The GDPR and other data privacy laws are a clear indication that organisations must start taking great care when collecting and using personal information. You could of course argue that this should always have been the case and that the ethics of handling such data should be obvious. Unfortunately, as history has shown, this just isn't the case: the recent past has seen many occasions where personal data has been either lost or misused. When this happens, it's often mainstream news, and because of this there is a growing number of people who frankly no longer trust businesses to keep their data safe. I was recently at the IAPP Data Privacy event in London and was taken by one of the keynote speakers (Gry Hasselbalch), who talked about the ethics of data privacy. She compared the rise of pollution in the 60s, which led to a real need to impose tighter regulations on car emissions, with the way the rise in misuse of data has driven privacy regulation. Throughout the last 20 years, organisations have also become much more eco-aware and some make a virtue of how green they are. Surely the same will start to happen with data privacy: organisations will want to gain their customers' trust that they really do take privacy seriously, and investors might well demand it too. I liked Gry's final comment on this topic: the law tells us what we're allowed to do with personal information... ethics tells us what we should do.
I've also heard a lot at recent privacy and GDPR events about how hard it will be for some organisations to be ready for May 25th 2018, when the regulation becomes enforceable. I also heard the UK Information Commissioner say that there will be no grace period to allow organisations to get ready; it's been clear since last April that GDPR is coming, so there's no excuse. Some larger organisations have been more open and said that there's no way they'll be fully ready for GDPR, but they are working on a solid plan that they can stand behind. Being able to show the regulator that you have a plan will be key if you're unfortunate enough to have to deal with them due to a breach or a complaint. Any plan will of course include staff training, which is vital to instil a robust data privacy culture within an organisation. I heard one retailer say that they want to bring data privacy up to the same level as their already excellent levels of customer service. This will take time and of course a lot of training, but it's perhaps a true reflection of where data privacy needs to get to: best practice behaviour needs to be embedded in how everyone thinks, because at the end of the day it's people who are the weakest link. The consensus has been that no one expects to be fully compliant by 2018, but doing nothing is not an option; you need to make a start and be able to show you have a plan.
I've also lost track of the number of times the question of backups has been raised at different events. The penny quickly drops with IT-savvy people that they're sitting on years and years of backup tapes, on top of the dark data they already have sitting on spinning disks. When the right to erasure or the need to minimise data gets discussed, they ask, "What should I do with all my tapes?" Well, to some extent the answer is still not clear, but if push came to shove, I'm sure the regulator would ask why you have so many years' worth of backup tapes. Do you really need to keep backups for so long? Surely the point of a backup is to... er... recover your data. If that is the case, then wouldn't you just need the most recent backups? Anything else is just another way of hoarding data; if you really need to keep the data, shouldn't it be in a better place, such as Veritas Enterprise Vault, which will allow you to set a specific retention duration? But I'll park this topic for a future post, as there's a lot to talk about when it comes to using backups as your records management platform.
But a final point on why good data privacy ethics matter. The UK Information Commissioner has been rather busy recently: quite a lot of fines have been handed out. Some have been for misusing consent by sending marketing emails to customers who hadn't requested such contact. But perhaps the most striking example is the fact that 11 charities were fined for misusing their donors' personal data, with some of them even profiling donors and selling on the data. The fines will hurt, but so will the damage done to their position of trust with their donors. This obviously shows that even respected organisations can flout the current data protection laws (GDPR will be even tougher), but it also shows that the regulator won't shrink back from fining charities, so think what they might do to larger commercial organisations with the full force of GDPR behind them.
With May 25th 2018 just over a year away, there are an increasing number of reports and surveys suggesting that many organisations aren't that well prepared, or even making plans to get ready. Hopefully this will start to change as organisations take stock and understand the risks they face in responding to GDPR. Veritas launched our GDPR strategy in March to explain how we can help our customers manage their unstructured data and reduce the risk of over-retaining personal information. You can also watch a short animated video which summarises the problems of keeping too much data.