Data privacy is a hot topic in the world today; people are increasingly concerned about what data they share with the external world. The reality is that many don’t even realize that a lot of their personal information is already widely shared through the mobile apps they use.
While we might not have a ready solution to all of this, what we do know is that personal data in the hands of enterprises needs to be handled with enterprise-class security. Multinationals including Sony and Comcast have agreed to pay millions of dollars for the data breach cases that happened in the recent past.
As the outsourcing partners for many of these large corporations, we have to comply with the data privacy and data protection laws applicable to our customers’ jurisdictions. In this blog, my aim is to provide the best practices to be followed by IT services firms for data protection. These are vital given that compliance with data privacy standards adds to customer comfort when signing contracts.
1. Stay abreast with current laws and developments in the space
Data laws are relatively new and are updated frequently. In the recent past, we read about the invalidation of the data transfer pact between the US and the EU. Microsoft has already factored this announcement in: the firm is opening datacenters in the UK and building a few more in Germany to cater to its operations in that region. As outsourcing partners to customers, IT services providers have to be equally agile and sign contracts with cloud service providers that comply with the laws of the land.
Even leaving countries aside, individual states and provinces are also enacting and amending laws on a fairly regular basis. For example, the state of California recently passed a law stating that the local police need to get a warrant to access online data.
Do keep in mind that while not every law applies to IT services providers, it is still important to keep track of such laws.
Now, what is the solution to the above problem? I recommend that every service provider that deals with customer data in some form should maintain an inventory of the applicable privacy and data protection laws, organized by geography and by industry. There should also be a process for regularly updating this list.
2. Create policies according to information flows
It is important to note that security does not mean locking everything away from the external world. Doing that would make the application useless. The challenge is to ensure that there are appropriate access controls at every stage while preserving the full functionality of a hosted application.
This is where understanding data flows becomes crucial. By understanding the data flows in the application, one can come up with appropriate access controls and ensure data protection. Some of the steps in the process include:
· Creating an inventory of information
· Identifying personal data
· Identifying data storage
· Identifying data processing stages and modules
Once done, you will then have to implement baseline controls for data protection and privacy. The baseline must be mapped to existing contractual requirements and also to the privacy principles – notice, consent, onward transfer, retention, disposal, etc.
Policies and procedures need to be drawn up wherever personally identifiable data flows. Payroll processing, for example, is one such area where the information is confidential.
Following the trust-but-verify approach, put an audit plan in place to ensure implementation of the framed policies and directives.
3. Implementing the right controls
Technology enables us to formulate the proper controls to ensure data privacy. Some controls that come to my mind are:
· Enabling the right access controls
· Encryption of Data
· Physical and Logical Separation (to the extent possible) – For example, not allowing mobiles, pen, paper, bags inside production area where personal data is processed
· Data Leakage Prevention (DLP) tools
· Maintaining access logs
4. Data breach detection and response
According to a research report by Varonis, 67% of data breach incidents are detected only after several months, and 70% of firms find out about data breaches from customers and third parties rather than from their own IT departments.
While data breaches can happen because of sophisticated cyber-attacks, it is the companies that bear the brunt of angry consumers. It is important that a data breach is notified to the customer and to the authorities, where applicable. It is expedient to keep the response communication template ready, along with the details of the persons to be notified. Response management helps in containing the damage; finding out about a data breach from external sources will only add to the embarrassment.
So it is of paramount importance to include data breach detection and response methods along with the data protection controls discussed in the previous section.
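The detection side of this section, as an added example in Python that is not part of the original post: it runs simple detection logic over a constructed JSON-lines access log of the kind the earlier controls produce (who read which record and which personal-data fields, and when), flags an account that reads far more distinct records in an hour than the assumed baseline or reads personal data outside business hours, and opens a response record with the pre-agreed notification list so the first message is not improvised. The baseline of 25 records per hour, the business hours, the actors and the contact placeholders are all assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PII_FIELDS = {"name", "email", "bank_account"}
MAX_DISTINCT_RECORDS_PER_HOUR = 25   # assumed baseline for this example
BUSINESS_HOURS = range(7, 20)        # 07:00 to 19:59 local, assumed


def build_sample_log():
    """Constructed JSON-lines access log: a clerk's normal morning and an
    analyst bulk-reading payroll records late at night."""
    lines = []
    for i in range(5):
        ts = datetime(2016, 3, 1, 9, 0) + timedelta(minutes=10 * i)
        lines.append(json.dumps({"ts": ts.isoformat(), "actor": "alice", "role": "payroll_clerk",
                                 "record": f"E{1001 + i}", "fields": ["name", "bank_account"]}))
    for i in range(60):
        ts = datetime(2016, 3, 1, 23, 10) + timedelta(seconds=30 * i)
        lines.append(json.dumps({"ts": ts.isoformat(), "actor": "bob", "role": "reporting_analyst",
                                 "record": f"E{2001 + i}", "fields": ["name", "email"]}))
    return "\n".join(lines)


def parse_log(text):
    """Parse one JSON object per line; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events, max_per_hour=MAX_DISTINCT_RECORDS_PER_HOUR):
    """Return alerts: one per actor whose distinct personal-data records in a
    sliding one-hour window exceed the baseline, and one per actor with any
    personal-data reads outside business hours (with the count)."""
    alerts = []
    windows = defaultdict(list)
    volume_alerted = set()
    after_hours = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        if not PII_FIELDS & set(e["fields"]):
            continue                     # non-personal data: out of scope
        actor = e["actor"]
        if e["ts"].hour not in BUSINESS_HOURS:
            after_hours[actor] += 1
        w = windows[actor]
        w.append(e)
        cutoff = e["ts"] - timedelta(hours=1)
        while w and w[0]["ts"] < cutoff:
            w.pop(0)                     # drop events older than one hour
        distinct = {x["record"] for x in w}
        if len(distinct) > max_per_hour and actor not in volume_alerted:
            volume_alerted.add(actor)
            alerts.append({"type": "bulk_pii_read", "actor": actor, "role": e["role"],
                           "records_in_window": len(distinct), "at": e["ts"].isoformat()})
    for actor, n in after_hours.items():
        alerts.append({"type": "after_hours_pii_read", "actor": actor, "count": n})
    return alerts


def open_incident(alert, contacts):
    """Turn an alert into a response record carrying the pre-agreed contact list
    (customer and, where the law requires it, the authority) so nobody has to
    look them up during the incident."""
    return {
        "alert": alert,
        "status": "triage",
        "actions": [
            "confirm with the actor's manager whether the access was authorised",
            "suspend the account pending review",
            "list the affected data subjects from the access log",
        ],
        "notify": contacts,
    }


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    contacts = {"customer": "<customer privacy contact, placeholder>",
                "authority": "<supervisory authority, placeholder>"}
    for alert in detect(events):
        print(json.dumps(open_incident(alert, contacts), indent=2))
```

Run as-is it prints two incidents for the analyst account, one for the bulk read and one for the after-hours reads; the clerk's five morning reads produce nothing. The sliding window is the part worth adapting: the baseline should come from each role's observed history rather than a single constant.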
5. Spreading awareness among employees
In my experience, most data breaches happen because of lack of awareness on the part of the employees. Spreading awareness among employees working in these processes through training programs is crucial.
At Mphasis, we have a mandatory training program on Privacy and Data Protection. Every employee has to complete the training program once a year. Our Chief Risk Office designed the training program and, in fact, we won the TISS LeapVault CLO Award 2015 for the best Risk, Safety & Policy Compliance Training Programme.
6. Winning confidence
Customers are looking beyond technical prowess while awarding contracts to IT services firms. They want to feel safe after awarding the contract. There are two subsets to winning customer confidence:
1. Certifications: The ISO 27000 family of standards governs information security. These standards apply even to cloud service providers. In fact, some cloud service providers are already compliant with the ISO/IEC 27018 standard, which caters to protecting personal data stored in the cloud. Additionally, ISO/IEC 29100:2011 provides a privacy framework that
· specifies a standard privacy terminology;
· defines the actors and their roles in processing personally identifiable information (PII);
· describes privacy safeguarding considerations, and provides references to known privacy principles for information technology.
BS 10012 certification is yet another one that comes to my mind on the topic of Personal Information Management.
IT service providers should also vie for such certifications to build trust with their customers.
2. P2P connect: Customer conversations should move beyond sales teams and CRMs. I would strongly recommend peer-to-peer discussions among the Chief Risk Officers, Chief Legal Officers, and Chief Privacy Officers. While the technology team has historically built trust with respect to technology prowess, the above discussions will address the challenges in the domain of data privacy and protection.
These were my views on how IT service providers can ensure compliance with data protection while dealing with sensitive customer data. Have you ever dealt with ensuring compliance in this area? If you have, I will be delighted to learn about your experiences too.