
Five ways to put personal data out of harm's way

Handling personal data can be costly and hazardous for businesses, which is why they are increasingly looking for an exit strategy that shifts the burden onto third-party providers.

Against a backdrop of rising costs and risks, organisations are already looking at ways of divesting liability for processing personal data relating to staff and customers.

But to do so safely, they'll need to devise an approach that puts such data at arm's length while still maintaining legal accountabilities, according to Gartner.

By 2019, 90 percent of all organisations will have handed control of some employee and customer data to third parties, the analyst firm estimates in a new report.

"The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years," Gartner research vice president Carsten Casper said.

Security risks of personal data

That shift is being driven by the cost of administering personal records, mounting volumes of private information from customers, and fears about the target such data presents to computer criminals.

"We're not saying all this data goes away. But one way or another, most organisations will have given away some of this personal data. Some have already today. They're still accountable for that data but they don't own and control the underlying infrastructure - the IT systems," Casper said.

"This trend will continue, especially in the light of new data-protection legislation, putting the burden increasingly on organisations to protect all this data, so the less you have of it the better."

According to Casper, businesses currently adopt a blanket approach to information security, lumping personal records in with sensitive corporate data, such as intellectual property.

"The lines are blurred. But in a situation where you explicitly hand over personal data to an external party, you need to know where exactly to draw a clear line between personal data and other data that's worth protecting," he said, and highlighted five ways to define and secure this data:

1. Differentiate personal data

Making that distinction is the first step in creating a privacy strategy for handing over personal data to third parties.

2. Ring-fence personal data

Next, Casper suggests organisations should put a specific protective fence around information relating to individuals, wherever it is located - in the cloud, on mobile devices or on-premises. Tools exist to locate, identify and protect the relevant data. Plan for situations where you cannot be in control, and plan for negative events.

Encryption is the most widely used approach but creating separate virtual machines for enterprise and private use can also play a role, along with secure apps, containment technologies and mobile data-management products.

3. Avoid general-purpose systems

The next measure, according to Gartner, is to use specialised software for storing personal data, such as HR, CRM or ERP systems, rather than, say, spreadsheets or office documents.

4. Stick to privacy standards

The fourth step involves ensuring the organisation and its partners adhere to privacy standards, such as AICPA privacy principles and US-EU safe harbour agreements. These standards cover issues such as the transfer of data across national boundaries, and simplify information exchanges, control frameworks and audits.

5. Clarify location rules

Finally, Gartner suggests companies and service providers move towards a more pragmatic approach when discussing the complexity of international transfers of personal data, rather than relying on physical or legal locations.

About

Toby Wolpe is a senior reporter at TechRepublic in London. He started in technology journalism when the Apple II was state of the art.

2 comments
dave

> such data at arm's length

the responsibilities that the original company has. As Mattel has found out, just because you farm out toy manufacturing to China doesn't absolve you of any responsibility when they use lead paint. Same for data. If you outsource your data and the provider you selected has a breach, it's still your name on the credit card or whatever. You will still get dragged into court.

jsargent

Articles like this grossly underestimate the task and planning responsibilities, and fail to explain anything of real value. The Safe Harbor is law if a company intends to share data between the US and the EU. In addition, within the EU there are the European data protection and privacy directives that must be followed by law. At the very least a company should follow the law. The article should have explained this, and it just goes to show how ignorant the author is with respect to the contents. A little basic research into the subject beforehand might have saved the article.