Data is your most important asset – pay attention to data management and information security
The importance of data for companies is growing constantly. When data is used for creating new products and services, it should be protected effectively – especially when the data is sensitive. This requires both high-quality data management and expertise in information security.
Most companies want to protect their data well but stumble upon deficiencies in data management. There may be shortcomings in master data: for example, information on the owner or the last version of the data may be missing. The challenges only get bigger when the data is torn away from its original source as the definitions do not always accompany the data unchanged.
One of the main premises for solving these issues is to improve the understanding of the company’s data assets. This happens with the help of metadata, which describes the data content. Metadata can be maintained when data is processed and moved from one place to another. It can also be completed afterwards, by searching automatically recognizable elements from the data content.
When it comes to protecting data, it is essential that the metadata shows how the data can be used and shared. The more detailed these criteria are, the easier it is to manage any data-related rights. However, the criteria cause difficulties for companies because they have often collected their data in the course of several years, while the requirements for data use have only become stricter.
Sensitive data requires better protection
The need to protect data is emphasized when the data includes sensitive information, such as personal data. The GDPR determines that any personal data must be protected and secured. This requires both a secure IT infrastructure and good practices and processes for handling the data.
From the point of view of data management, sensitive information can be protected by pseudonymizing or anonymizing any identifying information. Pseudonymizing means that this information is processed in a way that it cannot be directly connected to an individual. This does not yet eliminate the responsibilities defined by GDPR. Anonymizing, on the other hand, means processing personal data in a way that makes it permanently unusable for identifying a person. That means the GDPR is no longer applied to the data. The use of pseudonymizing or anonymizing is still in its infancy in companies, and when these methods are put to practice the possibility for further use of data is often lost.
From the point of view of information security, the data can be protected by, for instance, encrypting it, ensuring the security of the platform already at the level of infrastructure, and by using methods of identity and access management. It’s all about who can use the data and for what purpose, how is this person identified and how do we resolve access management.
Having good processes for managing authorizations as well as periodical reviews of access rights is important for data protection.
Data solutions and information security should be developed hand in hand
Restrictions in using data present a challenge for the development of data solutions since finding new ways to use data is the actual goal of this work. In the prevailing culture, data has often been protected only when necessary. The other extreme favors the idea of protecting data completely, except for purposes that have been granted a specific permission.
Companies have to strike a balance between using and protecting their data. How this is carried out depends on the sector and its legislation as well as company policy. In addition, it is important to recognize which rules apply to which people and what groups should be granted access to data.
Data solutions are developed to fulfill business needs, while agile development aims at quick experiments. Protecting and securing data may be forgotten, since it is not the primary driver for development. This is exactly why we should make a conscious effort to pay attention to data protection.
In the near future, we must find a happy medium between agile development of new data solutions and protecting data in a controlled manner. The same goes for the rising trend of developing AI applications based on data. Any shortcomings in data management are reflected in the models based on machine learning and affect the entire outcome.
One solution for this situation is to make use of a data protection and security expert in development projects. While this doesn’t require a lot of effort, it adds a new point of view, which may significantly affect the end result. In addition, the personnel developing data solutions can be trained in data protection in order to increase their awareness of its significance.
Data protection is a holistic endeavor: companies must take into account their own policies and processes as well as general legislation and regulations.
Most organizations are only now taking notice of these issues, and do not have enough expertise to handle them.
Mika Käck works as Principal Consultant at Enfo’s Digital Trust team, building new Digital Identity services for our customers.
Mika Naatula is the CTO of Enfo’s Data and analytics unit. The focus of his work is to use data for bringing results. Naatula sees data as a strategic asset that helps to make better decisions and to build a better world, piece by piece.