Why businesses need to respect data privacy and implement effective data governance

Data Privacy

Recent highly publicized cases regarding the use (or misuse) of personal data, and the inadequacy of data privacy practices, in companies such as Facebook, have created a lot of awareness and concern about the way organizations exploit data that they have collected about individuals for commercial advantage.

Even before that news broke worldwide, data protection regulations were being introduced to give citizens more rights regarding their personal data. Canada introduced its PIPEDA (Personal Information Protection and Electronic Documents Act) in 2000; in 2018, the EU’s GDPR reformed its existing regulations to introduce stronger rules; in the US, the California Consumer Privacy Act of 2018 will take effect on January 1, 2020. I believe it’s only a matter of time until it spreads across the US or is implemented nationally.

These regulations are different in their details, but they are guided by the same principles:

  • They require ALL organizations who hold personal data on citizens within their jurisdictions to be transparent about what personal data they hold, what they will do with it, and how they will share it with other organizations. For example, the GDPR rules apply to any organization, anywhere in the world, which collects and processes the personal data of EU citizens. They are also required to take appropriate security measures to safeguard the data, and report any data breaches to the appropriate authority.
  • They give citizens more rights over their personal data, such as the right to be informed about how their data will be processed, and who it will be shared with; the right to see what data is held; the right to have any inaccuracies rectified; the right to object to their data being processed and to have it deleted (in certain circumstances).

Can you really afford to risk the consequences of not complying with data privacy regulations?

Failure to comply could result in heavy fines – up to 4% of annual turnover for a serious infringement, in the case of GDPR – as well as huge reputational damage, with customers losing confidence in your organization’s ability to keep their data safe. Think about how much Facebook must have spent on their remediation efforts and the ads they’ve used to promote the changes they’re making, not to mention the eventual fine, which is still to be determined. Recent reports imply that the loss could be $3-5 billion.

That alone should give any organization a huge incentive to get their data privacy act together, but, as discussed in this recent article on Data Protection Network, there are also positive business benefits to be gained from proactively implementing good data governance procedures, such as building customer trust.

What counts as personal data?

It’s important to be aware of the definition of personal information so that you can take appropriate measures to identify and secure it. Personal information is anything which enables you to identify a natural person, either on its own or in combination with other information. Examples include:

  • Name
  • Identification number
  • Email address
  • Social Insurance / Security Number
  • Driver’s License Number

So, we’re not just talking about sensitive information – though obviously information such as financial or health-related data needs special safeguarding precautions.

What do you need to know from a compliance perspective?

To comply with the data privacy regulations, in terms of safeguarding the data, being transparent about what you hold and how you process it, and responding to access requests from data subjects, you will need to conduct an information audit to identify exactly what personal data you hold.

The concept of auditing data is not a new one, but the concept of auditing data with a primary focus of protecting personal data is. You will need to record what personal data your organization collects, where it came from, where it is stored, how it is processed and who it is shared with.

Today’s ERP systems create a challenge when it comes to auditing in this area, as they can house massive amounts of data, and different organizations may use certain columns to hold different types of information. For example, many columns within an ERP System can be used for almost any type of data; some organizations may use them to store personal data; others may not. Unfortunately, there is no standard list of tables and columns for your ERP that you can use to definitively identify all the personal data, but there are common tables / columns that can be reviewed as a first pass.

Here are a few tips to get started on the identification and categorization of personal data within your ERP System:

  • Consider conducting a data discovery exercise where key business resources who are familiar with the data can help identify the types of data held within certain modules or applications of the ERP System
  • Define what data is, or could be considered private, based on the findings from your data discovery exercise; remember some columns may be in use, but not as intended by the software manufacturer
  • Categorize the data with labels such as:
    • Categories of individuals
    • Purpose of processing
    • Category of personal data
    • Known recipients
    • International organizations data shared / transferred to
    • Safeguards in place / being used for transfer of data
    • Retention schedule
    • General or organizational security measures
  • Create a data asset registry which holds the information on your data discovery exercise, through to a listing of personal information contained within your ERP system by category.

Once you have identified the data and how it is processed, you will then be able to assess the associated risks and decide the best way to mitigate them as part of your data governance procedures.

What do you need to know from a security standpoint?

Security Administrators have the responsibility for advising the business, internal audit and data privacy/protection officers about best practices when it comes to securing this type of data. The security administrator should be prepared to provide advice and guidance on the following topics:

  • Who has access to the data?
  • What data encryption methods are in place over the data (if any)?
  • Are segregation of data rules in place? If so how / why? If not, what type of security can be put in place to achieve this?
  • Are users with access to this data authorized on a periodic basis?

When it comes to protecting personal data in your ERP system, the general principal of least privilege should be applied. Limits should be placed on what individual users can see and do with personal data; as with access to applications, users should be granted the minimum access needed to be able to perform their job function.

Data Privacy affects the whole organization

This only scratches the surface of what is required to comply with the various regulations, but it should help to get you started. The important thing is to recognize that data privacy must now be taken seriously. Everyone in the organization, from board members through to individual workers who input and process information, needs to understand the implications and be educated in your data privacy practices.

All the regulatory regimes have different elements, but for most companies who operate across the globe, it will not be feasible to handle data differently depending on which regulation each data subject is governed by. It makes sense to take a pragmatic approach from the get-go, by finding the lowest common denominators and implementing data governance procedures that can be applied across the enterprise.

Q Software is working on plans to help our customers address some of these issues – watch this space for more news on that.

In the meantime, here is more information about our ERP security management and audit reporting tools.