Story Box-ID: 603420

Gartner UK Ltd Tamesis, The Glanty Egham TW20 9 Surrey http://www.gartner.com
Contact Ms Katharina Meneikis +49 89 99837015

Gartner Says by 2019, 90 Per Cent of Organisations Will Have Personal Data on IT Systems They Don't Own or Control

Gartner Special Report Examines Trends in Security and Risk

(PresseBox) (Stamford, Conn., )
Organisations should create a privacy programme that keeps personal data at arm's length, but under control, according to Gartner, Inc. Gartner predicts that by 2019, 90 per cent of organisations will have personal data on IT systems that they don't own or control.

Organisations have traditionally been the target of security threats, and until recently, hackers focused on attacking vulnerable IT infrastructure. As protection for such infrastructure improves, the attackers' attention shifts to softer targets, such as employees, contract workers, customers, citizens and patients.

"As the amount of personal information increases multifold, individuals and their personal data will increasingly become a security target. And, yet in most scenarios the organisation is still ultimately accountable for the personal data on its IT systems," said Carsten Casper, research vice president at Gartner. "The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years."

"The PCI Data Security Standard (DSS) requires the implementation of stringent controls of those who collect and store credit card data. In response, many companies have decided to eliminate credit card data from their own systems and completely entrust it to an external service provider," said Mr Casper. "The same could happen with personal data. If control requirements are too strong and implementation is too costly, it would make sense to hand over personal data to a specialised 'personal-data processor'."

Gartner has identified the following steps to prepare for such a strategy:

Create Clear Delineations Between Personal and Nonpersonal Data

The first step should be to create a policy that draws a clear line between data that relates to human beings and data that does not. The former category includes contact information and health and financial information, as well as an internet protocol address, geolocation data and other traces an individual leaves in the online world. The latter category especially includes business plans, corporate financial data and intellectual property. Separating the two is necessary, because different laws apply.

The true challenge resides in handling data that can fall into both categories. Whether an organisation decides for or against declaring certain types of data as "personal data" depends on the organisation's risk appetite. In most cases, companies tend to prefer to risk a little rebuke from a regulator rather than having to re-engineer complete business processes.

Put a Fence Around Personal Data

Even the best data protection policy is worthless if you can't live by it. Locating and documenting personal data have to go hand-in-hand with creating the policy. Once personal data has been located, it needs to be protected. Encryption is the most widely used protective control. An additional challenge exists where the organisation does not own the underlying IT infrastructure - be it a mobile device or a cloud environment.

Favour Purpose-Built Over General-Purpose Applications

Personal data should not be combined with other data, if possible. Any technology that processes personal data in the same way it processes nonpersonal data creates a risk. Content should be analysed before decisions are made about protection. Such decisions are easier if employee performance information is stored in an HR management system, customer information is stored in a customer relationship management system, and financial and business information is stored in an enterprise resource planning system.

Adhere to Privacy Standards, or Create Your Own

Compliance with dozens of privacy laws and cultural expectations from multiple regions can be costly. Privacy standards simplify control frameworks, audits and information exchange, especially in scenarios where many players and stakeholders are involved. Regardless of the specific privacy standard and cross-border transfer mechanism used, the most difficult challenge for organisations is to make such rules binding on all entities involved, including all employees, and accept liability in cases where employees or customers suffer harm.

Logical Location Rules Over Physical and Legal Location

Privacy expectations are still influenced by laws, and jurisdictions have physical boundaries. This collides with the IT reality of cloud and mobile computing. The physical location is the location where the electrons and bytes are stored. Given that this information can be accessed from the other end of the world in a fraction of a second, the physical location should be increasingly irrelevant. Yet this physical location is still what many regulators insist on, although the legal location should be most relevant from a regulatory perspective.

Companies and service providers prefer to move toward a more pragmatic approach - the logical location. As an example, personal data might be stored in a data centre of a US cloud provider, which is operated by a third-party service provider from India. However, data is encrypted, the Indian IT employees manage only routers and servers, and only European employees of the client can actually see the data. These employees are located in Europe, and bound by a European employment contract and European privacy laws. Logically, the data is in Europe, although legally and physically, it may be somewhere else.

More detailed analysis is available in the report "Let Go of Personal Data Without Losing Control." The report is available on Gartner's web site at http://www.gartner.com/....

This report is part of the Gartner Special Report "The Future of Global Information Security." The special report can be viewed at http://www.gartner.com/... and includes links to reports and commentary that explore the major tectonic forces at play and how business use of technology will be dramatically changed by rapid escalations in threat, defence and societal demands.

Gartner analysts are also discussing key trends in the security space at the Gartner Security & Risk Management Summit 2013 going on through Thursday at the Gaylord National in National Harbor, Maryland. This Summit is the premier gathering for senior IT and business executives across IT security and risk management, including privacy, compliance, business continuity management (BCM), IT disaster recovery and business resiliency. The Summit offers five role-based programmes that delve into the entire spectrum of IT security and risk, including: network and infrastructure security; identity and access management; compliance; privacy; fraud; BCM; and resilience.

Gartner Security & Risk Management Summit 2013 will also be taking place 19-20 August in Sydney, Australia and 18-19 September in London, UK. Details on the Australia event are at http://www.gartner.com/.... More information on the UK event is at http://www.gartner.com/....

Members of the media can register for press passes to the Summits by contacting susan.moore@gartner.com (Sydney) or rob.vandermeulen@gartner.com (London).

Information from all Gartner Security & Risk Management Summits 2013 will be shared on Twitter at http://twitter.com/... using #GartnerSEC.

Gartner UK Ltd

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for its clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, Gartner is a valuable partner in more than 13,000 distinct organizations. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 5,500 associates, including 1,402 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

The publisher indicated in each case (see company info by clicking on image/title or company info in the right-hand column) is solely responsible for the stories above, the event or job offer shown and for the image and audio material displayed. As a rule, the publisher is also the author of the texts and the attached image, audio and information material. The use of information published here is generally free of charge for personal information and editorial processing. Please clarify any copyright issues with the stated publisher before further use. In case of publication, please send a specimen copy to service@pressebox.de.
Important note:

Systematic data storage as well as the use of even parts of this database are only permitted with the written consent of unn | UNITED NEWS NETWORK GmbH.

unn | UNITED NEWS NETWORK GmbH 2002–2024, All rights reserved
