Data is an organisation’s most valuable asset. It is the resource that underpins every decision, which AI and machine learning can use for pattern matching, that explains present and past performance, and on which projections are based. Without it, organisations are less effective and efficient than their competitors, and have only instinct and prejudice to call on. Success, if they achieve it, will largely be down to chance.
But dealing with data comes with responsibilities.
Britain’s National Cyber Security Centre advises organisations to “ensure you know what data you have, where it is stored and what you consider most sensitive, and apply protections based on the risks you have identified.” Likewise, it recommends not storing data that isn’t required and, where data is replicated or cached, making sure all copies are sufficiently protected.
How organisations go about this is up to them. The Information Commissioner’s Office (ICO) acknowledges that in some cases they “can consider the state of the art and costs of implementation when deciding what measures to take – but measures must be appropriate both to your circumstances and the risk your processing poses”.
In all cases, they must ensure that their activities remain within the law, and that the measures they take to secure their data are appropriate, robust, and practical.
This requires a waking watch. Data legislation is constantly undergoing review as uses of data and the national economies such activity supports evolve. The UK’s Department for Digital, Culture, Media and Sport is currently running an open consultation on “reforms to create an ambitious pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”. One of the goals of the consultation is to help innovative businesses use data responsibly without undue uncertainty or risk.
Data and Risk Management
Although legislation varies between territories, European legislation sets a benchmark for all EU member states, on which each is free to build. Organisations basing themselves in one of the 27 EU countries, or using data gathered from or focused on a citizen or organisation within the Union – even if they are based outside the EU, as the UK now is – must ensure they meet at least these minimum standards. Any additional requirements imposed by national legislatures must be considered on top.
It is therefore vital that organisations have a clear understanding of what data they already hold, what they are collecting on an ongoing basis, and how it is handled. This requires continual landscape analysis, encompassing not only obvious metrics, like customer and transactional records, but supplementary data points, such as documents and emails stored on cloud servers, user data collected when visitors land on the corporate website, third-party data acquired from outside organisations, and alternative data used to enrich existing insight.
While the most widely discussed European regulations concerning data collection and use remains the General Data Protection Regulations (GDPR), focusing on this to the exclusion of all others would be a mistake. Post-Brexit, it has a direct equivalent in the form of UK GDPR, which is based on the Data Protection Act 2018.
The EU is expanding the areas in which it takes an interest, to the extent that the forthcoming Digital Services Act will cover not only organisations’ use of data, but the assets that comprise the physical data landscape, including internet access providers, hosting services and online platforms through which organisations conduct business.
Compliance with the Digital Services Act will require organisations to maintain transparency in their operations, cooperate with national authorities and provide more extensive information to consumers. As such, they will need to maintain granular and timely records to which they can refer when called upon and, in the case of online platforms, will be obligated to vet the credentials of third-party suppliers.
Failure to provide complete and accurate data to authorities is a risk against which firms must mitigate, and although the most stringent requirements are reserved for enterprises that serve a minimum of 10% of the continent’s population, start-ups and smaller operations must ensure they are fully aware of – and complying with – their new obligations.
Infrastructure, partnerships, and continued obligations
Ensuring adequate investment in data-centric security is therefore an essential commitment for organisations operating in or serving Europe. Outsourcing infrastructure and core services, like email hosting and data storage, to third-party cloud providers can help, since such providers that sell into the European market must themselves ensure they are fully compliant.
However, the organisation that owns the data remains its controller, and thus its responsibilities are unchanged. It must extend its internal auditing to cover its data supply and management chain and ensure its procedures for governance remain aligned with current – and incoming – legislation.
The DevOps approach to GDPR compliance
There are many practical steps that organisations can take to ensure they remain compliant with regulations in Europe and beyond, including:
- Consistent record keeping, preferably automated to ensure responsibility is never delegated to a single entity.
- Consistent use of encryption for all data both in transit and when at rest.
- Appropriate expiry intervals for all credentials and encryption keys.
- Additional security measures, such as geographical restrictions to ensure data is only accessible from authorized locations.
- A strategy for handling data and training staff, so all stakeholders understand and can comply with its requirements.
- A system for data governance and, if necessary, the use of data governance tools to track and manage access to data.
However, a comprehensive security policy should never be predicated solely on technical measures. Adopting a DevOps approach will result in broader, more comprehensive risk management, by baking in mitigation as part of the corporate culture.
DevOps looks beyond a tools-first approach to evolve processes in an iterative manner through the formulation, implementation and maintenance of strategies and policies that respond to changing business circumstances, recognise evolving risks and remain compliant with updates to national and trans-national legislation such as those applied Europe-wide.
Related Case Studies
Automated Data Solution For Curating Accurate Regulatory Data At Scale
Learn how a leading regulatory intelligence provider is offering expert insights, analytics, e-Learning, events, advisory and consulting focusing on the payments and gambling industries
Document Collection and Metadata Management System For the Pharmaceutical Industry
A leading provider of data, insight and intelligence across the UK healthcare community needed quick and reliable access to a vast number of healthcare documents that are published everyday in the UK healthcare community.