A Relevant issue for Organisations in 2018

March 2018 will likely be remembered as a big moment in the world of customer privacy and data protection. Each new morning seemed to bring new revelations about how private data has been used inappropriately - likely by the end of the month we were all a bit more cynical and jaded about just who has access to our personal information and habits - and what 'personal' even means anymore. Nevertheless - heading to the hills with a sack of potatoes and fertiliser is not really an option for most - we are now inextricably tied to our various online and social media accounts, and reliant on these kinds of services for both work and social functioning. Our customers will continue to use the internet - how could they not - but perhaps with a degree more caution and cynicism than previously. With this in mind, it is a critical moment for organisations involved in the collection and storage of customer data to sure up processes and security - to avoid becoming another headline in the data breach onslaught. These kinds of breaches can lead to severe consequences and losses via reputational damage, ethical harms, legal liability – referred to as amplified technical impact^1. Importantly for the market research industry - the literature indicates that data breaches by companies may hinder the adoption and use of particular products², as well as customers’ willingness to provide further personal information³. Disaster! So how can we take steps to protect ourselves from becoming ‘those’ companies, who end up in situations where huge amounts of data have either been lost, hacked or inappropriately distributed? In situations like this, it can be helpful to be guided by the literature as to what constitutes best practice when it comes to managing and safeguarding data. A recent article outlined five useful fundamentals where it comes to protecting customer data – these are: anonymisation, encryption, access control and monitoring, policy and governance frameworks⁴.

Anonymisation

This is perhaps the most critical aspect of dealing with large quantities of data – ensuring that all sensitive information is removed from a set of records, as well as possible identifiers that might emerge if the data were cross-referenced.

Encryption

Encryption is a major solution to ensuring that data remains protected, with the use of Fully Homomorphic Encryption (FHE) allowing data to be stored in the cloud and for new data to be encrypted if needed.

Access Control

Adequate access mechanisms are important for protecting data, with operating systems restricting access to information – however this can be an issue if the system is hacked. It is recommended to use encryption with access control for greater security. It is also important to have real time security monitoring, to ensure that no unauthorised access is occurring.

Policy Approaches and Compliance

This relates to organisations’ use and collection/protection of sensitive information, and how compliant they are with regulations (for example, data being stored for longer than is needed). Other things to consider are third party storage of data and ensuring that these providers are compliant with data storage laws.

Governance and Frameworks

Adequate governance framework is important to ensure that information is collected and categorised in a structured way, with an eye to the purpose of the data collection and storage. A challenge exists with governance in that it is a relatively new field, so there are few existing policies and procedures. So how can we ensure that we are following best practice with storage and management of data, while also supporting employees to report any issues? As noted above, encryption and solid processes around storage and collection of data is important, as is a clear and unambiguous reporting process for employees who suspect a data breach or who see issues. We are certainly able to learn from companies who have ‘got it wrong’ in the past, and looking at these cases reveals poor norms or communication from employees, and a distinct lack of governance in terms of data organising and collection.

Remember - this is such a new field that a lot of regulations are still catching up with the progress - hence the unprecedented and unregulated events that have occurred over the past few years. It may be up to companies to police themselves while regulations catch up.

It is likely that this field will expand even more in the future, and an organisation’s livelihood and brand will continue to depend on its ability to responsibly store and protect customer data – so now is the ideal time to consider some of the issues above. What kinds of lessons has your company learned from data storage or customer information in the past? Please feel free to comment below.

References

1. ISACA (2014). Generating value from big data analytics. White Paper. Retrieved from 〈http://www.isaca.org/Knowledge-Center/Research/ ResearchDeliverables/Pages/Generating-Value-From-Big-Data-Analytics.aspx〉.
2. Tao, Y.-H., Chen, C.-P. and Chang, C.-R. (2007), Unmet adoption expectation as the key to e-marketplace failure: a case of Taiwan’s steel industry, Industrial Marketing Management, 36, 1057-67.
3. Nam, C., Song, C., Lee, E. and Park, C.I. (2006), Consumers’ privacy concerns and willingness to provide marketing-related personal information online, Advances in Consumer Research, 33, 212-7.
4. Lafuente, G. (2015) The Big Data Security Challenge. Network Security, 1, 12–14.