Adrian De Luca

Privacy Defined IT: Business & Technology Predictions in Asia Pacific for 2015 (Part 6)

Blog Post created by Adrian De Luca Employee on Mar 3, 2015

(This is a continuation of a previous blog)

 

Have you ever been surprised by how much your bank knows about you when speaking to a customer service representative? If you have been unlucky enough to have your mobile phone lost or stolen, how long does it take before a cold sweat breaks out when you realise your entire life is sitting on there? And how many times have you Googled someone to find out more about them?

 

The fact is each time we use a service, take a photo or write a comment on social media we leave a digital footprint about who we are and more often today, where we are.  There is no doubt the digital age has made our every day interactions more convenient, but at what cost? Over the past few years we have witnessed an acceleration of personal identity fraud, targeted hacking of high profile orgnanizations like Sony and Apple, as well as increased surveillance between nations such as the scandal that engulfed Australia last year with Indonesia. With such breaches making headlines almost every week, consumers and citizens are rightfully questioning exactly how their personal information is being protected? 

 

Technology is more than just pervasive within our society, it's deeply embedded and largely invisible.  The livelihood of individuals, the reputation of companies and indeed the confidence in economies depend on adequate custodianship of data. We have reached a tipping point where digital privacy can no longer take a back seat. This serves as my final prediction for the year ahead;

 

As information technology drives more implications for personal privacy, business will increase investments to address compliance

 

Over the past two years, data privacy regulation has really come of age across Asia Pacific.  Multi-national organisations operating in the region are the most concerned, with a recent study revealing almost 4 out of 5 believe privacy or data protection represent the biggest risk to regional laws.  To allay such concerns, Governments have been responding by stepping up policy.  Although mature countries like Australia, New Zealand, Hong Kong and Japan passed data protection laws in 1990's, many of them have been updated recently to deal with increasingly digital access practices.  We have also seen countries like Singapore, Malaysia, the Philippines, South Korea and Taiwan enact new privacy laws in the past three years that enforce the treatment of personal data.

The Chinese central government has passed a raft of new legislation to encourage compliance to data confidentiality rules, but broader state secrecy laws still represent confusion for many for businesses. For example, state secrecy laws prohibit the transfer of information deemed to be of economic value, however there is little qualifies as a "state secret".

Over in India, rules and standards have been defined to data privacy laws introduced back in 2011 to help increase adoption.  In particular, Section 43-A and 71-A of the act which primarily deals with compensation for negligence in implementing and maintaining reasonable security practices as well as procedures in relation to sensitive personal data or information (SPDI) strengthen the legal requirements on commercial organisations.

apac_privacy_heat_map.png

In the past, the priority for organisations was to protect their own commercially confidential data by safeguarding valuable intellectual property.  However in the new era of privacy, doing this is not enough.  In order to secure the confidence of the people that use your products and service as well as the reputation of your brand, you need to demonstrate you are following best practices in protecting your customers personal information too.

So where are the biggest sources of privacy breaches and what can we do to better protect personal information?

 

Traditionally, the vast concentration of personally identifiable data has resided within the databases of enterprise applications like CRM's, eCommerce, Marketing, HR or office applications (ie. email, documents and spreadsheets) on file servers.

 

However smartphones have emerged as the biggest source of valuable personal information.  Unfortunately, they also happen to be one of the least secure devices with a recent study uncovering 85% of mobile apps are not up to scratch.


But protecting personal data involves far common IT security practices which focus on deploying solutions to secure applications in the data centre and the perimeter.  It requires a much broader approach.  Here are four steps I recommend;


1. Assess your risk

Start by conducting an audit to assess your organisation’s state of compliance.  Study the latest laws and regulations and ask each of the company functions what personal information they collect, manage and store. From there, understanding your exposure and what policies should be applied (ie. Retention, disclosure and disposal) form the project of works.  Then mapping that back to the business applications that manage them will help you assess the scope, timeframes to address and budget.


2. Review your technology capabilities and identify gaps

Your information systems can help you maintain compliance.  Assess your current technology capabilities and determine how you can leverage unused features or functions to automate the process.  For gaps, conduct some research software that can augment your existing environment to improve privacy compliance.  For example, object-storage solutions like the Hitachi Content Platform can help preserve and protect the most critical data and provide audit logs of changes.  Private file sync and share solutions like HCP Anywhere provide end to end encryption over public networks thwart network sniffing. Application-independent search software like Hitachi Data Discovery Suite can greatly accelerate the time and reduce the lost of e-discovery.  And data migration software like Data Migrator on Hitachi NAS can help automatically dispose of data securely when its no longer needed.


3. Create a Privacy Policy and publish it

Privacy and compliance is as much about people as it is about processes and technologies.  Document your privacy processes and communicate them to you employees to create a culture of compliance.  Employees need to understand how important it is to the company and be educated about the mechanics of how it affects their job function. They also need to be advised about how external information collection systems (say from 3rd party service providers) need to managed.  Publishing your privacy policy to your customers is just as important, as they need to be reassured of the way you manage .


4. Appoint a Privacy Manager

Maintaining a culture of compliance is not a one off initiative, it needs to be ingrained into the way the organization does business.  The role of the Privacy Manager is to take responsibility of the practice beyond the implementation phase.  They ensure the processes are being followed, policies are regularly reviewed to keeping pace with changes, inspect that systems are audited, act as an escalation point for customer disputes and resolution, and lead the continual training across your organization.


Last year, I wrote a blog post on the new Privacy Act changes in Australia and talked about some of the technology capabilities within Hitachi Data Systems portfolio that can help with step 3.

Outcomes