According to Gartner Inc., by 2019, 90 percent of organisations will hold personal data on IT systems that they do not own or control. The firm says organisations should create a privacy programme that ensures that this personal data is kept safe and protected.


Enterprises have traditionally been the target of security threats, with hackers going after vulnerable IT infrastructure. However, as enterprise security solutions have improved, hackers have shifted their focus towards softer targets: employees, contract workers, customers, citizens and patients, and the personal data held about them.

“As the amount of personal information increases multifold, individuals and their personal data will increasingly become a security target. And, yet in most scenarios the organisation is still ultimately accountable for the personal data on its IT systems,” says Carsten Casper, research vice-president, Gartner.

Casper adds, “The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years.”

As the research firm notes, the PCI data security standard (DSS) imposes stringent controls on those who collect and store credit card data. In response, many companies have decided to eliminate credit card data from their own systems entirely and entrust it to an external service provider. The same could happen with personal data: if control requirements are too strong and implementation too costly, organisations will consider handing personal data over to a specialised personal-data processor.

Gartner has identified a few steps towards securing personal data. The first is to create a policy that draws a clear line between data that relates to human beings and data that does not. The former category includes contact information and health and financial information, as well as Internet Protocol addresses, geolocation data and other traces an individual leaves in the online world. The latter category notably includes business plans, corporate financial data and intellectual property. The true challenge lies in handling data that can fall into both categories. Whether an organisation decides to declare a given type of data personal depends on its risk appetite; in the majority of cases, companies prefer to risk a mild rebuke from a regulator rather than re-engineer entire business processes.

Gartner points out that locating and documenting personal data has to go hand in hand with creating policy. Once personal data has been located, it needs to be protected, and encryption is the most widely used protective control. A further challenge arises where the organisation does not own the underlying IT infrastructure, whether that is a mobile device or a cloud environment. Personal data should not be mixed with other data: any system that processes personal data in the same way as non-personal data exposes the personal data to whatever threats the rest of the system faces. Content should be analysed before decisions are made about protection. Such decisions are easier when employee performance information lives in a human resource management system, customer information in a customer relationship management system, and financial and business information in an enterprise resource planning system.
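The two steps above, locating and documenting personal data and then keeping it apart from other data, can be illustrated with a small scan over structured records. The following Python is an added example written for this page, not Gartner's or anyone else's tooling. The records, field names and the HMAC linking key are constructed; the choice to treat a field as personal if it carried personal data in any record (the "both categories" case, resolved the risk-averse way) and the use of a keyed hash to link the two stores are the example's own assumptions, not something the report prescribes.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample records (not real data). The "notes" field mixes business
# text and, in one record, an e-mail address: data that falls into both categories.
SAMPLE_RECORDS = [
    {
        "order_id": "A-1001",
        "customer_email": "alice@example.com",
        "client_ip": "203.0.113.7",
        "coords": "52.5200,13.4050",
        "notes": "Q3 plan: expand to DACH region",
        "revenue": "1200.00",
    },
    {
        "order_id": "A-1002",
        "customer_email": "bob@example.org",
        "client_ip": "not-an-ip",
        "coords": "",
        "notes": "Call bob@example.org about invoice",
        "revenue": "80.00",
    },
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "lat,lon" decimal pairs; deliberately strict so revenue figures do not match.
GEO_RE = re.compile(r"^-?\d{1,2}\.\d+,\s*-?\d{1,3}\.\d+$")


def is_ip(value: str) -> bool:
    """True for syntactically valid IPv4/IPv6 literals, false for everything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_value(value: str) -> List[str]:
    """Return the kinds of personal data detected in one field value."""
    kinds = []
    if EMAIL_RE.search(value):
        kinds.append("email")
    if is_ip(value):
        kinds.append("ip")
    if GEO_RE.match(value):
        kinds.append("geo")
    return kinds


def inventory(records: List[dict]) -> Dict[str, Set[str]]:
    """Document which fields carried personal data, and of what kind, across all records.

    A field is recorded as personal if *any* record held personal data in it, so a
    free-text field such as "notes" is caught even though most of its values are
    business text. That is the risk-averse resolution of the mixed-category case.
    """
    found: Dict[str, Set[str]] = {}
    for rec in records:
        for field, value in rec.items():
            for kind in classify_value(str(value)):
                found.setdefault(field, set()).add(kind)
    return found


def segregate(records: List[dict], inv: Dict[str, Set[str]], key: bytes) -> Tuple[List[dict], List[dict]]:
    """Split each record into a non-personal store and a personal store.

    The two halves are joined by an HMAC of the business identifier under a secret
    key (an assumption of this example), so the personal store carries no plain
    business identifier and the business store carries no personal data.
    """
    business, personal = [], []
    for rec in records:
        token = hmac.new(key, rec["order_id"].encode(), hashlib.sha256).hexdigest()[:16]
        b, p = {"ref": token}, {"ref": token}
        for field, value in rec.items():
            (p if field in inv else b)[field] = value
        business.append(b)
        personal.append(p)
    return business, personal


if __name__ == "__main__":
    inv = inventory(SAMPLE_RECORDS)
    for field, kinds in sorted(inv.items()):
        print(f"{field}: {', '.join(sorted(kinds))}")
    biz, pers = segregate(SAMPLE_RECORDS, inv, b"constructed-demo-key")
    print("business store fields:", sorted(biz[0]))
    print("personal store fields:", sorted(pers[0]))
```

Running the scan produces the data map the policy step asks for (which fields hold e-mail, IP or geolocation data) and a business store that can be processed without personal-data controls; the personal store is the only part that then needs encryption and the stricter handling described above.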

According to Gartner, complying with a large number of privacy laws and cultural expectations across multiple regions can be costly. Privacy standards simplify control frameworks, audits and information exchange, especially where many players and stakeholders are involved. Regardless of the specific privacy standard and cross-border transfer mechanism used, the most difficult challenge for organisations is to make such rules binding on all entities involved, including all employees, and to accept liability where employees or customers suffer harm. Further, privacy expectations continue to be shaped by laws, and jurisdictions have physical boundaries. This collides with the IT reality of cloud and mobile computing. The physical location is where the electrons and bytes are stored; given that this information can be accessed from the other side of the world in a fraction of a second, the physical location ought to be increasingly irrelevant. Yet physical location is still what many regulators continue to rely on, although from a regulatory perspective the legal location should matter most.

However, an increasing number of companies and service providers have shown a preference for moving toward a more pragmatic logical location. As an example, personal data might be stored in the data centre of a US-based cloud provider, which is operated by a third-party service provider from India. The data is encrypted, the Indian IT employees manage only routers and servers, and only European employees of the client can actually see the data. These employees are located in Europe and are bound by a European employment contract and European privacy laws. Logically, the data is in Europe, although legally and physically it may be somewhere else. The model only holds if the encryption keys stay with the client's European staff; an operator who can administer the servers and also obtain the keys sees the data regardless of where it is stored.