Management of Data for Business

In the 1990s, people across the globe used the internet increasingly and the internet itself expanded exponentially. It inevitably meant, today, that enormous amount of data is transmitted and even stored in computers worldwide as a way of facilitating safe transactions, efficient user identification, discussion between different users, and the exchange of ideas and other user experiences. This data is usually of varying sensitivity and nature, ranging from articles and posts that present thoughts, beliefs, and expression of opinion, to more personal data like credit card details and phone numbers. In any case, it has become common practice for people in the information age to send information to be stored on servers which makes it easy to identify an individual in a wide range of transactions.

On the other hand, however, this practice can have adverse effects as this information can affect people’s lives if it were to be misused by the data holder. Also, it is a reality that more services by organisations in both the public and private sector has become computerised and need users to provide more personal data like an individual’s physical and mental health, economic data and home address. Moreover, with the exception of give-take data scenarios, personal data that is shared across networks or even within the network of the data subject, has always has been vulnerable to misuse by third parties. Such computer issues, which can have an impact on the lives of real people, necessitated the creation of regulations and laws to help in protecting the rights of users and also places obligations on data controllers.

This report is a discussion of the ethics of data management as well as the legislation and policies that can affect how businesses manage the information in their possession. This essay purports to discover how the current and future legislation on data management affects the operations of modern business organisations. The report has been divided into four parts; the first a discussion of the ethical issues, focusing on privacy and anonymity on the internet, the second an overview of UK data protection law, and the third is a discussion of the General Data Protection Regulation (GDPR) and how it enhances existing laws. The report concludes with recommendations for organisations.

The ethics of data management

Two of the most common theoretical approaches in ethics are consequentialism and deontology. In consequentialism, it is assumed that an action is wrong to the extent which it has bad consequences while in deontology the assumption is that humans have moral duties regardless of the whether their actions have good or bad consequences. Many laws and regulations that exist are informed by ethical principles although in ethics it is generally accepted that laws should not be used as a replacement for morality. Thus in addition to adhering to legal requirements, individuals and organisations are encouraged to also consider the morality of their actions. When talking about ethics in data management, one has to consider issues related to rights, harms, and interests that could be affected when information security is breached.

One of the main harms that can be caused by the loss of data is economic harm. Loss of valuable data by any organisation comes at high economic costs, for that organisation. Moreover, stored data also has cultural, personal, and social value and loss of such data could cause both emotional and psychological harm to the users. When the confidentiality of information is compromised, it poses risks to the security, as well as the rights of the users. Confidentiality is comprised if third parties can gain access, copy or disseminate this information to the public which violates the rights of the owners who should determine who can access and use it. Unauthorised access also violates the intellectual property rights of the owners of the data.

In addition to property rights, breach of confidentiality also violates privacy rights when the data is used or disseminated without consent. For instance breach of confidentiality of an internal memo from a financial institution could compromise the confidentiality of customer credit card transactions and also undermines the trust these clients had in that organisation. A compromise on the availability of information is a violation of freedom rights such as the right to access and use of public information. Tavani (2009, p, 84) argues that in the information age, access to information is now considered a moral human right as it facilitates social well being by contributing to the success of people in the society. For instance, European data protection laws provide that an individual should, on request, be granted access to any personal data an organization may have on them (Lynskey, 2015, p. 135).

Privacy and anonymity on the internet

One topic in computer ethics that has always attracted great public interests the anonymity and privacy of users. Many societies around the world recognise that everyone has a right to personal security. This issue first gained prominence as a public debate through judgement by two justices of the US Supreme Court, who gave the definition for privacy as “the right to be let alone” (Warren, Brandeis and Childress, 2015, p. 2). Privacy is not an easy to define notion, and since then, more definitions which are more inclusive have been presented. People have a right to privacy which can be described as the right by an individual to determine the amount of access other people have into their personal affairs. Schoeman (1984, p. 3) gave the following definition: “A person has privacy to the extent that others have limited access to information about him, limited access to intimacies of his life, or limited access to his thoughts or his body.” In addition to accessing private information, this definition by Schoeman includes other issues like the observation of an individual’s home and personal belongings, their body as well as any interference with their behaviours and relations.

Computers and computer networks have greatly enhanced the ease and efficiency of gathering, storing, searching, comparing, retrieving, and sharing personal information which is a major threat to privacy, especially for people who might want to keep sensitive information out of public domain. The commercialisation and rapid growth of the internet within the past decade combined with other factors like increased user-friendliness, as well as the affordability and easy access to computer technology and the World Wide Web have given rise to new privacy issues. Privacy and anonymity are now under threat from data mining, data matching, and the recording of click trails on the internet among others. An example of how data collected on a user can affect their privacy and anonymity can be seen in how tinder shares information to third parties for targeted advertising. The dating site has hundreds of pages on each user, information that can affect many aspects of their lives. According to one analyst, the information shared with an organisation can have far-reaching consequences as it used to determine “the job offers you have access to on LinkedIn, how much you will pay for insuring your car, which ad you will see in the tube and if you can subscribe to a loan.” (Duportail, 2017).

There are numerous reasons privacy is held to be very important. Many have acknowledged that it protects a person from all kinds of external threats which could be in the form of “defamation, ridicule, harassment, manipulation, blackmail, theft, subordination, and exclusion” (Lynskey, 2015, p. 116). It is believed to be an articulation of the main values of security which can ensure that the individual is protected from all kind of harm others could do to him/her (Bott, 2014, p. 114). Additionally, it could be argued that privacy is one of the main conditions when it comes to autonomy. Petković and Jonker (2007, p. 29), argues that “without privacy, people could not experiment in life and develop their own personality and own thoughts, because they would constantly be subjected to the judgement of others.”

Anonymity on the internet too is given an almost equal importance as it can provide similar benefits to privacy on the internet. For instance, if an individual is seeking medical or psychological counselling over the internet or using it to engage in discussion on sensitive issues like gay rights or political dissent, being anonymous can offer the individual the same protection as privacy. Moreover, both anonymity and privacy on the internet can are viewed as important factors in the preservation of human values like security, psychological well being, self-actualisation and peace of mind. At the same time, however, the benefits of privacy and anonymity can also be exploited by people with ill intentions like money laundering, facilitating acts of terror, and drug trade.

Overview of UK data protection law

In the UK, the use of information about people by businesses is guided by a variety of data protection laws. Among them, the principal law that regulates the acquisition and processing of data about individuals is the Data Protection Act of 1998 (DPA). Essentially, this Act lays down the rules and practices entities must follow in handling personal information, grants rights to the people whose information is being used or processed, and establishes an independent oversight authority to enforce these rules.

The DPA regulates personal data, which is described as any information related to people who are alive and can, therefore, be identified from such information or by linking this information with other data that might be in the possession of another entity (Carey and Treacy, 2015, p. 12). The Act covers all information that can be automatically processed such as computer-based records, public authority records such as health records, and any information recorded on paper but bears specific detail about the subject. It also applies to any conceivable operation of data, ranging from gathering, recording, possession, storage and use of this data. It requires that before an entity or data controller processes any information, they should notify the information commissioner of their activities. Data protection law is based on eight principles that must be followed by any entity that is involved in processing personal information, and these activities are subject to assurance that this data is;

“Fairly and lawfully processed

Processed for limited purposes

Adequate, relevant and not excessive

Accurate and up-to-date

Not kept for longer than is necessary

Processed in line with an individual’s rights

Secure

Not transferred to other countries without adequate protection.”

Anyone who feels that they have been denied any of the rights guaranteed under the eighth principles can seek help from the Information Commissioner Office (Carey and Treacy, 2015, p. 14).

Strategies for protecting sensitive data

Security planning and implementation should be an integral part of the operations of all modern business organisations. Threats to the organisation such as security, disaster and privacy can be addressed by protecting vital data and its critical elements AIC (availability, integrity, and confidentiality), as well as the hardware and processes through which the data is used, stored and transmitted. Also known as the CIA triad, the critical elements can be protected through a variety of security policies, standards and procedures.

Figure 1: the CIA triad

Source: (Rijal, 2016)

Solutions and plans to manage any threats to the CIA triad of organisational data begin with the identification of these security-related flaws, risks and threats. For guaranteed effectiveness and efficiency, security must be organised for and embedded into the systems of the firm during installation and periodic monitoring done. The security of the majority of data frameworks can be effectively addressed if it is incorporated into three principal segments which are communications, hardware as well as software.

Once systems have been installed, steps should be taken to reconfigure software by changing default password and usernames that came with the system. Another measure in data protection involves signing up for automatic updates from the manufactures of the computer operating system at the organisation. The anti-virus software being used should also have automatic updates as hackers often target the systems that do not have the latest safeguards (Moghaddasi, Sajjadi and Kamkarhaghighi, 2016, p. 6). Additional software should be installed to block spam and also detect spyware from potential intruders.

Another strategy in data protection is data encryption. Encrypting sensitive data ensures it would remain unreadable to hackers even if they managed to access it from the company servers (Sharma and Jagtap, 2017, p. 23). It is a fact that the rate of security breaches has increased over the past few years. Business organisations should, therefore, implement a policy of verifying rather than storing data. Some data such as credit card details of users are highly risky to posses for firms and should only be stored if there is a compelling reason. At the same time, organisations should take measure to minimise the availability of their data. While there are various tools that can help organisations prevent unwanted attacks, a considerable threat to many companies has always been their own employees because human behaviour is unpredictable. The risk to data is best minimised by training the staff about the data protection policies of the organization as well as the legal procedures and standards that have to be observed in the wider industry. The employees should have proper knowledge of the best practices when handling sensitive information about clients and the right steps in ensuring that classified information is does not leak to outsiders.

It is no longer enough to just focus on the common security standards and hope that the measures put in place will be sufficient to protect user’s personal information. It is critically important businesses regularly test their systems to identify the vulnerabilities that may not have been picked up by the existing security tools. The firm might even have to hire ethical hackers or cybersecurity experts to search for code vulnerabilities. Other relevant steps include conducting daily scanning to check if any malware may have been placed around the system and investing in more advanced security apps. Finally, every organisation should have a recovery plan that involves specific contingencies in the event of a cyber attack. The attack on Sony’s PlayStation Network is an example of a case when an organisation was caught flat-footed as its operations were paralysed, causing serious damage to its image and millions of dollars in losses (McGoogan, 2017). Firms should add cyber attack scenarios in their disaster plans and also include measures to ensure they can communicate with their clients and distribute relevant data in the instance usual infrastructure is compromised.

The General Data Protection Regulation (GDPR)

The GDPR is a new set of data protection laws that will come into effect in may 2018, effectively replacing the Data Protection Act of 1998. It is aimed at harmonising data protection practices for all countries in the European Union. This new set of laws applies to all UK companies that gather and process personal information and aims to safeguard the rights and privacy of data subjects based on the premise that they everyone should know any information that is held about them and also be aware of how it is used. It was designed to guide data protection within the European Union but also covers the transfer of data to other nations not in the EU (Voigt and Bussche, 2017, p. 126).

Compared to existing data protection laws, the GDPR raises the bar on accountability requirements with more strict sanctions and penalties for businesses that breach privacy laws. Furthermore, the sanctions apply to both data processors and data controllers which is expected to push data protection top of the priority list for businesses in the region (EUGDPR.org, 2017). It increases the level of transparency, with improvements on firm processing notices, which is a positive thing for those users who might be interested in their personal data. It also brings changes to the requirements with respect to consent and makes them even tighter.

A strategy for compliance

Business organization and other entities should utilise the transition period to align their procedure and processes with the new regulations. Businesses should acknowledge that data management is a long-term investment that demands explicit commitment by ensuring enough resources are allocated to facilitate compliance. It is also important to ensure that all staff are aware and understand the changes in the rules of data protection. All this requires an exercise of mapping out the areas within the organisation where compliance could be a challenge. This helps the business to identify key compliance issues to be prioritised during the implementation of the firm’s commercial objectives as well as market trends. The next step involves the establishment of a data privacy governance structure (Weigl, 2016, p. 102). This includes the appointment of a data protection officer who would be in charge of the overall data privacy program at the organisation. It also involves setting out the tasks, responsibilities and chain of command in for the staff concerned with data management and who should ensure compliance with GDPR.

They should also set up a personal data inventory that should always be updated and accurate as possible since it is subject to regular audits. According to the new regulations, data controllers are required keep users updated in the processing activities being done on their personal information. This is a transparency obligation that requires organisations to create information notices that can be readily accessed. Technical and organisational measures like privacy by design and pseudonymisation need should be implemented to ensure that there is an adequate and secure protection of personal data being processed (Bolognini and Bistolfi, 2017, p. 174). They should also engage cybersecurity teams to put in place the appropriate security measures and also comply with the requirements of their clients. Moreover, it is important these techniques are clearly documented and subjected to regular testing and updating. The last item is regular data protection impact assessments which are to be used in identifying and managing risks to personal data. They are also to be used to demonstrate to the supervisory authorities that the firm has done everything within its powers to ensure data processing is done in accordance with the law.

Managing user consent

Under GDPR regulations, the conditions of consent are harder to meet. The name of the organisation must be clearly and specifically stated, and the organisation also has to inform the user that they have the right to withdraw consent. One way organisations can meet these new requirements is by using case-specific customer configuration. Within this approach, there are changes done on the configuration files which should be localised for all the languages that are used. The changes are determined by the product being used as well as approach adopted for implementation. Ubiscure.com is an example of customer identity and access management solutions that can help firms comply with the new set of laws (Uber, 2017).

When using this user consent management solution, the firm should mention how to manage consent as well as the user’s right to withdraw consent. The system should also be configured to send customers email messages that mention and remind them of the right to withdraw user consent. Also, for audit or dispute purposes, the firm should maintain a record of the system logs that can prove consent collection.

Implications of data breach

The new regulations propose heavy penalisation for non-compliant organisations. Among the key components of the new laws is the notification rule whereby data controllers and data processors are required to report any cases of a data breach to the supervisory authorities within 72 hours after it has occurred (EUGDPR.org, 2017). The notification must provide the following details; the nature of the breach and the number of users to be affected, possible impacts of the breach, how it can be resolved, and the personal details of the data protection officer. If there are chances the privacy of consumers could be jeopardised by the breach, the organisation is required to notify each affected user. Failure to comply with the breach notification rule could attract hefty fines which the maximum is set at 20 million or Euros or 4% of the firm’s annual turnover (EUGDPR.org, 2017).

Conclusion

Data protection laws are aimed at safeguarding the privacy as well as the personal information of individuals in a computerised society. It is widely accepted that in addition to morality, legislation is required ensure the privacy of individuals on the internet is protected as privacy is a fundamental human right everywhere in the world. The UK has various data protection laws of which the data protection act of 1998 is the principal legislation. It spells out regulations that apply to both businesses and public bodies and how they should process personal data of their users. This report has also discussed the GDPR which is set to replace the DPA next year and how it is likely to affect business organisations. This new legislation is more comprehensive and places even stricter data rules for business organisations.

Recommendations

Judging from recent trends, it is expected that cyber attacks are only going to increase in the coming years. The past few years have witnessed an increase in not only the frequency of cyber attacks but also the magnitude of the number of people and businesses affected by hacking (McCandless, 2017). As cyber war between business organisations and hackers escalates, it is expected that critical infrastructure will be compromised increasing the risk of exposing personal information affecting millions of consumers.

Business organisations have to become proactive in minimising this threat by sharing cyber threat information with players in the industry as well as their national defence organisations. Also, the growth of the dark web increases the threat businesses as attackers sell old username and password information. This could affect many services as most consumers, and even organisations reuse the same password after sometime while others share usernames and passwords. Business organisations have to implement two-factor authentication in identifying users if they are to counter this threat.

Finally, with the increase in globalisation, multinationals serve wider customer bases across borders. Loss of data affecting consumers across borders can be a headache. Moreover, the strict regulations imposed by the GDPR are likely to put even more pressure on multinational corporations. This author recommends business organisation ensure they are adequately prepared by taking early measures to comply with the new regulations. Dry runs are examples of measure that can be implemented to enhance preparedness.

References

Bolognini, L. and Bistolfi, C. (2017). Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation. Computer Law & Security Review, 33(2), pp.171-181.

Bott, F. (2014). Professional Issues in Information Technology. Swindon: British Informatics Society.

Carey, P. and Treacy, B. (2015). Data protection. Oxford: Oxford University Press.

Duportail, J. (2017). I asked Tinder for my data. It sent me 800 pages of my deepest, darkest secrets. The Guardian. [online] Available at: https://www.theguardian.com/technology/2017/sep/26/tinder-personal-data-dating-app-messages-hacked-sold [Accessed 19 Nov. 2017].

EUGDPR.org (2017). Key Changes with the General Data Protection Regulation. [online] EU GDPR Portal. Available at: http://www.eugdpr.org/key-changes.html [Accessed 20 Nov. 2017].

Lynskey, O. (2015). The foundations of EU data protection law. Oxford: Oxford University Press.

McCandless, D. (2017). World’s Biggest Data Breaches & Hacks — Information is Beautiful. [online] Information is Beautiful. Available at: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ [Accessed 20 Nov. 2017].

McGoogan, C. (2017). Hackers steal 2.5 million PlayStation and Xbox players' details in major breach. The Telegraph. [online] Available at: http://www.telegraph.co.uk/technology/2017/02/01/hackers-steal-25-million-playstation-xbox-players-details-major/ [Accessed 19 Nov. 2017].

Moghaddasi, H., Sajjadi, S. and Kamkarhaghighi, M. (2016). Reasons in Support of Data Security and Data Security Management as Two Independent Concepts:. The Open Medical Informatics Journal, 10(1), pp.4-10.

Petković, M. and Jonker, W. (2007). Security, privacy and trust in modern data management. Berlin: Springer.

Rijal, N. (2016). CIA Triad [Confidentiality, Integrity and Availability]. [Blog] Complete Network Solution. Available at: https://networksoluti0n.blogspot.co.ke/2016/08/cia-triad-confidentiality-integrity-and.html [Accessed 19 Nov. 2017].

Schoeman, F. (1984). Philosophical dimensions of privacy. Cambridge [Cambridgeshire]: Cambridge University Press.

Sharma, A. and Jagtap, P. (2017). Privacy Preserving Data Mining and Data Exposure Technique and Performance Study. International Journal of Computer Applications, 170(5), pp.22-25.

Tavani, H. (2009). Ethics and technology. Hoboken, N.J.: Wiley.

Uber, K. (2017). Compliance configuration tip - simple GDPR consent management. [online] Customer Identity Management, IAM, GDPR Compliance | Ubisecure. Available at: https://www.ubisecure.com/data-protection/configuration-tip-gdpr-consent-management/ [Accessed 20 Nov. 2017].

Voigt, P. and Bussche, A. (2017). The EU general data protection regulation (GDPR). Cham: Springer International Publishing.

Warren, S., Brandeis, L. and Childress, S. (2015). The right to privacy. New Orleans, La.: Quid Pro Books.

Weigl, M. (2016). The EU General Data Protection Regulation’s Impact on Website Operators and eCommerce. Computer Law Review International, 17(4).