In the networked economy, the rapidly growing numbers of connected devices such as computers, cell phones, sensors, wearable devices, implanted medical devices, cars, televisions, and appliances hold great promise for enabling connection, sharing, collaboration, and personalized services. However, the vast amount of personal and business data and content being collected, stored, analyzed and shared also holds great peril for misuse.
What can companies do to keep security and privacy from completely spinning out of control?
1.Create a code of ethical data practices.
While this code will undoubtedly vary across companies it should in general provide as much transparency as possible and align with corporate values. Here are some suggestions on what to include. Letting people know what data is being collected in real time, which helps avoid issues of hidden files and unauthorized tracking. Provide clarity on how the information will be stored and secured, who will have access (including 3rd parties), and how it will be used. Radical clarity can go a long way toward building trust. Make it simple for people to set the level of privacy they want for themselves. If they have to change 40 or 50 unique settings it’s going to create frustration. Be explicit in the value customers’ receive in exchange for the information they provide, which helps increase the likelihood that they will consent to information exchange.
2.Take a holistic approach to governance and policy management.
It’s not uncommon for organizations to have separate practices for data management, content management, and security/privacy. This results in fragmentation of policies, procedures, and organizational accountability. There may be multiple policies around customer information created and managed by different groups such as:
- What may be collected, how it can be used and who it can be shared with
- How to standardize, validate, and enrich the data
- What systems and business processes use the data, who can access those systems and under what circumstances
- How long the information can be kept, when it needs to archived, and when it needs to be completely deleted
The networked economy demands collaboration between the security, data governance, and the content/records management teams. Only then can overlapping capabilities, processes, and policies be rationalized so there is comprehensive visibility, control, and compliance.
3. Don’t blindly dump everything into a data lake.
Again, while there is great potential in using Hadoop to store all your information, it’s not a Big Data panacea. If, as Andrew White from Gartner says, “By definition, the data in the lake is ungoverned,” then companies are opening themselves up to great risk. If you’re unsure of what’s in the data lake, where it came from and customers’ choices about how their personal information may be processed, used and shared, it’s impossible to implement privacy-related protective measures. The Online Trust Alliance found 29% of data breaches involving the loss of personally identifiable information in 2014 were caused by employees accidentally or maliciously – do you really want to dump everything into Hadoop without ensuring proper governance?
4. Utilize information governance technologies.
SAP PowerDesigner provides enterprise modeling capabilities that can help you understand how information flows throughout systems, and how the information is accessed and processed by multiple applications for various business purposes. While most companies already have identity and access control tools such as SAP Access Control to help protect personal information from unauthorized access while facilitating its availability to legitimate users, it’s prudent to perform risk/gap analysis on the Big Data/IoT data flows.
SAP Data Services and SAP’s project SEEED provide data masking and encryption capabilities that help protect data in transit, reduce the risk of data breaches in non-production environments, and minimize the impact of confidential data loss. Archiving, retention and deletion capabilities such as those provided by SAP Information Lifecycle Management help better manage structured and unstructured information from creation to destruction based on multiple retention regulations and policies. And finally, SAP Enterprise Threat Detection helps you identify breaches as they’re happening and analyze them quickly enough to neutralize them before serious damage occurs.
Obviously, these are high-level recommendations and you could go into great depth on each, but I think they do provide a good starting point for further thought and discussion. What do you think?
Will Big Data and the internet of things be a catalyst for an Orwellian dystopia? Or can we realize the potential value and still maintain respect of peoples’ privacy and civil liberties?
If you are going to the Data Governance and Information Quality Conference in San Diego, CA or the MIT Chief Data Officer Information Quality Symposium in Cambridge, MA come hear SAP experts speak about Big Data Morality: Balancing Business Value and Business Values. These sessions will provide a framework for thinking though how to navigate the value that big data promises, within the values by which we operate our businesses. If you can’t make one of these sessions you can still see the presentation on SlideShare.