We continue with “Data Driven,” a series of articles examining the volume of data generated by emerging technologies. Today, Bill Kleyman examines the handling of personal data amid the explosion of data creation and storage.
It’s become pretty clear that very soon we’ll all become a persistently connected society. We’re building smart cities, homes, and leveraging smarter tools in our everyday lives. This includes everything from connected devices to cars.
But do you know what comes hand-in-hand with persistent connectivity? Data. A lot of data.
Cisco recently pointed out that by 2021, data center storage installed capacity will grow to 2.6 ZB, up from 663 EB in 2016, nearly a 4-fold growth. And, globally, the data stored in data centers will nearly quintuple by 2021 to reach 1.3 ZB by 2021. Finally, driven by all of these connected devices and the Internet of Things, the total amount of data created (and not necessarily stored) by any device will reach 847 ZB per year by 2021, up from 218 ZB per year in 2016. Data created is two orders of magnitude higher than data stored.
We’re experiencing a new type of revolution. Beyond connected devices, the next technological age will absolutely revolve around data. Structured, unstructured, multi-sourced, and numerous other types of data points are all impact the way we do business and conduct even go about our lives.
Let me give you an example. I have no doubt that you’ve heard about GDPR. To give you a brief definition, the General Data Protection Regulation (GDPR) is a specific regulation in the EU law. It covers data protection and privacy for all individuals within the European Union. Here’s the other important note, it also addresses the export of personal data outside the EU.
Although it might be somewhat of a new regulation for us to hear about, it’s actually been in the works for more than two years. And, you’re definitely feeling it now. Have you had to accept a plethora of new ‘Updated Privacy Policy’ statements? Feels like everything along with your electronic toothbrush has been updating them.
There are real ramifications if you don’t accept. For example, if you’re in Europe, you won’t even be able to adjust your thermostat unless you agree to the updated privacy policy. Social media platforms have disabled thousands of accounts for not agreeing to the latest terms and conditions. Others, like news sites, are forced to change their EU delivery altogether. If you went to visit the LA Times website from most European countries, you’d be met with a simple message: “Unfortunately, our website is currently unavailable in most European countries.” They’re not the only ones. The list includes the Chicago Times, Chicago Tribune, Baltimore Sun, and others.
Government entities aren’t doing this just to mess with multi-national organizations. People want to have the right to be forgotten. And, they want better management of their data sources. In fact, the way corporations manage some of your most private data is actually not all that great. A lot of organizations can’t confirm 100% if an individual’s personal information is purged from all systems, forever. And, even though many might know where your data resides, not all of them have good auditing capabilities to track updates, deletion, and even access.
The point is that data can be a powerful tool, but it can also complicate things. So, what happens if you’re not a consumer but a large organization? What happens when you have multiple data centers spanning the globe? How do you work with data and most of all leverage it? Let me give you a few thoughts to prepare you for the deluge of data in the coming years:
Data Classification – Understanding the 5 W’s of Data
In my experience, data can be classified in terms of what it’s doing for the business. Believe it or not, many organizations actually house some elements of personal data; oftentimes without even realizing it. To that extent, consider these 5 W’s.
- Who has access to personal or corporate data? Is the data stored or is it just transient?
- Where is this personal data being kept? And, where do you transfer this personal data to?
- Why is the personal data even under your control? Does it need to be?
- When are you keeping those personal records until? Are there situations where you’re sharing this data?
- What mechanisms do you have in place to protect personal data?
Establishing a Global Data Policy
This is a key approach for global organizations. You’ll need to establish core principles for the protection of personal data as well as policies and procedures for managing this information. In some cases, a global data policy might require the appointment of privacy champions, data protection officers, and other features.
Updating IT and Data Center Strategies
New regulations and policies mean you might have to evaluate how you’re storing and securing data. This doesn’t just have to be personal data either. Sensitive information, proprietary data, and even analytical data should all be classified and secured. To that extent, there are some great ways to segment data leveraging storage as well as networking technologies. Solutions around WAN management allow you to geo-fence data points to ensure they stay locked down. You can get pretty granular here too. You can force data to stay in a state, city, zip code, or even a building. Technology aside, you’ll also potentially want to review how you log and audit data that flows through your network. And, if applicable, you may need to include functionality that facilitates the secure destruction of personal data when no longer required for legitimate business and compliance purposes, in accordance with record retention policies.
Updating Security and Incidence Response Strategies
What happens if a breach occurs? Have you done a risk assessment and really understood the value of your data? The last thing any organization wants to experience is a data breach; especially when personal data is involved. When it comes to data and incident response, you need to have strategies which review data confidentiality, integrity, and availability. I can’t stress this enough – this is an area where you really want to do your homework.
Consider Appointing a Data Protection Officer (DPO)
In the age of data, you’ll need to work with data professionals. New jobs, titles, and roles are emerging to help you cope with the tsunami of data that’s being generated. A data protection officer has some new and critical responsibilities. This includes monitoring compliance and data protection laws, cooperate with and act as a contact person for supervisory authorities, and work to inform and advice business leaders as well as employees to the state of their data. If you’re a large organization, you might have a few of these folks working with IT, security, and business teams to ensure that data is being worked with properly.
Living in a Data-Driven World
Our future will be almost entirely become data-driven. The decisions we make, the applications we use, and the way we conduct business will all revolve around persistent connectivity and the data we create around it all. Data has the power to enable entire businesses. It also has the power to hurt people. As every business, city, and person becomes a digital entity, we’ll need to adjust data protection policies to ensure (as much as we can) privacy and security.
When utilized properly with big data engines, data analytics, and even data visualization, data and the information that it carries can be a powerful ally for both people and the business. In fact, the healthcare sector alone showcases how leading medical organizations are leveraging data to save lives every single day. This is the amazing and beneficial side of leveraging data. Of course, there are challenges around this as well, as we often read about more data breaches happening.
The final and most important element will be people. Training and working with users so that they can understand how and where their data is being used will be critical moving forward. Data will be one of those things that you simply can’t allow to get away from you. The longer you put off effective data management strategies, the more prone you are to a breach or improper handling of peoples’ data.
And there’s a price to pay if you’re in that boat. Not only can a breach impact your brand and consumer trust, you may very well be fined as well. As the GDPR guidelines point out, if a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. On the lower levels, you may be fined up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. And, at the upper levels, you may be fined up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
The penalty is calculated based on the nature of the infringement, intention, mitigation, preventative measures taken, history, level of cooperation, the data type, and more.
The bottom line: Think about your own data strategy and see where it actually measures up.
Getting to the Data End Game
An effective data management strategy will certainly be multi-faceted. This includes creating a solid process around policies, procedures, and measures. Your end-goal should include:
- User training
- A well-functioning data governance structure
- Good record-keeping of all data transactions and movements
- Updated IT policies
- Ongoing risk analysis
- Appropriate safe-guards for cross-border data transfers
Working with data in the future must take a very direct approach, featuring privacy by design and privacy by default.
It really doesn’t matter what type of organization you are. You will be working with data. In some cases, this data is benign, on other situations it might contain personally identifiable information (PII) and must be secured.
None of this is going to be easy. If it seems overwhelming, be sure to work with partners and data experts who can get your data requirements in order. Conducting a data mapping session to understand where your information resides is a great way to start.
As we become a persistently connected society, our decisions will become even more data-driven. This will ultimately happen both at the personal and business level. There will be no perfect scenario to data management; only constant vigilance and the need to keep evolving strategies around data management.