(Preliminary Opinion of the European Data Protection Supervisor Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy March 2014)
Loyalty & Trust
Trust is the key to achieving customer loyalty and is itself attained through transparency, honesty and a respect for the individual. In the wake of international scandals such as Wikileaks and Ed Snowden’s outing of the NSA’s practices, one of the most effective ways to gain your customers’ trust is by ensuring their data privacy. Indeed, 89% of consumers surveyed in the TRUSTe 2014 U.S. Consumer Confidence Index stated that they would avoid doing business with a company they felt was not protecting their online privacy. In addition, the considerable legal and financial penalties incurred after a breach, the ensuing revenue loss and the resultant customer churn of around 4% (Ponemon Institute, 2013 Cost of Data Breach Study) mean that ensuring your customers’ data is protected could be a key differentiator that puts you ahead of the competition.
Legal Eagle Eye
In the UK, the Data Protection Act 1998 (DPA) defines the legal requirements for handling personal data. The 7th Principle states that “...appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” This raises the question: what actually constitutes personal data? According to the ICO, the statutory definition of personal data extends to “non-automated records that are structured in a way which allows ready access to information about individuals. As a broad rule, we consider that a relevant filing system exists where records relating to individuals (such as personnel records) are held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals.”
In 2012, the European Commission (EC) published its draft proposal for a General Data Protection Regulation (GDPR), a new pan-European Union standardised law to update and replace the Data Protection Directive of 1995, which was considered to be out of date in light of the growing number of US and European data breaches.
The Snowden debacle encouraged the EU to push the GDPR forward quickly, and it looked set to become law in May of this year. However, the Regulation has now come under attack from external sources and, perhaps more surprisingly, from within the senior ranks of the EC itself! The UK is lobbying to have the Regulation either downgraded to a Directive or abolished altogether, citing as reasons for its resistance the need for each nation to determine privacy laws based on national priorities and the possibility that the proposed restrictions will inhibit business innovation.
The Janus Effect
A key element of the GDPR is the concept of the “one-stop-shop” whereby EU citizens would be allowed to file complaints with their own data protection regulator rather than be forced to do so where the company concerned is headquartered. In December 2013, in a volte-face that infuriated the EU Justice Commissioner, Viviane Reding, who introduced the GDPR, the head of the EC legal service (the somewhat aptly named Hubert Legal) voiced the opinion that the one-stop-shop was potentially an infringement of the European Convention on Human Rights! Ms Reding maintained that the situation had not changed from when the original decision to proceed had been agreed and that the GDPR should progress forward without looking back over old ground.
In light of these obstacles some people have said the GDPR may not come to fruition at all and others that, at the very least, it will be years before it is enacted. So what does this mean for your business? Should you simply continue with your current Data Protection strategy or should you begin to update your privacy policies now in early preparation for the Regulation?
Consider again the finding that data protection and privacy are crucial to your customers’ desire to do business with you. Then consider that a 2008 report by researchers Aleecia M. McDonald and Lorrie Faith Cranor found that “Online privacy policies are so cumbersome and onerous that it would take the average person about 250 working hours to actually read the privacy policies of the websites they visit in a year”. Digitalisation and Big Data have only made data protection more complex and difficult to achieve in the last 6 years, and there have been few major amendments to the DPA, save the refinements made by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which altered the consent requirement for electronic marketing to "positive consent" such as an opt-in box rather than an opt-out. All this adds up to a situation in which many companies’ privacy policies are outdated, over-complex and not working to win the trust of their customers and prospects.
If the prospect of winning more customers isn’t a sufficient incentive to start preparing for the GDPR, then perhaps the heavy sanctions will be! The penalty for a breach of the GDPR will be a whopping €1 million or up to 2% of your global turnover! Perhaps David Smith, Deputy Commissioner at the Information Commissioner’s Office (ICO), put it best in his speech at Infosecurity Europe 2014 when he said he expected the GDPR to be enacted in 2017 at the earliest but advised, “Get your house in order now, under the current law, to ensure you are ready for the coming changes, because the principles are not very different.”
10 Ways to Prepare for the GDPR
1. Do a full audit, take a complete inventory of all your data and create a map of data usage.
2. Ensure that your new strategy is designed around the concept of obtaining explicit consent for all personal data usage and lifecycle.
3. Create a solid data breach system with clear processes and procedures in the event of an unavoidable or accidental breach.
4. Ensure that data loss reporting is fast and thorough as this will become mandatory.
5. Get the whole Board involved and create a culture of privacy and protection so that it is embedded in every part of your business and every member of staff understands its importance from the board room to the post room.
6. Appoint a Data Protection Officer either part time or full time depending on your business requirements, quantity of data, data usage and data testing.
7. Choose a framework that suits your business such as ISO, NIST, or COBIT.
8. Monitor your new system and utilise comprehensive reporting and adjust it accordingly so it works for your business and your customers.
10. Ensure that you are using data obfuscation and data encryption & decryption at every stage in your test environments in order to maintain integrity, privacy and data protection.
Here’s the key question to ask yourself at each stage: “Is it reasonable to assume that a member of the public would expect their data to be used in this way?”
Managing Privacy in a Test Environment
“Businesses should not rush products and services to market without thorough testing and they should listen to their privacy advisors before giving in to pressures from the marketing department.” So says David Smith of the ICO, and he is right: a failure to test a fix in a test environment, for example, could result in errors being introduced into the live environment, which could themselves result in a breach of the DPA. However, testing itself creates a variety of scenarios in which a breach of data privacy is possible; so how should you manage your data in a test environment?
It’s essential to ensure that you extract only the data required for testing and then employ a variety of data obfuscation techniques, such as data substitution, number variance, gibberish generation, data masking and synthetic data, in conjunction with encryption. This keeps the data realistic and testable but hides sensitive data from internal staff such as application developers and testers. If obfuscated data is lost it could be read by a non-authorised user, but they would not be able to ascertain the details of any individual, so a breach would be avoided. Your chosen data obfuscation strategy needs to be carefully evaluated to make sure that the obfuscated data is still suitable for testing, to establish how impenetrable the scrambled data is if under attack, and to determine how much the strategy will cost. For example, if you’re testing an application that requires data validation, data substitution may be a simpler, faster and more cost-effective means of obfuscation than creating synthetic data.
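As an added illustration (not code from the original article or from any vendor named in it), the script below applies the techniques listed above to a constructed production-style extract: keyed-hash substitution for names, gibberish e-mail addresses that still pass format validation, masking for card numbers, number variance for salaries, and partial masking for postcodes. The records, the substitute-name pool and the secret key are all made-up values; the key must be kept out of the test environment, otherwise the substitution mapping can be rebuilt.

```python
import hashlib
import random

# Constructed sample records standing in for a production extract (not real people).
PRODUCTION_EXTRACT = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "card": "4111111111111111", "salary": 42000, "postcode": "SW1A 1AA"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "card": "5500000000000004", "salary": 58000, "postcode": "M1 1AE"},
]

SUBSTITUTE_NAMES = ["Test User One", "Test User Two", "Test User Three"]

def substitute(value, pool, secret):
    """Data substitution: pick a replacement from a fixed pool using a keyed hash,
    so the same input always maps to the same substitute (referential integrity
    across tables) but cannot be reversed without the secret."""
    digest = hashlib.sha256(secret + value.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]

def mask_card(card):
    """Masking: keep the last four digits, hide the rest."""
    return "*" * (len(card) - 4) + card[-4:]

def vary_number(value, pct, rng):
    """Number variance: shift a figure by a random percentage so totals and
    distributions stay realistic without exposing the true value."""
    return int(round(value * (1 + rng.uniform(-pct, pct))))

def pseudonymous_email(value, secret):
    """Gibberish generation that still validates as an e-mail address."""
    token = hashlib.sha256(secret + value.encode()).hexdigest()[:10]
    return f"user_{token}@test.invalid"

def obfuscate(records, secret, seed=0):
    """Return a test copy of the extract with every sensitive field transformed."""
    rng = random.Random(seed)  # seeded so a test run is reproducible
    out = []
    for r in records:
        out.append({
            "id": r["id"],  # non-sensitive key kept so joins still work
            "name": substitute(r["name"], SUBSTITUTE_NAMES, secret),
            "email": pseudonymous_email(r["email"], secret),
            "card": mask_card(r["card"]),
            "salary": vary_number(r["salary"], 0.10, rng),
            "postcode": r["postcode"][:-3] + "XXX",  # keep area, drop the unit
        })
    return out

if __name__ == "__main__":
    for row in obfuscate(PRODUCTION_EXTRACT, b"demo-secret"):
        print(row)
```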
Peace of Mind
The importance of testing increases in parallel with the ever-rising expectations of your customers. In light of the complexities of Data Protection and the potential changes to the law, we’ve seen that it’s essential that your test environments are secure. Outsourcing your data testing to a business in which testing is the core competency is a sensible way to ensure speedy, efficient and secure testing with the right level of encryption and obfuscation to give you total peace of mind. Sogeti offers a complete end-to-end Test Data Management (TDM) Service that:
- Analyzes organizations’ current software testing and test data management.
- Proposes what actions and toolsets are needed to improve testing.
- Helps customers choose the right testing tools.
- Offers a pilot or proof of concept to show that the selected tools can deliver the test data required and that the proposed process can deliver the expected benefits.
- Provides a full TDM rollout.
- Supports and trains customers all the way through the process and even after the rollout.
- Ensures that the number and size of the test environments are precisely what is required by introducing a smart solution to ensure that the right data is made available for testing.