Source – techrepublic.com
Issues surrounding data privacy are as legally unresolved today as they were two years ago, but the recent Equifax breach now puts a clear focus on them that strikes fear into the hearts of CIOs.
The Equifax data that was breached was not big data. However, big data is a major privacy concern for IT because so much of it is coming into enterprise data repositories from so many sources; and it comes in many shapes and sizes.
After Equifax, CIOs can rest assured that their CEOs and boards will be following their work in data privacy closely—and big data is one of the areas they’ll be most concerned about.
What operational steps can IT take to assure at a grass root level that sound data privacy practices are employed for their big data?
1. Continuously vet your big data cloud-based vendors for data privacy
Many cloud vendors can provide the levels of privacy and security that you want for your big data—but you have to demand it and be willing to pay for it. Never assume that your cloud vendor will apply best practices by default. Your staff should carefully evaluate the privacy protections that each of your big data cloud vendors offers and determine whether those protection levels meet your own internal governance standards. If a cloud vendor’s data privacy practices don’t meet your governance standards, pass on the vendor. Also ask your external IT auditors to review all cloud-based vendor data protection and security practices as part of the IT audits they perform for your company. Vendor data protection and security levels should be checked at least annually.
2. Use private clouds
Most public cloud vendors offer private cloud services, too. Placing your data in a private cloud is more expensive than being a multi-tenant customer in a public cloud, but the private cloud deployment better separates your organization’s data from that of others. Cloud-wise, it is the next best thing to keeping your data on premises.
3. Anonymize data
You can protect the data privacy of your customers and still perform critical trend analysis. One way to accomplish this anonymization is by encrypting the data elements that personally identify someone. Another way is to identify data from individuals with similar values (say the value you are measuring is income) and average them into a composite income value that is pulled into the larger data analysis. Other methods are data redaction and masking.
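The three techniques above, worked through in code as an added example (not from the article): a keyed hash standing in for encryption of identifiers, redaction of an SSN, and composite income per ZIP code with small groups suppressed so a single person's value cannot be read back. The records, field names, key and the minimum group size of 3 are constructed assumptions; note that a keyed hash or encryption is pseudonymization, reversible by whoever holds the key, so the key has to be kept out of the analytics environment.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample records (fictional people), not data from the article.
RECORDS = [
    {"name": "Ada Lovelace", "ssn": "123-45-6789", "zip": "30301", "income": 52000},
    {"name": "Alan Turing", "ssn": "987-65-4321", "zip": "30301", "income": 61000},
    {"name": "Grace Hopper", "ssn": "555-12-3456", "zip": "30301", "income": 48000},
    {"name": "Claude Shannon", "ssn": "222-33-4444", "zip": "30302", "income": 90000},
    {"name": "Edsger Dijkstra", "ssn": "777-88-9999", "zip": "30302", "income": 95000},
]

def pseudonymize(value: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256) instead of a plain hash: without the key a
    # dictionary of names cannot be hashed to work out who a token belongs to.
    # The key must live outside the analytics store.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def mask_ssn(ssn: str) -> str:
    # Redaction: keep only the last four digits of an SSN-shaped string.
    return "***-**-" + ssn[-4:]

def aggregate_income(records, group_field="zip", min_group=3):
    # Composite value per group; groups with fewer than min_group members are
    # suppressed so an average cannot be traced back to one person.
    groups = defaultdict(list)
    for rec in records:
        groups[rec[group_field]].append(rec["income"])
    return {g: round(statistics.mean(v)) for g, v in groups.items() if len(v) >= min_group}

def anonymize(records, key: bytes, min_group=3):
    # Rows handed to analysts carry a pseudonym, a masked SSN and the group's
    # composite income rather than the individual's own figure.
    composites = aggregate_income(records, min_group=min_group)
    out = []
    for rec in records:
        if rec["zip"] not in composites:
            continue  # group too small to publish safely; drop the row
        out.append({"id": pseudonymize(rec["name"], key),
                    "ssn": mask_ssn(rec["ssn"]),
                    "zip": rec["zip"],
                    "income_composite": composites[rec["zip"]]})
    return out
```

Running `anonymize(RECORDS, key=b"demo-key")` returns three rows for ZIP 30301 and drops the two-person ZIP 30302 group entirely.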
4. Locate all the big data enclaves in your company and vet these for data privacy
As organizations distribute big data throughout departments and business units, there is always a risk that the data held within a department is changed so that data privacy levels are no longer met. The department responsible for big data governance and administration should regularly identify and track the big data marts distributed throughout the company. These localized big data marts should also be periodically audited by external IT auditors for data privacy compliance. If business units and other non-IT departments are using cloud-based services, the data privacy practices of their vendors should be verified for compliance with corporate standards. Cases of non-compliance should be documented and mitigated immediately.
5. Set your sights on GDPR
If you’re a North American company and you aren’t doing business internationally, you might not immediately have to concern yourself with the European Union’s General Data Protection Regulation (GDPR).
The GDPR, which aims for more stringent protections of individuals’ data, goes into effect in May 2018. According to a Gartner prediction, over 50% of companies affected by GDPR will not have met its requirements by 2018. The fines for non-compliance are hefty – up to 4% of annual revenue.
Keeping GDPR in sight matters because even if your company doesn’t do business in Europe today, it might in the future; and GDPR is where data privacy practices are headed in the future. If you comply with it now, you’re ahead of the game.
6. Perform social engineering audits
It’s the dark side of IT, but the reality is that employee sabotage of critical data happens, as does inadvertent and sometimes purposeful inappropriate data sharing between employees and with individuals outside of the organization. All are reasons to include a social engineering audit along with your annual IT audit when your external auditor arrives. A social engineering audit looks for phishing attacks, phone and physical entry attacks, and other types of technical and social deception that can often be traced back to your own employees. You can uncover potential areas of vulnerability, and also use the audit as a means of identifying the types of employee training that could be helpful.