Enterprises have always taken data protection seriously. But just what this means is changing rapidly for the modern business.
In the old days business data was business plans, communications with customers and between senior executives. Price lists and margins and company accounts all had to be carefully protected.
There was regulation for much of this: access to company accounts, particularly for publicly traded companies, had to be very strictly controlled, and failures meant big fines from regulators.
But the modern enterprise creates vastly more varied types of data.
There are thousands of new types of data created, from emails and internet browsing logs to information from sensors and the ‘Internet of Things’. The average company website probably creates as much data as an entire company did forty or fifty years ago.
Staff mobile devices are collecting, and distributing, data via dozens of applications which might be monitoring Wi-Fi use, mobile browsing, use of contacts and even how a device’s battery is performing.
Any form of web browsing means another chapter of data collection. Advertising networks, search engines, messaging providers and social networks like LinkedIn and Twitter are all harvesting information from your staff.
So the modern Chief Information Officer cannot just ‘protect the data’.
They must decide what they can, and should, look after and what they’re happy to let go. For information which is ‘let go’ they must try to understand where it is going and whether it could be of use to a competitor or a malicious outsider. If staff are regularly using a social network or messaging platform, the CIO needs to know how that company is storing and processing the data.
It is not just the type of data which is changing.
The ways that this data is regulated are changing too. Although there are still local and national laws, increasingly businesses have to follow global rules. This matches the increasingly global nature of data storage: cloud services, off-site backup and data held by third-party applications all require global rules.
Businesses based in Europe need to be able to exchange data with US companies, either directly as customers or suppliers of US firms or more indirectly through their use of web services.
Even use of credit card services, to say nothing of search or social networks, requires transferring data to the US.
This used to be covered by Safe Harbour – essentially a legal fig leaf which allowed US firms to be considered as European legal entities. This agreement fell apart after the Snowden revelations.
A new agreement, called Privacy Shield, is still being finalised between the European Union and the US. It will mean US firms must ensure they’re following the same rules as companies within the EU so that data can be transferred freely.
US regulators will monitor firms to make sure they are following the relevant rules.
Although the details are still being hammered out, the agreement should make life a little easier for businesses.
European companies will be able to use their ‘local’ data protection authority to pursue complaints in the US – which should make the process easier and cheaper.
So while the types of data look likely to keep on multiplying, at least the regulations should be getting a little simpler.