Capping IT Off

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

Data Protection as a Competitive Differentiator – Getting Ready for the General Data Protection Regulation

“...For many online offerings which are presented or perceived as being ‘free’, personal information operates as a sort of indispensable currency used to pay for those services. As well as benefits, therefore, these growing markets pose specific risks to consumer welfare and to the rights to privacy and data protection.”
(Preliminary Opinion of the European Data Protection Supervisor Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy March 2014)

Loyalty & Trust

Trust is the key to achieving customer loyalty and is itself attained through transparency, honesty and a respect for the individual. In the wake of international scandals such as Wikileaks and Ed Snowden’s outing of the NSA’s practices, one of the most effective ways to gain your customers’ trust is through ensuring their data privacy. Indeed, 89% of consumers surveyed in the TRUSTe 2014 U.S. Consumer Confidence Index stated that they would avoid doing business with a company they felt was not protecting their online privacy. In addition to this, the considerable legal and financial penalties incurred due to a breach, the ensuing revenue loss and the resultant customer churn of around 4% (Ponemon Institute, 2013 Cost of Data Breach Study) mean that ensuring your customers’ data is protected could be a key differentiator that puts you ahead of the competition.

Legal Eagle Eye

In the UK, the Data Protection Act 1998 (DPA) defines the legal requirements for handling personal data. The 7th Principle states that “...appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” This raises the question: what actually constitutes personal data? Well, according to the ICO, the statutory definition of personal data covers “non-automated records that are structured in a way which allows ready access to information about individuals. As a broad rule, we consider that a relevant filing system exists where records relating to individuals (such as personnel records) are held in a sufficiently systematic, structured way as to allow ready access to specific information about those individuals.”

Until recently the judgment in the case of Durant v Financial Services Authority (Reference [2003] EWCA Civ 1746; [2004] FSR 28; The Times, 2 Jan 2004) was the overriding precedent for more detailed guidance on what comes under the umbrella of “personal data”. In this case it was deemed that “personal data” was information of “biographical significance” that had to go beyond a mere mention of an individual's name in a matter which has no personal connotations, such as a meeting request e-mail. Durant has often been criticised for looking only at the content of the data and not at the context, therefore giving a narrow definition of “personal data” and yielding some unhelpful and unprotective results in the cases that have followed it.

The Court of Appeal judgment in the recent case of Edem v The Information Commissioner ([2014] EWCA Civ 92) states that to define personal data under the Act we must look at the context of the data to see if a person can be identified. For example, if we saw the name Jeremy Hunt on a database, the name is fairly common and the person is most probably not identifiable. However, if the other names on the list are George Osborne and Theresa May, or the database is named “Cabinet Ministers”, then we know what we are looking at and we know that Jeremy Hunt is the Health Secretary. In other words, a name is always personal data if the context in which it appears is sufficient to identify the named individual. How does this impact your business? Well, it sets the bar for ensuring data protection higher and means that when you sit down with your lawyers to define your data privacy policy and strategy, you need to consider the context and juxtaposition of the data as well as the actual data content when determining whether or not you have fulfilled your obligations under the Act.

In 2012, the European Commission (EC) published its draft proposal for a General Data Protection Regulation (GDPR), a new pan-European Union standardised law to update and replace the Data Protection Directive of 1995, which was considered to be out of date in light of the growing number of US and European data breaches.

The Snowden debacle encouraged the EU to push the GDPR forward quickly and it looked set to become law in May of this year. However, the Regulation has now come under attack from external sources and, more surprisingly perhaps, from within the senior ranks of the EC itself! The UK is lobbying to have the Regulation either downgraded to a Directive or abolished altogether, citing as the reasons for its resistance the need for each nation to determine privacy laws based on national priorities and the possibility that the proposed restrictions will inhibit business innovation.

The Janus Effect

A key element of the GDPR is the concept of the “one-stop-shop” whereby EU citizens would be allowed to file complaints with their own data protection regulator rather than be forced to do so where the company concerned is headquartered. In December 2013, in a volte-face that infuriated the EU Justice Commissioner, Viviane Reding, who introduced the GDPR, the head of the EC legal service (the somewhat aptly named Hubert Legal) voiced the opinion that the one-stop-shop was potentially an infringement of the European Convention on Human Rights! Ms Reding maintained that the situation had not changed from when the original decision to proceed had been agreed and that the GDPR should progress forward without looking back over old ground.

In light of these obstacles some people have said the GDPR may not come to fruition at all and others that, at the very least, it will be years before it is enacted. So what does this mean for your business? Should you simply continue with your current Data Protection strategy or should you begin to update your privacy policies now in early preparation for the Regulation?

Serious Sanctions

Well, consider again the findings that data protection and privacy are crucial to your customers’ desire to do business with you. Then consider that an old 2008 report by researchers Aleecia M. McDonald and Lorrie Faith Cranor found that “Online privacy policies are so cumbersome and onerous that it would take the average person about 250 working hours to actually read the privacy policies of the websites they visit in a year”. Digitalisation and Big Data have only made data protection more complex and difficult to achieve in the last 6 years, and there have been few major amendments to the DPA, save refinements made by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which altered the consent requirement for electronic marketing to “positive consent”, such as an opt-in box rather than an opt-out. All this adds up to a situation whereby a lot of companies’ privacy policies are outdated, over-complex and not working to win the trust of their customers and prospects.

If the prospect of winning more customers isn’t a sufficient incentive to start preparing for the GDPR then perhaps the heavy sanctions will be! The penalty for a breach of the GDPR will be a whopping €1 million or up to 2% of your global turnover! Perhaps David Smith, Deputy Commissioner at the Information Commissioner’s Office (ICO), put it best in his speech at Infosecurity Europe 2014 when he said he expected the GDPR to be enacted in 2017 at the earliest but advised, “Get your house in order now, under the current law, to ensure you are ready for the coming changes, because the principles are not very different.”

10 Ways to Prepare for the GDPR

1. Do a full audit, take a complete inventory of all your data and create a map of data usage.
2. Ensure that your new strategy is designed around the concept of obtaining explicit consent for all personal data usage and lifecycle.
3. Create a solid data breach system with clear processes and procedures in the event of an unavoidable or accidental breach.
4. Ensure that data loss reporting is fast and thorough as this will become mandatory.
5. Get the whole Board involved and create a culture of privacy and protection so that it is embedded in every part of your business and every member of staff understands its importance from the board room to the post room.
6. Appoint a Data Protection Officer either part time or full time depending on your business requirements, quantity of data, data usage and data testing.
7. Choose a framework that suits your business such as ISO, NIST, or COBIT.
8. Monitor your new system and utilise comprehensive reporting and adjust it accordingly so it works for your business and your customers.
9. Rewrite your Privacy Policy and make it accessible on your website so that it is user friendly and your customers can find it and easily understand it.
10. Ensure that you are using data obfuscation and data encryption & decryption at every stage in your test environments in order to maintain integrity, privacy and data protection.

Here’s the key question to ask yourself at each stage: “Is it reasonable to assume that a member of the public would expect their data to be used in this way?”

Managing Privacy in a Test Environment

“Businesses should not rush products and services to market without thorough testing and they should listen to their privacy advisors before giving in to pressures from the marketing department.” So says David Smith of the ICO, and he is right: for example, a failure to test a fix in a test environment could result in errors being introduced into the live environment, which could themselves result in a breach of the DPA. However, testing itself creates a variety of scenarios where a breach of data privacy is possible; so how should you manage your data in a test environment?

It’s essential to ensure that you extract only the data required for testing and then employ a variety of data obfuscation techniques such as data substitution, number variance, gibberish generation, masking data and synthetic data, in conjunction with encryption. This keeps the data realistic and testable but hides sensitive data from internal staff such as application developers and testers. If obfuscated data is lost it could be read by a non-authorised user, but they would not be able to ascertain the details of any individual, so a breach would be avoided. Your chosen data obfuscation strategy needs to be carefully evaluated to make sure that the obfuscated data is still suitable for testing, to establish how impenetrable the scrambled data is if under attack, and to determine how much the strategy will cost. For example, if you’re testing an application that requires data validation, data substitution may be a simpler, faster and more cost-effective means of obfuscation than creating synthetic data.
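As an added illustration of the obfuscation techniques listed above (example code written for this page, not the post’s own or Sogeti’s TDM tooling), the following Python pipeline applies keyed substitution, masking and number variance to a constructed two-table extract while keeping the join key consistent so the data remains testable. The sample records, the surrogate name lists and the demo key are all made up for this example; in practice the key is held outside the test environment.

```python
import hashlib
import hmac

# Constructed sample extract (not real data): two tables joined on customer_id,
# standing in for the subset of production data pulled into a test environment.
CUSTOMERS = [{"customer_id": 101, "name": "Alice Example", "email": "alice@example.org", "balance": 1250.0},
             {"customer_id": 102, "name": "Bob Sample", "email": "bob@sample.net", "balance": 98.5}]
ORDERS = [{"order_id": 1, "customer_id": 101, "amount": 40.0}, {"order_id": 2, "customer_id": 101, "amount": 12.25},
          {"order_id": 3, "customer_id": 102, "amount": 7.99}]
# Hypothetical surrogate lists and demo key; a real key is kept outside the test environment.
FIRST = ["Ava", "Ben", "Cara", "Dev", "Eli", "Fay", "Gus", "Hal"]
LAST = ["Stone", "Reed", "Vale", "Moss", "Pike", "Lane", "Hart", "Dunn"]
KEY = b"constructed-demo-key"

def _digest(key: bytes, value: str) -> bytes:
    """Keyed digest: stable for the same input, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def pseudonymise_id(key: bytes, cid: int) -> int:
    """Substitute the join key; applied identically in every table so joins still work."""
    return int.from_bytes(_digest(key, f"id:{cid}")[:6], "big")

def substitute_name(key: bytes, name: str) -> str:
    """Data substitution: the same real name always maps to the same surrogate name."""
    d = _digest(key, f"name:{name}")
    return f"{FIRST[d[0] % len(FIRST)]} {LAST[d[1] % len(LAST)]}"

def mask_email(key: bytes, email: str) -> str:
    """Masking: replace the local part but keep a syntactically valid address for validation tests."""
    local, domain = email.split("@", 1)
    return f"user{_digest(key, local).hex()[:8]}@{domain}"

def vary_number(key: bytes, field: str, value: float, pct: float = 0.1) -> float:
    """Number variance: shift a value by up to +/- pct so figures stay realistic but are not real."""
    d = _digest(key, f"{field}:{value}")
    return round(value * (1 + pct * (d[2] / 255.0 * 2 - 1)), 2)

def obfuscate(key: bytes, customers: list, orders: list) -> tuple:
    """Apply the techniques to both tables, keeping the pseudonymised join key consistent."""
    cust = [dict(c, customer_id=pseudonymise_id(key, c["customer_id"]), name=substitute_name(key, c["name"]),
                 email=mask_email(key, c["email"]), balance=vary_number(key, "balance", c["balance"]))
            for c in customers]
    ords = [dict(o, customer_id=pseudonymise_id(key, o["customer_id"]), amount=vary_number(key, "amount", o["amount"]))
            for o in orders]
    return cust, ords

def referential_integrity(customers: list, orders: list) -> bool:
    """Check that every obfuscated order still joins to an obfuscated customer."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)
```

The referential-integrity check is the suitability test the paragraph asks for: if the join key were obfuscated with a different key or method per table, the extract would be safe but useless for testing.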

Born Ready

So the truth is that many existing privacy policies aren’t truly in line with the current law, let alone prepared for the GDPR or designed to promote customer loyalty. Businesses that are not already updating their privacy strategy and making their policies more customer-friendly are missing an opportunity to differentiate themselves in a way that customers currently deem to be very attractive. Similarly, investors, venture capitalists and angels are more inclined to invest in a business with an outstanding privacy policy as it significantly reduces a large proportion of risk. Another major advantage of revising your Privacy Policy now is that you can spread the work and the cost of compliance over the next 3 years before the GDPR comes into play. The bottom line is that the potential sanctions for non-compliance with the Regulation are so severe that it makes sense to ensure your privacy policy is up to scratch in the next 3 years, and the benefits of improving your privacy policy are so great, that regardless of whether the Regulation comes into force or not, it’s a worthwhile undertaking.

Peace of Mind

The importance of testing increases in parallel with the ever rising expectations of your customers. In light of the complexities of Data Protection and the potential changes to the law, we’ve seen that it’s essential that your test environments are secure. Outsourcing your data testing to a business in which testing is the core competency is a sensible way to ensure speedy, efficient and secure testing with the right level of encryption and obfuscation to give you total peace of mind. Sogeti offers a complete end to end Test Data Management (TDM) Service that:
  • Analyzes organizations’ current software testing and test data management.
  • Proposes what actions and toolsets are needed to improve testing.
  • Helps customers choose the right testing tools.
  • Offers a pilot or proof of concept to show that the selected tools can deliver the test data required and that the proposed process can deliver the expected benefits.
  • Provides a full TDM rollout.
  • Supports and trains customers all the way through the process and even after the rollout.
  • Ensures that the number and size of the test environments are precisely what is required by introducing a smart solution to ensure that the right data is made available for testing.
With our forward-thinking, comprehensive TDM service, we can help you ensure you are delivering quality and value to your customers while conforming to the existing and impending legislation.

About the author

Barry Weston
