Cloud-based collaboration company Intralinks and international legal firm Field Fisher Waterhouse (FFW) have published a free guide to help enterprises share information without risk of violating data protection laws.
The guide entitled Confidential Collaboration: How to manage regulatory compliance & data privacy while keeping your data safe, was commissioned by Intralinks and compiled by FFW.
“We commissioned the report because of the lack of preparedness inside our global customer base to address the type of legal challenges that will inevitably increase,” said Richard Anstey, CTO of Intralinks.
“We wanted to show businesses that it is important to be more proactive about strategies and data protection regulation relating to collaboration and information sharing.”
The guide proposes best practice to ensure data privacy and regulatory compliance for the enterprise, using examples of recent high-profile incidents involving corporate information use, access and sharing.
More specifically, the guide makes recommendations on how to minimise legal risks and avoid significant fines, penalties and loss of reputation resulting from non-compliance.
Read more about data protection
- BYOD: data protection and information security issues
- Is it time to move from data protection to information management?
- Google facing European sanctions over data protection
- Data protection methods, define thyself
- Google, privacy and data protection: One step beyond (the law)?
- MEPs vote to tighten data protection rules after internet surveillance revelations
The guide outlines data protection laws in different legal jurisdictions such as the European Union (EU) and the US, including an assessment of where data is safest in terms of legal rules preventing unlawful access.
The guide also covers the importance of comprehensive due diligence when working with third-party data processors, and guidelines for governance, risk mitigation and compliance.
Sharing information is a functional activity of business critical to success and productivity, and cannot be avoided, said Stewart Room, author of the guide and partner at FFW.
“But all this is against a background of massive technical and organisational upheaval, including the move to cloud computing, mobile devices and bring your own device (BYOD),” Room told Computer Weekly.
“What has been missed in all the discussion around these topics, however, is that, at the heart of all of these, the issue is about how people go about collaborating and sharing.”
Despite the general awareness of topics such as de-perimeterisation, BYOD, mobility and cloud, he said the activity of collaboration itself tends to be overlooked, as well as the associated regulatory risks that arise.
“With BYOD the conversation tends to be about things like the ability to wipe data remotely, but does not tackle the central issue of how to get some governance around collaboration and information sharing,” said Room.
He believes businesses need to get past the operational issues and home in on the purpose and benefits of collaboration and information sharing.
“Then they need to work backwards to design business processes and look at technologies to facilitate what they are really trying to achieve,” said Room.
Governance and risk management
The key point of the guide is that, if businesses do not create proper governance around collaboration and information sharing, that will carry a huge amount of legal and reputational risk, he said.
“The conversation is not just about data breaches that would occur in an ungoverned environment, but the massive exposure to unacceptable legal and reputational risk should they occur,” said Room.
Businesses need to focus on the risk of the activity first, which he said should shape the corporate agenda. This in turn will shape related activities, such as BYOD and self-procurement.
For example, Anstey said some organisations have put firewalls in place that catch any requests that go out to a consumer file-sharing environment. They redirect the user to a portal provided by IT, through which individuals and departments can procure approved services for collaboration and file-sharing.
Controlling the threat landscape
This effectively gives central IT functions control, audit and governance over what is going on and make sure it fits with all the internal processes and audit requirement, he said.
“Self-procurement is not a bad thing. It is the proliferation of tools in an uncontrolled way that is a huge danger, particularly when those tools do not have the controls to enable good governance,” said Anstey.
For example, organisations tend to overlook the need for rights management systems to ensure that, once a collaborative task is over, they have the ability to “unshare” information.
According to Room, taking a risk-based approach enables businesses to be able to work backwards to create the right kind of governance and organisational and technological frameworks to deal with risk and make decisions about risk appetite and risk acceptance.
Tackling identified risks
Once the risks have been identified, the guide charts some ways forward for organisations to tackle those risks.
“The guide highlights that there is a huge amount of legal and regulatory risk, it aims to help organisations look at that risk in the context of recent internationally reported events, and then suggests key questions to ask about strategy for dealing with it,” said Room.
He said organisations have to accept their responsibility for tracking the full information lifecycle by ensuring the technical ability to audit activities and pull back information when a task is done, and at the same time technology suppliers must have the right attitude and understanding of the regulatory environment, especially in Europe, to support organisations in their ability to manage risk.