In today’s regulatory climate, be careful about the personal data you retain

Data may be the lifeblood of the modern organisation, but if they do not take proactive steps to protect it, they could end up running afoul of critical privacy regulations.

The concern isn't only cybercriminals sneaking into systems; far too often, corporate data is compromised by employees or trusted partners losing sensitive personal information.

Australia's privacy watchdog, the Office of the Australian Information Commissioner (OAIC), recorded 176 incidents of data loss due to human error in the first half of 2020 alone.

This included 49 cases where personal information was sent to the wrong email address, 40 where it was unintentionally disclosed, 10 incidents where information was wrongly shared because it was not redacted, and four incidents where data was disposed of in an insecure way.

dataprivacy.jpg

These breaches pose major problems for companies subject to privacy rules like Australia's Privacy Act, the new Consumer Data Right (CDR), and the EU's general data protection regulation (GDPR), which can impose significant fines on companies and their executives.

A key part of these privacy controls is mitigating against the inadvertent sharing of sensitive personal data: GDPR, for example, requires companies to "implement appropriate technical and organisational measures, such as pseudonymisation [and data minimisation]… in an effective manner [to] protect the rights of data subjects".

Companies of all sizes and industries are struggling to stop sensitive information from escaping: Australian government agency Services Australia, for one, recently admitted that mishandling of personal information formed a significant part of the 988 "substantiated" privacy incidents it experienced during fiscal 2017-18.

Data control in the era of data regulation

With real financial penalties now possible for privacy breaches, such statistics are a reminder that organisations should take steps to protect data now -- to avoid becoming another data-breach statistic and, in doing so, ensuring the trust of the public and customers are not severely compromised.

Most companies, however, have no way of automatically anonymising personal data or securing the custody change of that data.

Staff can filter or redact sensitive information manually before data is shared, but if they miss any sensitive data, that data will be compromised for good.

Working to fix that situation, TechnologyOne has integrated automatic data filtering and redaction capabilities into its 2020B release -- ensuring that sensitive personal data can be identified and automatically protected across all major modules of its SaaS ERP platform.

This makes it particularly well-suited to supporting the requirements of GDPR -- currently the global gold standard around protection of personal data -- that companies need to collect data only for "specified, explicit and legitimate purposes and [that it is] not further processed in a manner that is incompatible with those purposes".

Data, according to GDPR Article 5, must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".

Automatic data redaction is a highly effective way of meeting this objective, since it ensures that data subjects cannot be identified from enterprise data. It is also a repeatable, reliable way of iteratively protecting personal data based on pre-defined business rules, saving organisations time and money whilst assisting them to be compliant under their application of the regulations.

This prevents employees from accidentally printing, emailing, or otherwise sharing data that could compromise the privacy of employees, customers, or partners.

"Without a coherent strategy for data protection, businesses leave themselves exposed to potential sanctions under increasingly onerous privacy laws," warned Stuart Macdonald, chief operating officer with TechnologyOne.

Being able to automatically identify personal data has become even more important for Australian companies with the implementation of Consumer Data Right (CDR) legislation, which requires companies in certain industries to provide data to consumers -- or their appointed representatives -- when they request it.

CDR supports Australia's new open banking regime, but its lessons are relevant whether an organisation is directly affected by CDR or not.

Its provisions for data access, for example, echo the freedom of information (FOI) provisions that have long provided for the controlled release of government data. FOI releases are typically screened and sensitive data redacted; for organisations to provide the same level of protection for CDR data, it is equally important to be able to identify and filter sensitive data in the same way.

Protecting the data lifecycle

Protecting data in today's environment is about more than preventing its misuse or accidental leakage.

In today's global business climate, data is rapidly available across cloud services and moved between countries, devices, employees, partners, and customers.

That's why to meet modern governance requirements -- and customer expectations -- organisations need to know what data they have, where it is, why they're using it, and when it is no longer needed.

And most importantly, organisations need to be able to demonstrate this capability to citizens at any point -- confirming that data is only used for specific reasons, and only retained for as long as is absolutely necessary to complete that business use.

In other words, organisations must be able to not only control data through its lifecycle, but have the capacity to destroy it -- and prove that the data has been destroyed -- when it is no longer needed.

Doing so requires a data management framework in which data is visible, manageable, and can be securely shared and destroyed as required.

This is most easily accomplished using enterprise systems with robust personal data management capabilities built in.

Automatic redaction uses templates to identify personal data that can be used to uniquely identify an individual, like tax file numbers, credit card details, personal contact, identity details, and so on.

Access to this data can be controlled using role-based policies that prevent employees from accessing and sharing data they shouldn't be able to access.

Such data is automatically detected and redacted whenever information is read, processed or sent -- providing built-in protection of personal information and related metadata without any involvement by the users in question.

The original data are preserved, providing assurance for business or auditing purposes long after particular information has been processed and shared.

A framework for the future

Redaction joins a host of other data management capabilities helping businesses to stay on top of growing data-management obligations.

With hundreds of customers in the local government and higher education sectors, TechnologyOne's Enterprise Bulk Redaction functionality caters for data protection at many levels, and automatically ensures personal information being held by customers on its SaaS platform (such as university enrolments or rates payments) isn't being retained for any longer than the business requires that data for the intent for which it was collected.

"Adherence to privacy legislation shouldn't be something that needs to be bought or added on," Macdonald added.

"It needs to be part of basic, everyday business – and TechnologyOne allows customers to manage personal data in a way that simplifies their ability to comply with obligations." 

Luckily for data-based businesses, the integration of data-protection capabilities into cloud business platforms can remove the risk of employees using or inadvertently dispersing personal data.

Having a clear data-protection strategy, backed by technology, is essential for businesses to avoid sanctions under increasingly onerous privacy laws -- which is why it's important for organisations to review their personal data protections sooner rather than later.

By using filtering and redacting to enforce data privacy management best practice, you can help your business meet regulatory needs in the short term. And, by being able to provide better control over personal data, organisations will be able to maintain customers' confidence that they are keeping their data secure for the long term.