How Can Managing Three Underrated Data Pitfalls Help Organizations Avoid Epic Data Privacy Risks?
Data is a vital resource for all organizations, and we see more organizations embrace digital transformation to improve their products, services, and operational efficiencies. As more data floods into enterprises via new technologies, Data Privacy risks will naturally increase. Unfortunately, many organizations believe that if they have all the requisite forms and check all the tick boxes, they are less likely to encounter pitfalls that could create unexpected and massive risks for them when managing data. In reality, some of the sneakiest and most devastating Data Privacy risks fly under the radar, and organizations are far from perfect in dealing with this particular Data Privacy or Data Protection challenge. Three areas of Data Privacy risk that many organizations miss are implementing new technologies, retaining data beyond its purpose, and failing to dispose of data-bearing assets properly.
#1 Data Privacy Risk Pitfall: Implementation of New Technologies
All organizations want to find ways to do things more efficiently and embrace technologies that make their work easier and more effective. Although I applaud and support organizations as they take their digital transformation journey, digital is different. For example, using a piece of paper to write a letter and then placing it into an envelope to mail it is very different from creating an email on a computer to send it to someone. An email has more digital dimensions than a paper letter and has much additional data and information that a paper letter can never embody. The same is true when organizations move from old ways of doing things to new ways with technology. For example, in a recent case, 7-Eleven breached customer privacy by collecting facial imagery without consent in Australia. The Office of the Australian Information Commissioner (OAIC) found that the organization was out of line with Data Protection Regulations due to the new types of information that an in-store digital tablet was capable of collecting, which would not have been possible when using more traditional or analog methods of collecting customer surveys. In this case, the technology used with the in-store tablet could capture the faces of individuals, create faceprints (like fingerprints), and try to match the face against other faceprints taken. Although there is nothing wrong with leveraging new technologies, it can become a Data Privacy Risk when new capabilities are used that may impact the data collector's duty and the data stakeholder's rights. In these situations, companies must evaluate the features of these new products and the risks. Organizations must not use every feature in a new product to reach their goals. Think about ways to limit data collection when possible by either disabling certain features or looking for privacy-preserving products that fit your needs.
#2 Data Privacy Risk Pitfall: Data Retention Beyond Data Purpose
Data retention is often the most underrated Data Privacy risk because organizations have not historically been accustomed to the requirement. Many Data Privacy regulations worldwide require organizations to delete data once its purpose expires. Also, most applications used by organizations today were not created in a way to make it easy to remove or delete data. When does the data purpose expire? This question has to be answered by each organization as someone should be accountable for making sure there is a plan in place so that organizations know when data can be deleted and follow this data throughout the data lifecycle from start to finish. The end of the data lifecycle is often where organizations that excel in other parts of the data lifecycle management fall before they reach the finish line. In a recent T-Mobile data breach, a list containing personally identifiable information of individuals who applied for cellular accounts was breached and released onto the Internet. The data was many years old and likely had a very low current business value to the company. Still, this data posed a tremendous business risk to the organization due to the data breach. I often tell organizations that it can often be a high Data Privacy risk when they have data with a low business value.
#3 Data Privacy Risk Pitfall: End of Data Lifecycle Data Asset Management
Where do organizations have aging data-bearing assets, like old computer hard drives and optical media? Where do they go? Often these assets can end up in back rooms, donated, sold, or thrown away. However, how many organizations know how to dispose of data-bearing assets to ensure that the data on those assets is removed in irretrievable ways? This is often a forgotten part of the data lifecycle that is taken for granted. Data-bearing assets must be disposed of or repurposed properly using a qualified service provider to delete the data from these assets or destroy the assets if they cannot be safely repurposed. On Data Diva Podcast episode 85, I spoke with Mark Dobson, IT Asset Disposition (ITAD) Program Manager of NextUse, about a Morgan Stanley case in which the improper data disposal of over 4,000 data assets that would have cost $100,000 cost the company 120 million dollars in fines and lawsuits due to the exposure of data belonging to Morgan Stanley clients. The Morgan Stanley case is one of the public examples of why the end of life of data-bearing assets is vital to organizations getting data protection right. Many companies fail at this part of the data lifecycle, but this is a risk that organizations can minimize with proper planning and by knowing when to use companies that specialize in this end of the data lifecycle.
When companies can avoid the Data Privacy risk pitfalls of implementing new technologies, retaining data beyond its purpose, and failing to dispose of data-bearing assets properly, they can begin to make Data Privacy a business advantage.