Since the Payment Card Industry Data Security Standard has required companies who collect and store credit card data to implement more stringent controls, many have decided to eliminate credit card data from their own systems and entrust it to an external service provider.
Could the same happen with personal data? If control requirements are too strong and implementation is too costly, could it make sense to hand over personal data to a specialized “personal data processor”?
According to Carsten Casper, managing vice president at Gartner, organizations will increasingly seek to move away from storing and processing personal data over the next five years.
“Processing personal data is a costly obligation and carries many risks. As organizations cease processing personal data due to forces in mobile and cloud computing, they should address this loss of control in their business strategies,” says Casper.
Here are five key reasons why change is needed in companies’ approach to personal data:
1- Managing employee or customer data is only a cost of doing business
Administering personal data is a cost of delivering goods or services – it’s not the business itself. New technologies make it easier to hand over employee management to a specialist provider. This means handing some control of data to a third party, be it for online recruitment, talent management or payroll processing. The same is true for customer contact data and customer transaction profiles.
2- Employers and employees drift apart
Short-term and temporary employment and an increase in contract and freelance workers are characteristics of the modern workplace. The workplace has become more flexible as people increasingly work from home, travel and live abroad. They use their own computing devices and cloud services that weren’t necessarily procured by the company, meaning that the contractual, physical and technical ties between employers and employees loosen.
3- There are more processes for personal data than ever before
Processes must be identified, documented, secured and audited. The privacy officer oversees processing of not only employee salary information and customer delivery addresses, but also location data from the fleet of vehicles, image data from shop surveillance cameras, preference data recorded in mobile apps, building access data, opt-in or opt-out preferences for email campaigns, and many more areas.
4- Personal data knows no borders
Companies are constantly transferring personal data internationally – when consolidating data centers, moving their email services to a cloud environment, or outsourcing IT operations to a low-wage country. Embedding a few lines of code on the corporate website can immediately create an international transfer of personal data, such that enforceability of domestic laws is not guaranteed.
5- The individual is a soft target
Employees and customers are moving into the line of fire of criminal and government-sponsored attackers. Until recently, those hackers focused on attacking vulnerable IT infrastructure. As protection for such infrastructure improves, the attackers’ attention shifts to softer targets, such as employees, contract workers, customers, citizens and patients. Knowing anything about these individuals can help to launch or support an attack against corporate targets, meaning that the organization is still ultimately accountable.
“It’s clearly time to create an exit strategy for the management of personal data. Organizations must prepare for a time when they do not own IT infrastructure, and they do not control the way that employee and customer information is protected,” says Casper. “The ultimate aim is to create a privacy program that keeps personal data at arm’s length, but under control.”