Data – Protection, Risk and Impact


Why is data suddenly so important?

The truth is that it’s always been important. At the start of modern-day data processing around 50 years ago, the adage was GIGO (Garbage In Garbage Out), and it’s still true.

However, the amount and range of data that we now collect as part of operating a business have grown exponentially over the past 50 years.

• Organisations are now more complex and global in nature.

• Data is gathered from disparate sources and requires significant manipulation to derive meaningful information.

• Data regulations have become stricter and place accountability on data controllers and processors to ensure the data's validity and security. The costs of not complying can be high.

Data has moved from being a fundamental component needed to drive a process (e.g. billing) to being a valuable asset in its own right, one that helps drive strategic business decisions by providing insight into client preferences and behaviour.

For client-related data, organisations now have a legal obligation to prove that the data is being held and processed for legitimate interests.

Privacy & Protection

In 2018, the EU brought in a significantly increased range of fines for breaches of the new General Data Protection Regulation (GDPR) laws. The penalties range up to €20m or 4% of annual worldwide turnover, whichever is higher – dwarfing the previous maximum of £500,000.

The new legislation defined responsibility and accountability across various roles, including:

• A processor is a separate person or organisation (not an employee) that processes data on behalf of the controller and according to the controller's instructions. Processors have some direct legal obligations, but these are more limited than the controller's duties.

• A controller is the person that decides how and why to collect and use the data. This will usually be an organisation, but it can be an individual (e.g. a sole trader). If you are an employee acting on behalf of your employer, the employer is the controller. The controller must make sure that the processing of that data complies with data protection law.

• A data subject is the technical term for an individual whose personal data is being collected, held or processed.

For more detailed information, please refer to the UK's Information Commissioner's Office (ICO) website.

Recent examples of ICO action include:

Some countries do not have a Data Regulator or Data Privacy laws.

Indeed, the US currently has no single data privacy law; it relies instead on each state implementing its own. A recent example of this is the California Consumer Privacy Act (CCPA), which came into force on 1st June 2020.

However, the CCPA differs from GDPR in some key areas:

• It does not restrict the transfer of personal information outside the US.

• It does not require businesses to appoint a data protection officer or to conduct impact assessments.

• California residents' right to access their personal information is limited to data collected in the past 12 months.

• It places fewer obligations on service providers.

• It allows businesses to collect data from consumers without first acquiring consent.

Thus the EU GDPR is generally seen as the leading example of data privacy regulation globally, providing the highest level of protection to the data subject, above and beyond most local controls.

Global Data Transfer

In today's world, it is increasingly important to be able to move data freely to wherever it is needed. However, the transfer of personal data to recipients outside the originating country is generally prohibited. Within the EEA, for example, data transfer between member states is allowed, but transmission outside the EEA is not permitted unless:

• the target jurisdiction is deemed to provide an adequate level of data protection;

• the data exporter puts in place appropriate safeguards; or

• an exemption applies.

Global enterprises need to be aware of this and implement the policies, processes and technology that guard against non-compliance and data breaches, especially where they make use of globally located infrastructure or cloud services.

Historically, where data privacy laws apply, these organisations have resorted to several risk-reducing strategies. These include:

• Inter-group data-sharing agreements.

• Terms of business under which the client agrees to data being shared with inter-group entities.

• Published data privacy policies, where many organisations use the EU GDPR as a benchmark in the absence of any in-country data regulations.

• Technical measures to ensure data is encrypted at rest and can only be interrogated by the intended recipient.

It's worth noting that in the absence of a Chief Data Office (CDO), many of these policies and processes are created in response to one-off projects. It would be inappropriate for subsequent projects to assume that these existing policies and procedures also apply to their use cases. A CDO would also be responsible for ensuring that data privacy compliance is built into all business processes.

Risk

Cyber Security Breaches Survey 2020

According to the UK Government's Cyber Security Breaches Survey 2020 (updated March 2020), almost half of businesses (46%) and a quarter of charities (26%) report having experienced cybersecurity breaches or attacks in the last 12 months. As in previous years, the proportion is higher among medium businesses (68%), large businesses (75%) and high-income charities (57%).

Among the 46% of businesses that identified breaches or attacks, more are experiencing them at least once a week in 2020 (32%, vs 22% in 2017).

For the full report, see the UK Government Cyber Security Breaches Survey 2020.

According to a UK Government 2015 survey, 90% of large organisations and 74% of SMEs reported a security breach, leading to an estimated total of £1.4bn in regulatory fines.

One finance body claims that UK businesses could face up to £122bn in penalties for data breaches in connection with new laws that came into effect in May 2018.

Impact

The impact of a data breach on the organisation can be costly both financially and reputationally.

The following are three high-profile examples of poor data management and the impact on each of the organisations.

In December 2012, it was widely reported that HSBC had been fined $1.9bn for money laundering offences by the US Department of Justice (DOJ). The DOJ also agreed with the bank to defer potential prosecution (a deferred prosecution agreement, or DPA), allowing the bank five years to resolve its compliance issues.

US prosecutors accused HSBC of lax money-laundering controls allowing at least two cartels, based in Mexico and Colombia, to launder $881 million in drug proceeds through the bank between 2005 and 2010.

The root causes of the compliance breach were:

1. The bank could not accurately risk-rate its customers due to missing, incomplete and inaccurate data.

2. Client onboarding processes varied dramatically from one region to the next and in some cases were incredibly relaxed.

In 2012, HSBC embarked on a comprehensive global programme to change the culture in the bank and to strengthen its compliance controls and systems, investing $1bn in compliance technology and creating a financial crime risk unit that has more than 7,000 staff globally. The work was overseen by a DOJ-appointed monitor as well as the UK Financial Conduct Authority (FCA).

The bank’s Global Standards programme significantly improved client onboarding procedures, including risk rating using accurate, high-quality data.

The bank was released from the DPA in 2017, having met its commitment to the US DOJ.

Following the introduction of a new computer system in the early 2000s, the Post Office began using its data to accuse sub-postmasters of falsifying accounts and stealing money. Many were fired and financially ruined; others were prosecuted and even put behind bars.

It was eventually determined that the computer system was at fault and that the accused had done nothing wrong.

More than 550 former Post Office workers shared an out-of-court settlement of £58 million in a dispute that had taken almost 20 years to resolve.

Better data controls and reconciliations could have avoided this.

In August 2019, the Times reported that highly sensitive data had been left in a former bank employee's home for more than a decade. In a significant and possibly severe data breach, this personal information included the banking details of more than 1,600 NatWest customers.

According to the Times, the information included account numbers and sort codes, credit card details and account histories, including direct debits, as well as names, addresses, relationship status, occupation and phone numbers.

Critically, it appears that NatWest knew about the data breach and, in what looks like a decision to protect its reputation rather than its customers, Royal Bank of Scotland, which owns NatWest, chose not to disclose it.

Conclusions

• Data has moved on from being merely a fundamental component supporting operational processes.

• As a data processor or data controller, you have legal obligations to:

– protect personal data;

– ensure data is complete, of good quality and relevant;

– prove that you have a legitimate interest in holding personal data.

• Effective controls need to be in place to minimise the impact of poor-quality data.

• A Master Data Management model should be in place to ensure that data is managed effectively.

• A Chief Data Office function is highly recommended to monitor data use and management across the organisation, ensuring that the priorities and preferences of individual departments are not putting the organisation at risk.

Compliance cannot be left to chance.

This article was written and edited by Brian Jones, Chris Wotton and Paul Caden at Databilities.

For more information, please contact Databilities:

Email: info@databilities.co.uk

Web: https://databilities.co.uk

For more articles in the Databilities 'It's all in the data…' series, follow us on LinkedIn.