Five ways to exploit Big Data without compromising privacy
Big Data is revealing itself to be an extremely powerful tool that can deliver growth, efficiency, and competitive advantage for organisations.
But it can cause damage if it is not used properly. One area of potential harm is privacy.
Enterprises that seek benefits from Big Data use have a responsibility to protect the privacy of personal data that are gathered and analysed, according to a new white paper produced by global IT professional association ISACA.
Any Big Data initiative needs to focus on risk and maintaining sufficient mechanisms to govern and protect privacy, the white paper says.
“Competitive pressures of business quite often motivate boards of directors as well as senior management,” said Richard Chew, senior information security analyst at US-based Emerald Management Group, who helped develop the ISACA white paper.
“So they seek new tools and technologies and processes like Big Data. CIOs may rush to satisfy those desires as a matter of survival. But at the same time, the more astute CIOs are smart enough to engage the board as well as senior management with a structured approach.”
The growth in Big Data use and storage has led to numerous regulations designed to protect the privacy of users. The 1998 UK Data Protection Act, the US Health Insurance Portability and Accountability Act and the Federal Data Protection Act in Germany are examples of regulations that global companies may need to comply with.
Running afoul of regulations can lead to fines, reputational repercussions and the loss of customers. But there are ways to minimise the risk while taking advantage of the opportunities Big Data offers. The ISACA white paper says organisations need to implement a data privacy solution that prevents breaches and enforces security, helping enterprises to:
- Identify all sensitive data.
- Ensure that sensitive data are identified and secured.
- Demonstrate compliance with all applicable laws and regulations.
- Proactively monitor the data and IT environment.
- React and respond faster to data or privacy breaches with incident management.
Although a sound infrastructure, good governance and risk management are essential, Chew said, risk managers need to be enablers, not impediments.
“I would have to say that most organisations that have remained competitive and have been competitive are risk-takers,” Chew said. “But there is something called managed risk. And that’s what we’re advocating.”
Chew talked in detail about five questions boards and senior executives should ask to properly govern Big Data privacy:
1. Can we trust our sources of Big Data? “As far as protecting organisations from being accused of providing data streams, identity streams, etc., there are ways to anonymise data,” Chew said. “… Anonymisation is one facet. Another facet would be to tag the data [to show how individuals agreed for their data to be used].”
2. What information are we collecting without exposing the enterprise to legal and regulatory battles? “If the information happens to be collected from, let’s say, European countries, there are cross-border issues about how data is shared or transmitted across those borders,” Chew said. “So a lot of times we need to look at things like safe harbour [a process companies can follow to comply with privacy directives], for example. A strong compliance person with a good privacy background that includes European privacy law is a good person to have as part of the risk-assurance team.”
3. How will we protect our sources, our processes and our decisions from theft and corruption? Ironically, there are security tools that use Big Data to protect Big Data and its privacy. The tools help determine the intent of users who enter company networks. “Are they trying to plant data or malware?” Chew said. “Are they trying to steal something? A lot of Big Data is being used today … to analyse and predict.”
4. What policies are in place to ensure that employees keep stakeholder information confidential during and after employment? “Nondisclosure agreements, when we sign on as employees as well as contractors, are binding,” Chew said. “The thing about nondisclosures is … even though we have fair employment laws in various states like California, it doesn’t allow people to go ahead and steal that information and use it for personal benefit or corporate benefit of others.”
5. What actions are we taking that create trends that our rivals can exploit? Employee awareness is key, Chew said, and technology exists to protect against data leakage. “The proposition is not cheap,” Chew said. “But the technology is out there to do it.”
—Ken Tysiac (ktysiac@aicpa.org) is a CGMA Magazine senior editor.