Ethical data management: the future differentiator for successful brands
What’s next for data protection policies? Will we see a “race to the bottom” in data ethics… or is there an opportunity now for businesses to move beyond compliance and use proactive ethical data management as a brand differentiator?
You don’t have to look far nowadays to find examples of companies playing fast and loose with private data or being underhand about their data policies and data security lapses.
Last month, Facebook received a $5bn fine from the US Federal Trade Commission for what the FTC described as “deceptive privacy practices”. And Uber recently attempted to cover up the fact that it had paid a hacker to delete the personal data of 50 million riders and 7 million drivers, stolen during a data breach.
(Not a good idea, by the way: this is why paying off hackers can actually put you at greater risk.)
But are we really flying headlong into a dystopian future when it comes to data privacy ethics? Or could this actually signal a new opportunity for ethical businesses?
In this blog post, we explore some current data protection themes and data security standards and processes, and look at how ethical companies can set themselves apart through ethical data management positioning.
What next for GDPR?
Everyone will recall those inboxes full of unanswered opt-in emails when the General Data Protection Regulation came into force on 25 May 2018. Countless companies then rushed to comply and (unnecessarily in many cases, unfortunately) trashed their databases.
But many others bided their time, thinking that an easy way through the new legislation would appear. And since there has been relative quiet from European Data Protection Authorities (DPAs) following the rollout of the new legislation, some have wrongly assumed the torchlight has passed over them and moved on.
But Ad Exchanger is predicting a rise in enforcement actions this year, as the changeover beds in and lengthy investigations begin to come to fruition. With fines of up to €20m or 4% of annual global turnover (whichever is higher) at stake for the most serious breaches, there’s certainly a financial incentive to review data management.
GDPR compliance has been cumbersome to some, but there are admirable principles underlying GDPR, which include:
- Establishing data privacy as a fundamental right for everyone.
- Defining data protection standards across the EU.
- Clarifying who is responsible for data protection (any organisation that collects or processes the personal data of individuals in the EU needs to comply, wherever it is based).
- Setting a mandate for the data protection principles. Article 5 sets out the principles themselves (lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability), and Article 32 turns the security principle into a concrete requirement: technical and organisational measures appropriate to the risk, which go beyond encryption to include pseudonymisation, controlling access to sensitive data, the ability to restore availability after an incident, and regular testing of those measures.
Companies that put GDPR principles at the heart of operations have the opportunity to overcome public mistrust and suspicion and profile their data management practices to position themselves in the newly emerging marketplace for ethical businesses and suppliers.
Data breaches and ISO 27001
We would always advise making sure that both your company and your data management partner are certified to the ISO 27001 standard.
The ISO/IEC 27000 standards group relates to the security of information assets. ISO/IEC 27001 specifically relates to the requirements for an information security management system. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
Adhering to these standards helps to maintain the security of intellectual property, financial information, your employee details or information supplied by third parties. When it comes to protecting personal data from security breaches, ISO 27001 is a good place to start. But the benefits of certification go beyond mere compliance.
ISO 27001 also provides a solid foundation on which to build the operational and technical infrastructure required to keep the risk of security breaches to a minimum. The independent assessment required for ISO 27001 brings formality and ensures rigorous implementation. It demonstrates that the whole company takes data security seriously.
G Cloud and reciprocal standards
The Government Cloud or “G-Cloud” is a Marmite discussion topic. But its aim to make it easier for the public sector to procure cloud computing services – particularly from SMEs – is an admirable one. If engaged with correctly, G-Cloud is another way you can illustrate your commitment to high standards of ethical data management and data security.
It is a shame that the initiative has been dogged by issues. But we at virtualDCS are all in favour of standardised frameworks that ensure everyone is working to the same degree of scrutiny.
Pinsent Masons has a useful blog post on the evolution of the G-Cloud security accreditation process here.
Internal hacks and Office 365
If you are relying on the native retention features of Office 365 (recycle bins, version history and retention policies) in place of a backup, then make sure you understand your responsibilities under the shared responsibility model and the retention period for each function, because each has its own window after which data is unrecoverable.
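As an added example (not code from the virtualDCS post), here is how an Office 365 administrator would check one of those retention windows: the deleted-item retention period on Exchange Online mailboxes, which defaults to 14 days and cannot exceed 30. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the account used holds an Exchange administrator role in the tenant.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and the caller holds an Exchange admin role.
Connect-ExchangeOnline

# Exchange Online default is 14 days; 30 days is the hard maximum.
$Maximum = [TimeSpan]::FromDays(30)

# Collect the current deleted-item retention window for every mailbox.
$Mailboxes = Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, UserPrincipalName, RetainDeletedItemsFor

# Mailboxes whose recoverable-items window is shorter than the maximum.
$Short = $Mailboxes | Where-Object {
    [TimeSpan]$_.RetainDeletedItemsFor -lt $Maximum
}
$Short | Format-Table -AutoSize

# Raise them to 30 days. This only lengthens the window in which a user or
# admin can recover deleted items; it is not a backup and gives no protection
# once the window expires or if the mailbox itself is purged.
foreach ($mbx in $Short) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor 30
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the report section first and review the list before applying the change; the same exercise should be repeated for the other services you rely on (SharePoint and OneDrive recycle bins, Teams retention policies), since each has a different window and none of them substitutes for an independent backup.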
As we discussed in a recent blog post:
“70% of data lost from Software as a Service applications is due to accidental deletion, or through the malicious deletion of files by end users.
“It is your responsibility to proactively back up your data and users from any kind of human error (whether that’s accidental or malicious), hackers, viruses and misconfigured workflows.
“The recycle bins and version histories in Microsoft Office 365 only provide limited protection from data loss. This can turn a simple recovery into a big problem after Office 365 has geo-redundantly deleted the data forever.”
We cover this in more detail in our ‘Office 365 backup gaps you didn’t know about’ post.
The new ethics of data management
Hopefully, we have shown you a number of ways you can proactively position your company as an ethical data leader. As brand trust becomes increasingly important in the modern marketplace, ethics will add equity to your brand.
Business intelligence and Big Data expert, Barry Devlin, summarises some of the arguments well in his recent TDWI article on the New Ethics of Data Management:
As data management professionals, these questions must become part of the justification and deliberations for all sorts of big data analytics, Internet of Things, and artificial intelligence projects. Over the past year, we have seen some recognition that security, privacy, and transparency are coming to the fore as fundamental considerations for such projects. This is good news and, indeed, a necessary change.
Ethical data management at virtualDCS
In this blog post, we’ve compiled both our knowledge and our “hymn sheet”. We work to the highest standards because we believe in them and we know that it’s what our clients want and expect from us.
virtualDCS has held an independent ISO 27001 certification since 2016. We are proud to host customer data on our robust and secure UK infrastructure. Unlike many others, our entire company has been certified, and for every single one of the standards that apply to our type of business. We chose the British Standards Institution (BSI) to audit us as we know they will make us accountable and hold us to the highest possible standards.
If you’d like to discuss partnering with us, we’d love to speak to you.
Contact us today by calling 0345 3888 327, emailing enquiries@virtualDCS.co.uk or by filling in an online contact form.