By: Kiran Pradhan, Head-Business Intelligence & Analytics, Oracle India
The digital economy is driven by data at the core. Thanks to the burgeoning digital footprint, businesses possess a treasure trove of data. Business guesstimates have started getting better and more accurate as companies leverage modern technologies such as AI/ML and NLP, resulting in more personalized consumer offerings. But there’s a catch – the risk of data being compromised. Are businesses able to navigate this challenge, and ensure consumer privacy?
The adage ‘knowledge is power’ has become more pertinent than ever for businesses today. As businesses seek to get closer to their customers and improve their own business processes through the smarter analysis of data, their ‘knowledge’ is now a key differentiator.
While data is wealth of a different kind, only those businesses that have the ability to extract maximum value – both from data they collect as well as create – will be the ones best poised to succeed. The increase in the value of data has necessitated increased scrutiny of the data lifecycle – the way in which it is collected, warehoused and used, as well as access rights (who can access the data, from where, and when).
Progressive businesses are looking at sustainable measures beyond just preventing data breaches. They are getting better at truly understanding the value of data, and are viewing it as their ticket to a successful future. More and more organizations understand the need to ensure their processes, training and culture focus on recognizing and respecting the value of their data. In terms of clear ownership within the organization, the role of a data protection officer (DPO), working with a chief information security officer (CISO), will be a step in the right direction.
Governments get on board, outlining and enforcing new standards
The introduction of the EU’s General Data Protection Regulation (GDPR) is one of the latest high-profile examples of regulation specifying how organizations should manage and use data, specifically consumer data. Though this is an EU regulation, the impact is far-reaching for global businesses. That said, one could argue that companies needn’t wait for new regulations to assess whether they are doing enough to protect their data.
Closer to home, the report by the Justice Srikrishna panel has recommended that new legislation be enacted to protect an individual’s right over data. The recommendation further outlines that neither the right to privacy nor the right to information is absolute, and that the two will need to be balanced depending on the circumstances.
Given this, what approach should businesses take? Any data protection law or guideline would factor in three key tenets: assessment, carried out with clarity and focus; prevention; and detection. For that matter, these three tenets are useful, albeit high-level, starting points for any company keen to safeguard its data and treat it with respect and responsibility.
The importance of proper assessment
Not many organizations have grown in a truly holistic manner; different lines of business often work in silos, with their own applications and processes. Also bear in mind that some employees may, inadvertently or otherwise, circumvent rules and policies over time in ways that they think make more sense, but which could undermine data protection and compliance. It is therefore important for organizations to have an accurate picture of the problems they face before fixing them.
The need for effective access controls
At the outset, as organizations figure out where their data resides and how it is used, they should be able to set and enforce rules and implement robust defense mechanisms to prevent unauthorized actions. This approach should span protection from internal as well as external threats, whether accidental or malicious. Next up, the focus should move to measures that prevent anybody outside the organization, or anybody without the necessary access, from using sensitive data.
Encryption is highly effective, as is an approach that spans tokenization, data masking, anonymization and robust access controls. Businesses also need to review the data they use to understand which controls are best suited to a given circumstance. For example, anonymizing customer data may have little impact on the analysis of sales trends, but it dramatically reduces the sensitivity of that data.
Detection in time is crucial
One vital aspect of compliance and security best practices is vigilance. To identify anomalous behavior and implement defensive measures, depending on established threat criteria, automation becomes all the more important. Systems need to become more intelligent, so they are able to make smart assessments of who is accessing information, as well as when and why, and structure responses on pre-agreed threat criteria; for example, locking out a user before s/he is able to access, move or use sensitive data. Not only this, systems will be called upon to deliver these assessments often in “real-time”.
While data privacy laws help companies with a clear approach to safeguarding data, businesses should not be motivated by regulatory encouragement alone. Compliance is a necessity, but not a differentiator. To succeed in the data-driven economy, where knowledge is most definitely power, businesses need to recognize and treat their data as precious at all times and in all situations, essentially to sustain the “knowledge advantage”.
In short, businesses should love their data so much that they consider it but natural to protect it at all costs. Only then will they be able to unlock valuable insights, create new business models and tailor services better to customers in an ongoing fashion – thus setting them apart.