must share data with their suppliers, customers, insurers, distributors, and advisors to compete and deliver superior customer experience today. And they share that data in one of three ways, none of which fully protects it:
  • Pass the data fully over to the partner with a legal contract detailing the degree to which the partner must apply protections to the data. However, that does not ensure that the partner will comply 100 percent.
  • Encrypt the data and grant access with passwords, which helps protect the data from hackers and others who may attempt to access the data , but once the files have been given to the trusted third party, it might be duplicated, shared with other systems, or otherwise exposed .
  • Programmatically grant access to the data via an application programming interface (API), which is a more automated approach to data sharing. The API method, nonetheless, typically leaves the partner with the ability to store the shared data locally or duplicate it, again risking exposure.
In effect, companies are simply trusting—and hoping—that their partners will properly protect customer data. The forthcoming GDPR laws, however, make clear that such hope will not be an effective strategy for compliance.
The cloud is not a panacea
Ecosystem partnerships are not the only weak link in the data-protection chain. Companies also face significant data-exposure risk because of the software and service providers that have access to their customer data.
An increasing number of companies today use software-as-a-service (SaaS) solutions for sales, customer service, ecommerce, email, and more to improve their agility, responsiveness, and customer experience. Unfortunately, many business users sign up for these services without a clear understanding of whether the provider can comply with the GDPR or other data regulations. They quickly accept the terms of service without reading through the multiple pages of eight-point text detailing the rights they have granted the technology provider—a partner that may not be eager to stand by their side in court for exposing personally identifiable information. So, while many will argue—and rightly so—that major providers of cloud services spend more on data privacy and security than a single company could afford to invest in its own data center, third-party solutions must, nevertheless, be scrutinized.
A responsible approach to data sharing
What companies must do to address these risks, ultimately, is to take full responsibility for the protection of their customer data—wherever it goes, wherever it resides. That’s no small task in an era in which data sharing within digital ecosystems is all but a requirement to thrive in today’s marketplace. Every company must work collaboratively within its ecosystems to ensure compliance, understanding that protecting customer data remains its responsibility—even when it is in their partners’ possession. Some actions companies can take to handle this include:
Create a cross-functional GDPR task force. Most GDPR programs lack clear ownership. Ensuring compliance requires an approach that cuts across functions and businesses units. Stakeholders who understand that current state of data sharing and associated risk—legal, compliance, line of business leaders, IT, risk management, information security—must commit to, and share responsibility for, a road map for change. Senior leadership approval and buy-in is vital so that the program is securely anchored to your company’s overall strategy.
Map the customer data-sharing journey. McKinsey & Company has advised that companies build what it calls a “golden record” of personal data processing: where it comes from, what is done with it, what the regulations are for processing it, and with whom it is shared.
Employ data hubs with secure connections. Companies can store customer data in systems they control, such as co-location data hubs in the metropolitan areas where the company operates, for example, and employing private, secure interconnections with partners, ecosystems, or cloud service providers. In this way, third parties can query the system for required customer information without gaining full access to the customer’s personal or private data.
Share insights instead of data. An even more secure approach is to shift the focus from data sharing to “insight sharing”—in other words, passing along the data-derived intelligence required to deliver an effective customer experience rather than the data itself. For example, if a reseller needs to know how many customers in what cities have inquired about a new product offering, the company can provide aggregate results that detail the location and types of customers without exposing names or contact information. This approach empowers the ecosystem without exposing sensitive data and putting you at risk for GDPR non-compliance.
If your company’s customer data is exposed, it is unlikely to matter to GDPR enforcers that it was the result of a lapse on the part of a business partner or technology provider; your company will be held responsible for compliance. Now is the time for global firms to reassess their data sharing processes—or risk major consequences.

Comments

Post a Comment

Popular posts from this blog

Why Equinix? Multicloud Is Everyone's Reality

Image
I’ve had  lots of people ask me  why I would leave a high profile job as  Chief Strategist  for Microsoft’s  Cloud+Enterprise division . The answer stems from the over 400 customer engagements I had during that time, where nearly every enterprise told me they were connected to  at least four cloud services . Where IT would bring in Azure,  Okta ,  Office 365  and  IBM Watson , the line of business would bring in  Salesforce ,  Demandbase ,  Amazon Web Services ,  Box  and many others. And none were going all-in on cloud. Thus the key challenge nearly all these companies expressed was a need for better integration between these services. And that’s exactly what Equinix excels at. As Gartner analyst  Bob Gill  puts it, in his  July 28, 2016 report , "Digital business is enabled and enhanced through high-speed, secure, low-latency communication among enterprise assets, cloud resources, and an ecosystem of service providers and peers. Architects and IT leaders must consider carri
Read more

Apps are No Longer Apps

Image
There’s been significant debate over the last couple years about where the future of application design will land -  serverless , containers, microservices,  bots  or something completely new. The real answer - none of the above. The future of application design, and frankly the reality today, is hybrid.  Apps aren’t self-contained code anymore. Apps today are really workflows that integrate multiple components to deliver a defined customer experience, address a business need or enable a product or service capability. These workflows often involve a mobile app talking to a SaaS service, connected to an on-premise data or a legacy tool. For example, look at the architecture of  GE Predix . It’s inherently hybrid, bringing together data from on-premise resources and field locations to empowering remote workers and smart devices through the CloudFoundry microservices platform. While Predix is a platform, your use of it is what creates your hybrid app.  This isn’t to say that the em
Read more