The Equifax data that was breached was not big data. However, big data is a major privacy concern for IT because so much of it is coming into enterprise data repositories from so many sources; and it comes in many shapes and sizes.
After Equifax, CIOs can rest assured that their CEOs and boards will be following their work in data privacy closely—and big data is one of the areas they'll be most concerned about.
What operational steps can IT take to assure at a grass root level that sound data privacy practices are employed for their big data?
SEE: IT leader's guide to big data security (Tech Pro Research)
1. Continuously vet your big data cloud-based vendors for data privacy
Many cloud vendors can provide the levels of privacy and security that you want for your big data—but you have to demand and be willing to pay for it. Never assume that by default your cloud vendor will automatically apply best practices. Your staff should carefully evaluate the privacy protections that each of your big data cloud vendors offers and determine whether these data protection levels meet your own internal governance standards. If a cloud vendor's data privacy practices don't meet your own governance standards, pass on the vendor. Also ask your external IT auditors to review all cloud-based vendor data protection and security practices as part of the IT audits that the auditors perform for your company. Vendor data protection and security levels should minimally be checked on an annual basis.
2. Use private clouds
Most public cloud vendors offer private cloud services, too. Placing your data in a private cloud is more expensive than being a multi-tenant customer in a public cloud, but the private cloud deployment better separates your organization's data from that of others. Cloud-wise, it is the next best thing to keeping your data on premises.
3. Anonymize data
You can the protect the data privacy of your customers and still perform critical trends analysis. One way that this anonymization can be accomplished is by encrypting data elements that personally identify someone. Another way is by identifying data from individuals with similar values (let's say that the value you are are measuring is income) and then averaging them into a composite income value that gets pulled into a larger data analysis. Other methods are data redaction or masking
SEE: Special report: Turning big data into business insights (free PDF) (TechRepublic)
4. Locate all the big data enclaves in your company and vet these for data privacy
As organizations distribute big data throughout departments and business units, there is always a risk that the data held within departments is changed so that data privacy levels are no longer met. The department responsible for big data governance and administration should regularly identify and track the big data marts that are distributed throughout the company. These localized big data marts should also be periodically audited by external IT auditors for data privacy compliance. If business units and other non-IT departments are using cloud-based services, the data privacy practices of their vendors should be verified for compliance to corporate standards. Cases of non-compliance should be immediately documented and mitigated.
5. Set your sights on GDPR
If you're a North American company and you aren't doing business internationally, you might not immediately have to concern yourself with the European Union's General Data Protection Regulation (GDPR).
The GDPR, which aims for more stringent protections of individuals' data, goes into effect in May 2018. According to a Gartner prediction, over 50% of companies affected by GDPR will not have met its requirements by 2018. The fines for non-compliance are hefty - up to 4% of annual revenue.
Keeping GDPR in sight matters because even if your company doesn't do business in Europe today, it might in the future; and GDPR is where data privacy practices are headed in the future. If you comply with it now, you're ahead of the game.
6. Perform social engineering audits
It's the dark side of IT, but the reality is: employee sabotage of critical data happens, as does inadvertent and sometimes purposeful inappropriate data sharing between employees and with individuals outside of the organization. All are reasons to include a social engineering audit along with your annual IT audit when your external auditor arrives. A social engineering audit looks for phishing attacks, phone and physical entry attacks and other types of technical and social deception that can often be traced back to your own employees. You can uncover potential areas of vulnerability, and also use the audit as means of identifying the types of employee training that could be helpful.
- Big data privacy is a bigger issue than you think (TechRepublic)
- EU General Data Protection Regulation (GDPR): The smart person's guide (TechRepublic)
- Nearly 50% of organizations willing to pay extra for security guarantee from cloud vendors (TechRepublic)
- Big data privacy must be fixed before the revolution can begin (ZDNet)
- Choosing the best big data partners: Eight questions to ask (ZDNet)
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.