Issues Related to Information Protection within a Data-Driven Company

Digital transformation started about ten years ago, if not before, depending on the definition we wish to consider. However, the subject had never been as relevant as it is today and many large companies still don’t know how they should reorganize to meet this important challenge, resulting from society’s evolution.

There are many issues associated to data in this context. Among them is the risk of data leaking, which is a major legal and financial issue.

Here are some interesting figures related to data security:

• 900 million data were compromised due to security breaches
• 88% to 90% of incidents are unintentional
• In the United States, identity theft occurs once every four seconds (10 million victims)
• On in 400 emails contains confidential information
• One in 50 files is shared with the wrong people
• One out of 10 laptops is stolen or lost
• One in two USB keys contains confidential information.

Whereas hidden costs resulting from data leakage are frequently discussed, a potential, highly damaging and long lasting collateral effect is often ignored: the loss of client and user trust.

Failing to prevent a security incident inevitably harms consumers’ brand perception. What is at stake is loyalty to the latter, as it is intrinsically related to how the brand is perceived. Consequences on corporate results seem to be left aside by some companies, but the issue is being addressed increasingly and calls for enterprises to take preemptive action to guarantee data protection. According to Forrester, two to three highly ranked executives will be compelled to quit this year due to data theft.

Although all firms can be affected by data leakage to different extents (LinkedIn was pirated in 2012 and VK –Russia’s Facebook equivalent- this year), it is possible to set up a series of measures to reduce risks. One of them is systematically withdrawing obsolete tags with a TMS.

What Data is affected?

Data has become a very popular topic in conferences in recent years, and as time goes by, the differentiation between sensitive and personal information becomes blurrier. Personal data consists of information about an individual; it is associated to them through a customer code, email address or other such elements.
As for sensitive data, it consists of information related to ethnicity, political, philosophical or religious views, health or sexual preferences of an individual, amongst others. In France, Law prohibits collecting sensitive data, except when it is essential to a website’s activity, such as dating websites. Data has become a strategic matter for a large number of firms in France and worldwide, and one of the main concerns linked to it is protection.

What is a Data-Driven Company?

A data-driven company is literally a firm that is fully data-oriented. It is about a strong “data culture”, where data is not only accessible, but is at the core of strategic thinking and drives corporate action. In this context, data is a major asset for decision-making and calls for the company’s full, everyday attention.

A minimum requirement would be setting up daily dashboards adapted to every team’s needs, with a strong business focus and open to all other interested parties and containing key information they might need.

There are some departments that rely more heavily and frequently on data for decision-making than others: e-commerce sites, for example, will base their promotional strategies during sale seasons on data. But data should not be seen only as a tool to make better choices, it should be used to add value, offer better services and improve customer satisfaction.

To make the most of data, companies must stop collecting and storing it in silos, this might compel them to undergo structural and organizational changes. It entails strong collaboration between all teams and modifying the way they work.

In the current context, where data is at the core of every major strategy, observing regulations is paramount.

CNIL, Privacy and Data Protection

France’s data protection watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) [National Commission on Informatics and Liberty] is in charge of protecting citizens personal information and informing them about their rights. It also issues advice to firms wishing to be compliant with new regulations; it warns and punishes non-compliant companies and organizations and anticipates future usage of personal data and information.

CNIL said that 2,800 complaints related to privacy were filed in 2015. Since its creation, the Commission has been consulted and has participated to more than 2,500 decisions and deliberations. Law 78-17 from January 6, 1978 has been modified and now comprises over 70 articles.
At the beginning of 2016, the European Union adopted a ruling on personal data with an aim at better protecting European citizens. It contains several measures and sanctions that are to enter into force in every country in the Union starting 2018.
In case a company would violate rights related to collected data, it would be subject to a fine amounting to 4% of its annual global revenue.

What Principles Must Be Observed?

1. Purpose

An organization needs to have a lawful purpose to collect personal and private information. The use it intends to make of that information must be clear and legitimate.

2. Proportion

Only necessary and relevant information to a well-defined purpose can be collected.

3. Relevance

Collected data must be relevant to the activity of the collector: a website selling socks does not require information such as gender, age, marital status and sexual preferences, whereas a dating website does.

4. Conservation Period

Data should not be stored more time than needed to serve its immediate purpose. After that, it can be stored on a different device/database.

5. Security and Confidentiality

In the United States, data theft occurs twice a day. Data protection and confidentiality are the most sensitive issues for companies, as they are compelled to guarantee secrecy and prevent intrusion, data deterioration and leakage. Security measures must obey to the nature of data and potential risks.

6. Transparency

Collecting parties must always warn users they intend to collect data and share it with third parties.
Users can decide what they share and don’t.

7. Right to Information

Users must be informed at all times about the intended use of the information they share. They have the right to modify it, control it and to approve or deny data collection and sharing.

Minimizing Risks Related to Data Protection

Data Protection Officers (DPOs) must set up the necessary protection measures to prevent data from being “damaged”, misused or accessed by anyone outside the company. Only staff or expressly authorized third parties (governmental agencies, police, etc.) having the required clearance to access and use that information should be able to do so. DPOs should also determine a reasonable amount of time to store private information, should they fail to do so, they are subject to 5 years’ imprisonment and could be fined EUR 300,000.

Minimizing risks related to data protection starts by identifying potential sources of data loss (DLP Data Loss Prevention), security breaches and assessing their importance. This entails mapping all data to protect.

In addition, data whose combination might be potentially sensitive should be coded and stored separately. Encoding keys should be modified on a regular basis and stored in external servers with secured connections.

Finally, data protection strategies must be updated quite often, as information is constantly threatened. Every time an incident occurs, an investigation must be opened to identify the source of the problem and reinforce the established security measures.

There is always a risk and no system could be 100% safe: the human factor is an indirect threat and is hardly controllable (employees are very often responsible for attacks and intrusions without knowing it). However, staff can be provided with essential guidelines and precautions to adopt in their everyday work to prevent data loss.

Who should be in Charge of Security within the Company?

The European Parliament adopted a Ruling on the Protection of Personal Data on April 27, 2016. It compels companies whose activities consist in treating data and require tracking individuals on a regular basis, to designate a Data Protection Officer (DPO) (In-house or not). The DPO must inform the company they work for about rules and obligations regarding personal data, they must speak about and train staff to comply with regulations, provide advice in terms of impact analysis and cooperate and be in constant contact with CNIL.

French firms have two years to be compliant with new Laws.