Enhancing business purpose with privacy compliance

Personal privacy

The headlines were about the huge fines that would emerge, but one year on, there have been few fines and GDPR has largely fallen into the background. It is also questionable how far personal privacy has actually been enhanced in real technical terms, says Paddy Francis, chief technology officer at Airbus CyberSecurity.

“To get real change, businesses need to make the cultural shift from basic compliance to look at privacy as a means to enhance the business purpose, not just through policies, but through implementation at the code and data level within systems,” says Francis.

“Business purpose in this context is not just to deliver profit, but the purpose of the business in terms of what it delivers for its customers, its brand image and its social responsibility.”

He says GDPR should therefore be regarded as an opportunity to promote data as an asset that provides value to the business and consequently to protect and promote data in the same way as any other asset.

For example, a bank that will deliver banking services to its customers needs to be seen as strong and secure and responding to public issues that its customers and shareholders care about. “We therefore need to identify how privacy can promote business purposes,” says Francis.

As an example, he points to the Edward Snowden WikiLeaks revelations. Several years ago, the tech giants saw an opportunity, after the Snowden revelations on government monitoring of the internet, to roll out HTTPS.

Use of HTTPS

The secure web protocols had previously only been used for banking and to protect credit card information on e-commerce sites. ”Companies used HTTPS as a marketing tool to protect their customers from government snooping,” says Francis. “Today, HTTPS is ubiquitous with everything from Google searches to news delivered running over HTTPS and its use is promoted by organisations such as the National Cyber Security Centre.

“While, in reality, it provides little additional privacy, as the URLs still show what pages people are viewing, it did serve the business purpose of the organisations.”

Like all professionals, information security practitioners long for their subject area to be recognised for the value it provides to the business. Francis says the General Data Protection Regulation should be a godsend to them, because they can use “the stick” of fines as an incentive to get the business to take data security seriously.

The GDPR legislation mandates that, at the design phase of any processing operation as well as at the time of the processing itself, organisations shall put in place appropriate technical and organisational measures designed to implement data protection in an effective manner, and to integrate the necessary safeguards into the processing.

Therefore, those responsible for the development and delivery of the data systems need to look at how proper privacy implementation can promote the business as well as protect it from fines, and put this forward as a business enabler.

Data collection challenge

According to Francis, one area often missed by many is minimising data collection, retaining only what is absolutely necessary and making the purpose of data collection clearly visible to users. This gives users confidence and reduces the potential impact of any data breach.

“I find that when signing up for many new services, I am still asked for my date of birth and postcode, so that what is delivered can be tailored to my demographic,” he says. “However, I am pretty sure that no algorithm exists that can differentiate content for me from that for people born the day before or the day after me – AI really isn’t that good.

“Similarly, postcode areas, which typically contain 15 households, are unlikely to be significantly different from those adjacent to them, so why insist on a full postcode? These organisations are clearly collecting more information than they need for their declared purpose, and this is a potential breach of GDPR.”

Francis believes this also magnifies the consequence of a breach, because a date of birth and a postcode, supplemented by other information such as the electoral register, can make someone fully identifiable, even if they have only signed up with a screen name. “What information is really needed is only known by the algorithm developers and database architects, but generally, they are not included in the GDPR conversation and it is easier for them to use standard calls and database structures to collect full datasets,” he says.

Increasing user trust

Francis believes that by reducing the amount of data collected to only that which is really required will increase user trust and make people less likely to use false information where they believe the data request is excessive, or presents a risk.

“Holding more than the minimum dataset also increases the chances of data aggregation, which can turn a minor breach into a serious one, and can mean a declaration to the Information Commissioner’s Office rather than self-recording the event,” says Francis.

But, as Raef Meeuwisse, Isaca expert speaker and author of Cyber security for beginners, points out, most of the tech giants hold many gigabytes of personal data about each person they track.

He says they have not sought to downgrade the value of their lakes of personal data, but they have tried to be transparent and efficient about it.

“For any organisation that cares about profit and long-term trust, the safe and effective management of personal information is key to success,” says Meeuwisse.

“Until or unless the actual regulatory fines being imposed increase, the driver for improved personal information management needs to come from the fear of missing out. Consider the market leader in your sector – is gathering and using personal information core to success?”

While it is tempting for privacy specialists to seek to minimise the amount of personal information that is collected, Meeuwisse argues that most regulations are not asking for less personal information to be collected.

“They are asking for transparency and consent for the people who have their data collected – and for the amount of information to be reasonable in the context of how it will be used for both the data subjects and the organisation collecting it,” he says. “Compliance with privacy regulations is an opportunity to outclass the competition. But failing to be compliant will leave any organisation battling to work out what personal data it can keep.”

The more efficient and streamlined an organisation can be in its data protection processes – such as data discovery, data subject requests and data retention – the easier a company will find it to ingrain these practices in the long term, he adds.

Making compliance easier

Making compliance easier for everyone in the organisation will ensure that data protection starts to be seen as a part of everyday business activity rather than an overhead required to avoid hefty fines, says Richard Hunt, managing director at Turnkey Consulting.

While data retention policies have been seen as an extensive task for a lot of organisations and one that is difficult to monitor among employees, Hunt says having a formal deletion process has many benefits for an organisation.

“It allows the organisation to manage and understand the data it holds, remove low-value data and, in turn, lower data storage costs,” he says. “The improvement in data quality will unlock opportunities for more discerning marketing that deploys contextual campaigns to groups or individuals – subject to consent – that are far more likely to be successful in revenue terms.”