The next career limiting opportunity for CIOs: Getting data privacy wrong
Thanks to emergence of concepts such as the right to be forgotten, and consumers hyper-sensitised to data protection by revelations about intelligence agency snooping, privacy is becoming a bigger and bigger headache for companies — and the CIO is bearing the brunt.
Most companies analyse customer data in some way, but there are increasing amounts of legislation around how such data handling should be performed. Breaking the rules can land a company in hot water — and leave the CIO out of a job.
"Privacy regulation is now a topic that no CIO should underestimate as a major risk factor for business. CIOs who underestimate privacy regulation risk fines for their organisation, undermine their organisation's reputation and trust, as well as risk losing their own jobs," analyst firm Forrester said in a recent report.
Enterprise technology projects involving big data and analytics, as well as other, more customer-facing initiatives such as mobile advertising, involve querying and processing vast amounts of customer data. It's copied between systems, mixed, analysed, mined, chopped, and shaped — often by staff with little understanding of the bigger privacy issues.
As a result, it falls to the CIO to make sure that a customer privacy strategy is in place and stuck to, and addresses issues as diverse as who owns customer-related data, whether customer data from social media sites should be used in marketing, and how data should be shared among employees.
Forrester's report Customer Privacy Is A European CIO Priority said that not only should CIOs make sure their organisation is complying with existing privacy regulation and provide customers with the opportunity to opt out of data collection schemes, but adds that they should: "Prepare for data breach notifications. Be ready for the moment when customers come to you and demand answers as to what data you hold about them."
The way the data is being stored is not especially helpful when it comes to making sure the policy is being stuck to, the analysts note, as it can be backed up in different locations or sold on. "These complex structures of data storage turn comprehensive data deletion into a difficult — and some say impossible — exercise," the report noted.
Add in the EU Data Protection Directive, Data Retention Directive, Safe Harbour, and variations in privacy policy across Europe and new concepts like the right to be forgotten and the result is a heady brew for CIOs.
Tech Pro Research
Separate research by security company Trend Micro found that one in three UK businesses are seeing customers demand more transparency with regard to how much of their personal data is being kept and where. Despite this, a third of companies do not have a formal process in place to notify customers in the event of a data breach and only 26 per cent have a formal process and always notify their customers.
In the UK, 13 per cent of businesses reported that their customers never demanded transparency about how their personal data is kept. "That is set to change," said Rik Ferguson, vice president of security research at Trend Micro. "We're going to see a lot more customers invoking the right to be forgotten. Customers will be asking, 'Do organisations even know where my data is? Do they know how to delete it?' "
Vinod Bange, a partner at law firm Taylor Wessing, said the impending EU General Data Protection Regulation stipulates that customers must be notified of a data breach without undue delay and the applicable regulator to be notified within a timescale that may be as short as 24 hours. "The majority of UK organisations don’t have this capability and this is a perfect example of how organisations will need to upscale their readiness against tough new standards," Bange said.
And it's only likely to get worse. The Forrester research pointed out that data being collected, for example by retail and hotel loyalty cards, is not granular enough for businesses, leading them to search out the richer information found in social media and device-based geo-location data.