“As the amount of personal information increases multifold, individuals and their personal data will increasingly become a security target. And, yet in most scenarios the organization is still ultimately accountable for the personal data on its IT systems,” said Carsten Casper, research vice president at Gartner.
Traditionally, according to Gartner, corporations have been the target of security threats, and attacks were generally aimed at vulnerable IT infrastructure. However, as internal protection against these vulnerabilities improves, attention will shift to “softer targets,” such as employees, customers, patients, freelancers, and everyday people.
“The time has come to create an exit strategy for the management of personal data,” adds Casper. “Strategic planning leaders will want to move away from storing and processing personal data in the next five years.”
“The PCI Data Security Standard (DSS) requires the implementation of stringent controls by those who collect and store credit card data. In response, many companies have decided to eliminate credit card data from their own systems and completely entrust it to an external service provider,” said Casper.
Casper concludes, “The same could happen with personal data. If control requirements are too strong and implementation is too costly, it would make sense to hand over personal data to a specialized ‘personal-data processor.’”
Gartner advises that while these privacy programs that hold personal data should be kept at arm’s length, they should also still be under the control of the enterprise.
However, organizations should not jump the gun on this type of strategy either. Instead, Gartner outlines a few methods for firms to follow in preparation for moving personal data from in-house systems to an external provider.
First, companies should create a policy that clearly draws a line between personal and non-personal data. For instance, the policy should distinguish contact information from health and financial information, and should also cover Internet Protocol addresses, geolocation data and other traces an individual leaves in the online world.
Second, Gartner advises organizations to put a fence around personal data. In other words, once they have located personal data, it needs to be protected through means of encryption.
Furthermore, as personal data is compiled, corporations must make sure, wherever possible, that it is not combined with other data. Any technology that processes personal data in the same way it processes non-personal data creates a risk for both the company and the individual.
Lastly, enterprises should be aware of the many laws and jurisdictions that exist across physical and geographical boundaries. For example, Gartner says “personal data might be stored in a data center of a US cloud provider, which is operated by a third-party service provider from India. However, data is encrypted, the Indian IT employees manage only routers and servers, and only European employees of the client can actually see the data. These employees are located in Europe, and bound by European employment contract and European privacy laws.”
As a result, companies should keep in mind that logical location rules over physical and legal location. Therefore, in the example provided above, logically speaking, the data is in Europe, although legally and physically it may be somewhere else.