Amid the swathes of technology solutions that promise to manage data lifecycles, it’s the people piece that organisations have to get right. That was the consensus of a panel of experts discussing data lifecycle management at the virtual Data Protection World Forum.
Privacy Compliance Hub co-founder Karima Noren was joined by Mark Penny, head of systems and infrastructure at the University of Leicester, and Kalin Cvetkov, global data protection officer at Crypto.com.
The trio engaged in a wide-ranging discussion that included safe sharing of data with international partners, how to appoint effective privacy champion committees, and how to optimise the overall data management lifecycle.
“It’s like an ocean to be honest. Data lifecycle is a huge topic,” Karima began. “It’s people that need to get this right. People are going to decide what data is going to be processed and they’re going to decide what tools they will adopt to process it. In practice, what we are finding is that the people aspect is still something that is not given sufficient focus.
“We need to have some serious collaboration inside organisations and with our vendors, and this is still not happening,” she added. “Many organisations and departments still work in silos. And the other challenge you have is this effort must be continuous. Privacy and lifecycle management isn’t a problem we can fix by having a super taskforce that jumps in and does something once. But in many organisations, this is still project, not programme, led.”
In Leicester, Mark Penny admitted that one of the university’s biggest challenges is anonymising research data before it can be used. “The solution we put together for this was to develop an ISO 27001 compliant infrastructure hosted in Microsoft Azure [Cloud], where the control data could be uploaded and the nominated people could do the work to anonymise it,” he said. “We rely on the researchers to understand the information that they are allowed to use publicly. The results of getting it wrong would be withdrawal of research funding so there’s a lot of incentive for them to get it right.”
Coming back to Karima’s earlier point, the buy-in of an organisation’s people is key, he added. “The technical side can only prevent so much. Invariably it’s the human part, a failing or a misstep, that causes disasters to happen. It doesn’t matter whether it’s a website that’s been hacked and customer details have got out, or something else. When you trace it back, most of the time it’s down to something not being patched, something was preventable in some way, or an assumption was made.”
Of course there are simple ways to make data lifecycle management easier for organisations to follow, Kalin Cvetkov said. At Crypto.com, they use automatic reminders set two months before contracts are due to expire, which are sent to a team tasked with keeping track. A short meeting is then held with the relevant parties to plan what needs to be done. “Don’t do it two days before. That creates tension and people will hate your privacy activity,” he said. In the case of a security breach, make sure you have a short five-step guide that lay users can follow quickly. “The first 15 minutes are very critical and they will not be able to read long policies,” he added.
Checklists can be helpful the whole way through the lifecycle, Karima said. Different departments can make sure each stage is properly signed off, down to complying with GDPR rules in relation to safe cross-border sharing and ensuring data has been purged at the end of its use. “As the business evolves in this very complex world, the checklist ends up having a list of actions, and you never miss one.” Kalin recommends pairing this with short interviews: “so everyone sees the Data Protection Officer of the company is not somebody on the shelf but a real person who cares about what they do.”
Privacy champions are becoming commonplace in large organisations, but one of the challenges is making them as effective as possible, Karima said. “When you build your committee, you can’t just put anybody on it. You want a mixture across departments because you need expertise across your organisation. But you also need doers. You need senior leaders that show up and give this bit of value and importance. And you need a few storytellers.
“Most of the time, it’s an appointment that people have alongside their day job. There isn’t a sense of urgency to really contribute to this committee. But what you need is a group that’s so good at working together, that understands the business so deeply, that when the difficult questions come, they have foresight. So think about who is on your committee, make sure it’s supported and give it a clear action plan so when the champions come together, they know what they’re doing. That’s the makings of a very effective team.”
Privacy has arguably taken something of a backseat over the past 18 months but urgently needs to be addressed, she added. “An awful lot of data has been collected about individuals as a result of the pandemic. And because it was a pandemic, I’m not sure that all the players have actually thought about the datasets being collected, where they’re being kept, and the responsibility of correctly managing that data. A lot of these companies have great technology, but not a lot of insights into privacy. People like data. They like to have lots of it. But you can see how it all gets complicated.”
Watch a recording of the event on demand by registering on the PrivSec Data Protection & Infrastructure website here.