Against a backdrop of rising costs and risks, organisations are already looking at ways of divesting liability for processing personal data relating to staff and customers.

But to do so safely, they’ll need to devise an approach that puts such data at arm’s length while still maintaining legal accountabilities, according to Gartner.

By 2019, 90 percent of all organisations will have handed control of some employee and customer data to third parties, the analyst firm estimates in a new report.

“The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years,” Gartner research vice president Carsten Casper said.

Security risks of personal data

That shift is being driven by the cost of administering personal records, mounting volumes of private information from customers, and fears about the target such data presents to computer criminals.

“We’re not saying all this data goes away. But one way or another, most organisations will have given away some of this personal data. Some have already today. They’re still accountable for that data but they don’t own and control the underlying infrastructure – the IT systems,” Casper said.

“This trend will continue, especially in the light of new data-protection legislation, putting the burden increasingly on organisation to protect all this data, so the less you have of it the better.”

According to Casper, businesses currently adopt a blanket approach to information security, lumping personal records in with sensitive corporate data, such as intellectual property.

“The lines are blurred. But in a situation where you explicitly hand over personal data to an external party, you need to know where exactly to draw a clear line between personal data and other data that’s worth protecting,” he said, and highlighted five ways to define and secure this data:

1. Differentiate personal data

Making that distinction is the first step in creating a privacy strategy for handing over personal data to third parties.

2. Ring-fence personal data

Next, Casper suggests organisations should put a specific protective fence around information relating to individuals, wherever it is located – in the cloud, on mobile devices or on-premise. Tools exist to perform the task of locating, identifying and protecting relevant data. Plan for situations where you cannot be in control and plan for negative events.

Encryption is the most widely used approach but creating separate virtual machines for enterprise and private use can also play a role, along with secure apps, containment technologies and mobile data-management products.

3. Avoid general-purpose systems

The next measure, according to Gartner, is to use specialised software for storing personal data, such as HR, CRM or ERP systems, rather than, say, spreadsheets or office documents.

4. Stick to privacy standards

The fourth step involves ensuring the organisation and its partners adhere to privacy standards, such as AICPA privacy principles and US-EU safe harbour agreements. These standards cover issues such as the transfer of data across national boundaries, and simplify information exchanges, control frameworks and audits.

5. Clarify location rules

Finally, Gartner suggests companies and service providers move towards a more pragmatic approach when discussing the complexity of international transfers of personal data, rather than relying on physical or legal locations.