Over the last several years, companies have begun using big data, analytics, the cloud, and the Internet of Things (IoT) to turn collected personal data into personalized services, innovative insights, optimized operations, and new business models. While the business benefits of collecting data on every customer interaction are manifest, a dark side to keeping all this personal information also exists, including the potential for devastating data breaches and legal and regulatory fines.
IBM estimates that we are now creating 2.5 quintillion bytes of data every day.1 Additionally, 91 percent of American adults say that consumers have lost control over how personal information is collected and used.2 Highly publicized corporate data breaches have made data privacy and security essential topics in boardrooms, and the Edward Snowden leaks demonstrate that even top-secret government documents are vulnerable.
Unfortunately, even without a compelling business driver, decreasing storage costs are leading many companies to “park” data permanently, just in case it is ever needed. This data dump approach, however, can lead to violations of privacy regulations and other legal or regulatory actions. To avoid these problems, companies must define and implement a comprehensive information governance (IG) program that safeguards all strategic information.
The Challenge of Information Privacy
For too long, companies have focused on improving the walls around their organizations while neglecting to adequately protect the data inside. The first and most important step in protecting data is understanding and identifying what should be considered “sensitive.” The next step is developing privacy policies that satisfy applicable privacy laws and regulations, recognizing that these vary across different jurisdictions.
Typical information that needs to be protected includes:
• Personally identifiable information (PII): Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Anything that identifies an individual, such as name, Social Security number, National ID, address, phone number, email, device ID, gender, age/date of birth, marital status, languages spoken, and other demographics (income, education) can be considered PII. The EU has even broader definitions of PII.3
• Sensitive personal information (SPI): Special categories of data such as race, ethnicity, and political and religious opinions. The definition of what constitutes sensitive data varies by country and even by state and territory.
• Protected health information (PHI): As regulated by the Health Insurance Portability and Accountability Act (HIPAA), PHI includes any information related to an individual’s health, condition, and treatment.4 Reports vary, but the consensus is that stolen medical records (MRs) are actually worth 10 times the value of credit card numbers5 because MRs contain a wealth of information needed to commit fraudulent activities such as filing false tax returns, obtaining credit, getting prescription drugs, and engaging in Medicare/Medicaid and medical identity fraud.
Become a member of CGOC to get unlimited access to our resources to get the insight, interaction, and information you need to make good business decisions. Already a member? Sign in
Not a member? Join the community
Already a member? Sign in
Become a CGOC Member and have access to resources, white papers, surveys, proceedings, and practice tools such as the Information Economic Process Assessment Kit. CGOC Members receive first priority to regional CGOC executive meetings around the world.
Asterisks (*) indicate fields required for registration