Future of Sourcing - Data Protection https://futureofsourcing.com/tags/data-protection en Why Should I Maintain My Data? https://futureofsourcing.com/why-should-i-maintain-my-data <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="https://futureofsourcing.com/sites/default/files/articles/FoS%20Graphic%20%2810%29.png"><a href="https://futureofsourcing.com/sites/default/files/articles/FoS%20Graphic%20%2810%29.png" title="data protection" class="colorbox" rel="gallery-node-1924--i0aJyVnaGk"><img typeof="foaf:Image" src="https://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/FoS%20Graphic%20%2810%29.png?itok=U7ZnRHwA" width="624" height="325" alt="data protection" title="" /></a></div></div></div><div class="field field-name-field-intro field-type-text-long field-label-hidden"><div class="field-items"><div class="field-item even"> <h1>Why Should I Maintain My Data?</h1> </div></div></div><div class="field field-name-field-related-news field-type-entityreference field-label-above"><div class="field-label">Related news:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/the-dangers-of-dirty-data-and-how-to-ensure-your-data-has-its-coat-on">The Dangers of Dirty Data and How to Ensure Your Data Has Its COAT on</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>So, you&rsquo;ve just shelled out big money to have your data classified. It will almost certainly be correct when you receive it, but it will only stay accurate for a short period of time.</p> <p>Updates and changes mean that before you know it, your once neat and tidy data sets will contain unclassified data, data that&rsquo;s been incorrectly classified, typos, and cut and paste errors, to name but a 
few. That is why, and I cannot emphasize this enough, it is crucial to maintain your data. Specifically, it is important that you continue to check and maintain your data for any errors that can have a knock-on effect on your bottom line.</p> <h2>What&rsquo;s the Big Deal?</h2> <p>Let&rsquo;s say you use IBM for IT services that cost around &pound;50k and you accidentally misclassify this spend as cleaning services. At the next refresh it&#39;s picked up and classified again, and it becomes &pound;100k, and at the next refresh it becomes &pound;150k. You now have a major issue on your hands: you are counting your cleaning services spend as &pound;150k plus whatever you are actually spending on it. The problem worsens because you&#39;re now not counting the &pound;150k of IT spend with IBM.</p> <p>What does that mean? Well, you may have agreed to a contract with a cleaning supplier for &ldquo;&pound;X&rdquo; amount of spend based on that data. In reality it&#39;s maybe half of that. Then you might not be able to honor it, or you find yourself in a situation where you have to pay for it despite possibly not needing that service at all.</p> <p>On the flip side, you could be negotiating better rates with IBM based on usage of the product. However, that&rsquo;s impossible to realize when it&#39;s sitting under the wrong bucket, but that&rsquo;s something I can help with.</p> <h2>How Do I Maintain My Data?</h2> <p>The secret to keeping your data clean isn&rsquo;t really a huge secret. It&rsquo;s a case of good housekeeping.</p> <p>You need to check and maintain it regularly. In the same way you give your carpets a regular once-over with the vacuum, regularly checking in with your data makes life easier in the long run.</p> <p>Just like a weekly or twice weekly vacuum round the house, it&rsquo;s a smart idea to check in on your data on a monthly or quarterly basis. 
If you have a lot of data and a lot of inputs, you&rsquo;ll need to review it more frequently.</p> <p>This is just as important even if you have a third-party supplier checking over your data. Spot-check your data occasionally to ensure your supplier is fulfilling their obligations. If your team is running the checks for you, check in on their progress once in a while to verify everyone is working to the same standards and cleaning the data in the same way. It&rsquo;s also a good opportunity to highlight development areas for your team.</p> <h2>How Frequently Should You Check Your Data?</h2> <p>Let&rsquo;s go back to that carpet analogy. Leaving your carpet for a week doesn&rsquo;t matter. It doesn&rsquo;t really matter if you leave it for a month (as long as you&rsquo;re OK living with dirty carpets). But leave that once fresh and spotless carpet too long and by the time you pull out your vacuum cleaner, your carpet will be beyond saving.</p> <p>It&rsquo;s the same with your data. Data that&rsquo;s not maintained will slowly become unusable over time. Incorrect or conflicting information will build up. AI outputs become corrupted. Since you can&rsquo;t afford to use bad data, you end up spending significant time or money to fix the problem. Ouch.</p> <p><strong>Regular Data Maintenance Means:</strong></p> <ul> <li>Better data accuracy for better business decisions.</li> <li>Avoiding a time-consuming and costly data clean-up operation (because your data won&rsquo;t slowly become corrupted).</li> <li>A better-trained and more-responsive data team. 
Doing a little bit of something regularly is always easier than doing a lot of it occasionally.</li> <li>An informal opportunity to stay in touch with the work your third-party supplier is doing.</li> </ul> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/data" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Management</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-privacy" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">data privacy</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/information-technology-it" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Information Technology (IT)</a></div></div></div>
<div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Wed, 17 Feb 2021 20:32:38 +0000 Susan Walsh 1924 at https://futureofsourcing.com https://futureofsourcing.com/why-should-i-maintain-my-data#comments What Is ISO 27001? Everything You Need to Know https://futureofsourcing.com/what-is-iso-27001-everything-you-need-to-know <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="https://futureofsourcing.com/sites/default/files/articles/ISO%2027001%20standard%20%281%29.png"><a href="https://futureofsourcing.com/sites/default/files/articles/ISO%2027001%20standard%20%281%29.png" title="The ISO 27001 standard is meant to prevent cyber threats from becoming security incidents." class="colorbox" rel="gallery-node-1865--i0aJyVnaGk"><img typeof="foaf:Image" src="https://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/ISO%2027001%20standard%20%281%29.png?itok=G5o6lhbe" width="624" height="325" alt="The ISO 27001 standard is meant to prevent cyber threats from becoming security incidents." title="" /></a></div></div></div><div class="field field-name-field-related-news field-type-entityreference field-label-above"><div class="field-label">Related news:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/where-data-and-operations-intersect-to-meet-covid-19-challenges">Where Data and Operations Intersect to Meet COVID-19 Challenges</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>Data security is a significant issue of concern for both small and large organizations. As an organization holds onto data collected from customers and vendors, it should be wary of the threat posed by cybercriminals. There are several standards that you should comply with when it comes to information security. ISO 27001 is one such standard.</p> <p><a href="https://www.iso.org/isoiec-27001-information-security.html" target="_blank">ISO 27001</a> is an internationally-recognized standard for managing risks related to the data you hold. Compliance with this standard proves to your customers and other stakeholders that your data environment is secure. It provides a set of standardized requirements for establishing an Information Security Management System (ISMS).</p> <p>This information security standard results from a joint effort between the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO). 
It&rsquo;s designed to help organizations across different industries protect their data cost-effectively and systematically.</p> <h1>How the ISO 27001 Standard Works</h1> <p>This information security standard is intended to safeguard the integrity, confidentiality and availability of information in an organization. ISO 27001 seeks to identify potential issues that pose a risk to your data environment before defining what should be done to mitigate them. Therefore, risk management is the main idea behind <a href="https://reciprocitylabs.com/guide-to-iso-certification-and-iso-compliance/#be-iso-compliant" target="_blank">ISO 27001 accreditation</a>. When your organization gets certified, it will be easier to pinpoint risks and establish controls for keeping them at bay.</p> <h1>Why Should Your Organization Gain Certification?</h1> <p>Complying with ISO 27001 comes with a ton of benefits. The most obvious is that it proves your organization takes information security seriously. Here are some other benefits of complying with this information security standard:</p> <h2>Gives You a Competitive Advantage</h2> <p>Suppose your organization attains ISO 27001 certification ahead of your business rivals. In that case, you will have a competitive advantage over them, especially with clients who are sensitive about the security of their data.</p> <h2>Better Organization</h2> <p>Fast-growing companies rarely take time to define their business procedures and processes. Consequently, employees end up not knowing what to do when disasters such as data breaches occur.</p> <p>Implementing the ISO 27001 standard can help you resolve such situations since it encourages organizations to document their main processes and procedures, including those that aren&rsquo;t security-related. 
This way, you can reduce lost time when a disaster occurs.</p> <h2>Lowers Operation Costs</h2> <p>The ISO 27001 standard is meant to prevent cyber threats from becoming security incidents. Every security incident, be it small or large, costs money. By preventing these incidents, your organization will save money. Best of all, the investment that goes into the compliance process is less than the cost savings you will achieve in the long run.</p> <h2>Ensures Compliance with Legal Requirements</h2> <p>New laws and regulations relating to data security get enacted every day. Complying with all of them can be a tall order, especially for small organizations that lack adequate resources. ISO 27001 certification makes it easier for you to comply with the ever-increasing regulations, laws and contractual requirements related to data security.</p> <h1>ISO 27001 Accreditation Process</h1> <p>The <a href="https://www.itgovernance.co.uk/iso27001" target="_blank">core data security requirements</a> of the ISO 27001 standard are set out in clauses 4.1 to 10.2. These clauses address the controls that you should implement to get accredited. For your organization to get certified, you must meet all the core requirements of the ISO 27001 standard. The most fundamental core requirement is to have a framework for identifying, assessing, evaluating and treating your information security risks.</p> <p>Some organizations decide against taking their ISMS to certification. Instead, they choose to align their systems and processes with the ISO 27001 standard. Although this can help you address internal pressures, it delivers less value to the organization&rsquo;s key stakeholders, who might be looking for the assurance that independent ISO 27001 certification offers.</p> <p>It can take years before your organization gets accredited because the process involves both external and internal stakeholders. 
Compliance requires more than just filling out checklists and submitting them for approval. Before you even consider applying for certification, it&rsquo;s best to ensure that your ISMS is mature and covers all potential areas of cyber risk.</p> <p>The certification process is divided into three main phases:</p> <ul> <li>Hiring a certification body to review your ISMS</li> <li>The certification body conducts an audit to check the ISO 27001 standard&#39;s individual components against your organization&rsquo;s ISMS. This is to ascertain that your procedures and policies are being followed as required.</li> <li>Follow-up audits are conducted to ensure that the compliance process is kept in check.</li> </ul> <h1>Final Words</h1> <p>Regardless of the industry you operate in or the size of your organization, gaining ISO 27001 certification is a big win since it helps you secure your data environment. The process of getting accredited can be difficult and overwhelming, but the investment is worthwhile. You shouldn&rsquo;t be put off by the costs and time that certification takes. 
With the proper tools and guidance, attaining accreditation is well within your grasp.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/iso-27001" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">ISO 27001</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-privacy" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">data privacy</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/data-security" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Security</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/vendor-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Vendor Management</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/international-electrotechnical-commission-iec" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">International Electrotechnical Commission (IEC)</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/international-organization-for-standardization-iso" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">International Organization for Standardization (ISO)</a></div></div></div>
<div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Fri, 25 Sep 2020 13:52:16 +0000 Jordan MacAvoy 1865 at https://futureofsourcing.com https://futureofsourcing.com/what-is-iso-27001-everything-you-need-to-know#comments Don’t Leave Your Data Out in the Cold - It Needs a COAT https://futureofsourcing.com/dont-leave-your-data-out-in-the-cold-it-needs-a-coat <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="https://futureofsourcing.com/sites/default/files/articles/Data%20Privacy.png"><a href="https://futureofsourcing.com/sites/default/files/articles/Data%20Privacy.png" title="Ensure your data is consistent, organized, accurate and trustworthy to get the most out of it." 
class="colorbox" rel="gallery-node-1826--i0aJyVnaGk"><img typeof="foaf:Image" src="https://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/Data%20Privacy.png?itok=dI45QgBS" width="624" height="325" alt="Ensure your data is consistent, organized, accurate and trustworthy to get the most out of it." title="" /></a></div></div></div><div class="field field-name-field-related-news field-type-entityreference field-label-above"><div class="field-label">Related news:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/where-data-and-operations-intersect-to-meet-covid-19-challenges">Where Data and Operations Intersect to Meet COVID-19 Challenges</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>Data services are just like coats - not all are created equal. There&#39;s a varying range of price, quality and reliability. And, if your data doesn&rsquo;t have a good coat, a range of bad or costly decisions could be made. These decisions could affect business performance and the financial situation, put jobs at risk, or even decide the fate of the company.</p> <p>Let me put it this way: you wouldn&#39;t go out in freezing temperatures without the appropriate coat, and you definitely shouldn&rsquo;t work with data or make business decisions without the same level of protection. In this case, that&rsquo;s accurate data.</p> <h1>Quality Data Services</h1> <p>And, just like with coats, there are different levels of quality data services out there. The low-cost option might tempt you, but this is cheap, fast fashion. It&rsquo;ll barely last the season before it&rsquo;s out of style. 
And it definitely won&rsquo;t protect you (or your data) from the elements.</p> <p>Not to mention the fact you&rsquo;ll definitely need to buy another the next time winter comes around again. It&rsquo;s the same with data - if you don&rsquo;t invest in a good quality service, you will end up paying twice as much, if not more, in the long run to fix the earlier mistakes.</p> <p>You might be tempted then to invest in the high-end option. But you&rsquo;ll probably need to remortgage just to afford the designer label. It&rsquo;s also probably totally impractical, has complicated care instructions, and you&rsquo;ll be too afraid to expose it to the elements - what use is that?!</p> <p>So, where&rsquo;s the middle ground? Well, last but by no means least, there&rsquo;s your favorite coat. It&rsquo;s with you through thick and thin. It protects you (and your data) from the elements. It&rsquo;s dependable, reliable and always in style!</p> <p><strong>So, what does this C.O.A.T. do for your data? Well&hellip;</strong></p> <h1>It&rsquo;s Consistent</h1> <p>Generally, data is used by many people or teams, which can lead to multiple classifications of one product. For example, one person might put DHL as a courier, while another might log it as logistics or warehousing.</p> <p>A taxi might be classified generically as travel when it should be classed as Travel &gt; Road Transport &gt; Taxis. Also, a project cost should be assigned to the same budget or GL code, not several. It could even be as simple as units of measurement.</p> <p>One person may use Liter, another &ldquo;Ltr&rdquo; and another &ldquo;L&rdquo; &ndash; but these should all be one format. This means everything can be reported accurately. 
You get an accurate picture of what&rsquo;s going on, and better business decisions can be made.</p> <p align="center"><em><a href="https://sig.org/managing-challenges-burgeoning-data-privacy-laws" target="_blank">&gt;&gt;Managing the Challenges with Data Privacy Laws&lt;&lt;</a></em></p> <h1>It&rsquo;s Organized</h1> <p>Data is only useful if it&rsquo;s organized. Think of a messy closet: you&rsquo;re looking for your favorite top but can&#39;t find it because everything has been thrown in there. And, much like your closet, you can organize your data in different ways. How you organize your data depends on what you want to get out of it, and that in turn determines the reports and analytics it can produce.</p> <p>You may want to assign data to employees, teams, departments, functions or internal categories. Time periods such as months and quarters, or year groups like P1, P2, can also be assigned. So, for example, when you need the information on the accounts that Sharon in Finance is working on, or the sales team&rsquo;s performance for the quarter, you can pull that information quickly.</p> <h1>It&rsquo;s Accurate</h1> <p>This can mean different things to different people. At its most basic level, accurate data is correct. In more detail, this could mean no duplicate information; accurate invoice descriptions; correct classifications; no missing product codes; standard units of measure (e.g., ltr, l, liters); no currency issues; correctly spelled vendors; fully classified data; or the right data in the correct columns.</p> <p>So, what does this mean? It means greater visibility across your business in several areas, allowing better decisions, as well as time and cost savings and increased profits.</p> <h1>It&rsquo;s Trustworthy</h1> <p>This is critical. Business decisions around jobs, staffing, budgets, cost savings and more are all based on data. Data is used by everyone from the bottom to the top of an organization. 
You have to be able to trust that what you&rsquo;re looking at is the right information. You need it to be accurate in order for your teams to use the data in their daily jobs.</p> <p>If they don&rsquo;t trust the data, then they might not use the fancy new expensive software you&rsquo;ve just spent tens of thousands of dollars installing. Or the new AI you&rsquo;ve installed may not produce the right results because it&rsquo;s learning from dirty data.</p> <p>Like a good coat, data is an investment - not a cost. By making sure it has its C.O.A.T. on, you&rsquo;re saving time and money and avoiding future problems. And also like any coat, it needs to be maintained. You need to continually ensure your data is consistent, organized, accurate and trustworthy to get the most out of it.</p> <p>So, which C.O.A.T. do you want your data to wear?</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/data-privacy" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">data privacy</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/data-security" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Security</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/artificial-intelligence-ai" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Artificial Intelligence (AI)</a></div></div></div>
<div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Tue, 11 Aug 2020 17:52:08 +0000 Susan Walsh 1826 at https://futureofsourcing.com https://futureofsourcing.com/dont-leave-your-data-out-in-the-cold-it-needs-a-coat#comments Data Protection as a Service: The Latest Outsourcing Opportunity https://futureofsourcing.com/data-protection-as-a-service-the-latest-outsourcing-opportunity <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="https://futureofsourcing.com/sites/default/files/articles/Data%20Protection%20as%20a%20Service%20624x325.jpg"><a 
href="https://futureofsourcing.com/sites/default/files/articles/Data%20Protection%20as%20a%20Service%20624x325.jpg" title="Data Protection as a Service: The Latest Outsourcing Opportunity" class="colorbox" rel="gallery-node-1294--i0aJyVnaGk"><img typeof="foaf:Image" src="https://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/Data%20Protection%20as%20a%20Service%20624x325.jpg?itok=ZCjKYReX" width="624" height="325" alt="" title="" /></a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <div style="clear:both;"> <p paraeid="{3e218956-ec7d-4c62-b0d8-e05724c9f6ea}{201}" paraid="47219839"><span xml:lang="EN-GB">Data&nbsp;</span><span xml:lang="EN-GB">protection is the most pressing item on the</span>&nbsp;<span xml:lang="EN-GB">business</span><span xml:lang="EN-GB">&nbsp;agenda for organisations</span><span xml:lang="EN-GB">&nbsp;around the world&nbsp;</span><span xml:lang="EN-GB">today</span><span xml:lang="EN-GB">. 
Since the Ca</span><span xml:lang="EN-GB">mbridge Analytica scandal</span><span xml:lang="EN-GB">, the tech industry, investor market and general public have been waiting to see the real impact of Facebook selling</span><span xml:lang="EN-GB">&nbsp;its</span><span xml:lang="EN-GB">&nbsp;user</span><span xml:lang="EN-GB">s&rsquo;</span><span xml:lang="EN-GB">&nbsp;information&nbsp;</span><span xml:lang="EN-GB">to third parties</span><span xml:lang="EN-GB">.&nbsp;</span></p> </div> <div style="clear:both;"> <p paraeid="{3e218956-ec7d-4c62-b0d8-e05724c9f6ea}{235}" paraid="343384897"><span xml:lang="EN-GB">Now we know.</span></p> </div> <div style="clear:both;"> <p paraeid="{3e218956-ec7d-4c62-b0d8-e05724c9f6ea}{239}" paraid="1287561484"><span xml:lang="EN-GB">Over a&nbsp;</span><span xml:lang="EN-GB">48-hour</span><span xml:lang="EN-GB">&nbsp;period in late July, Facebook saw $119</span>&nbsp;<span xml:lang="EN-GB">b</span><span xml:lang="EN-GB">illio</span><span xml:lang="EN-GB">n wiped off its market cap. 
The valuation of the company fell from&nbsp;</span><span xml:lang="EN-GB">$</span><span xml:lang="EN-GB">620 to&nbsp;</span><span xml:lang="EN-GB">$</span><span xml:lang="EN-GB">500 billion dollars, and founder Mark Zuckerberg woke up&nbsp;</span><span xml:lang="EN-GB">$</span><span xml:lang="EN-GB">17</span>&nbsp;<span xml:lang="EN-GB">b</span><span xml:lang="EN-GB">illio</span><span xml:lang="EN-GB">n poorer.&nbsp;</span><span xml:lang="EN-GB">Additionally, user</span><span xml:lang="EN-GB">&nbsp;growth declin</span><span xml:lang="EN-GB">ed</span><span xml:lang="EN-GB">&nbsp;across Europe as trust fell in&nbsp;</span><span xml:lang="EN-GB">Facebook&rsquo;s ability to provide adequate data protection</span><span xml:lang="EN-GB">.</span></p> </div> <div style="clear:both;"> <p paraeid="{b50c6918-7015-4020-884e-1d55a1351350}{32}" paraid="1211445040"><a href="http://www.futureofsourcing.com/node/787" target="_blank"><span xml:lang="EN-GB">GDPR&nbsp;</span><span xml:lang="EN-GB">(General Data Protection Regulation)&nbsp;</span></a><span xml:lang="EN-GB">is simultaneously one of the most&nbsp;</span><span xml:lang="EN-GB">mundane yet&nbsp;</span><span xml:lang="EN-GB">terrifying acronyms of recent times, the most obvious manifestation of a wider data privacy narrative. Since its introduction, we&rsquo;re all once again on tenterhooks to see who will be the first to get slapped with a massive fine for mismanaging their user data.&nbsp;</span><span xml:lang="EN-GB">So far, there have been small breaches of the regulation that have resulted in reprimands and guidance on best practice</span><span xml:lang="EN-GB">, b</span><span xml:lang="EN-GB">ut rest assured there will be a high-profile case sooner rather than later.</span></p> </div> <div style="clear:both;"> <p paraeid="{b50c6918-7015-4020-884e-1d55a1351350}{50}" paraid="996153474"><span xml:lang="EN-GB">The market has spoken. People care about their data and authorities care about how businesses use it. 
There is a</span><span xml:lang="EN-GB"> clear risk to businesses who slip up, so companies are now being forced to pull their best security or management staff out of their day jobs and re-focus them on managing data protection. Without upskilling them or hiring dedicated experts, many companies have non-specialists in a role which requires expert knowledge and best practice. You wouldn&rsquo;t let the CTO take on your accounting, so why is someone in IT in charge of data protection without proper training? It&rsquo;s a dangerous precedent to set and highlights the issues in talent management that still dog businesses of all sizes in the current market.</span></p> </div> <div style="clear:both;"> <p paraeid="{b50c6918-7015-4020-884e-1d55a1351350}{82}" paraid="1889076588"><span xml:lang="EN-GB">The answer? Outsource your data protection offering. By ensuring that vital tasks are handled by the talent best placed to do them, a business can secure a very specific skillset and continuity of cover, along with a process and a set of standards to ensure the organisation &ndash; and its entire supply chain, which is often not even considered in the process &ndash; remains compliant.</span></p> </div> <div style="clear:both;"> <p paraeid="{b50c6918-7015-4020-884e-1d55a1351350}{112}" paraid="1215898952"><span xml:lang="EN-GB">The International Association of Privacy Professionals estimates that up to 75,000 Data Protection Officers (DPOs) will be needed as a result of GDPR. Helpfully, Article 37(6) of the GDPR expressly provides that a DPO can be either a staff member or a contractor engaged under a service contract, thus enabling enterprises to look for highly qualified, outsourced talent to help them meet the challenge of data compliance.</span></p> </div> <div style="clear:both;"> <p paraeid="{b50c6918-7015-4020-884e-1d55a1351350}{146}" paraid="963765258"><span xml:lang="EN-GB">With security roles in dramatic demand, security threats on 
the increase</span><span xml:lang="EN-GB"> and a well-publicised tech skills shortage, outsourcing data protection to allow your existing staff to deliver value in their specialised roles may just relieve some pressure on decision-makers.</span></p> </div> <p>&nbsp;</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/data-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Management</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/risk-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Risk Management</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/general-data-protection-regulation-gdpr" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">General Data Protection Regulation (GDPR)</a></div></div></div><div class="field field-name-field-addthis field-type-addthis field-label-hidden"><div class="field-items"><div class="field-item even"><div class="addthis_toolbox addthis_default_style " addthis:title="Data Protection as a Service: The Latest Outsourcing Opportunity - Future of Sourcing" 
addthis:url="https://futureofsourcing.com/data-protection-as-a-service-the-latest-outsourcing-opportunity"><a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_linkedin"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_facebook"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_twitter"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_googleplus"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_pinterest_share"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_reddit"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_email"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_print"></a> </div> </div></div></div><div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/europemiddle-eastafrica" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Europe/Middle East/Africa</a></div></div></div> Sun, 14 Oct 2018 22:54:42 +0000 Evtim Batchev 1294 at https://futureofsourcing.com https://futureofsourcing.com/data-protection-as-a-service-the-latest-outsourcing-opportunity#comments The General Data Protection Regulation: Key implications for UK outsourcing https://futureofsourcing.com/node/787 <div class="field field-name-field-image field-type-image field-label-hidden"><div class="field-items"><div class="field-item even" rel="og:image rdfs:seeAlso" resource="https://futureofsourcing.com/sites/default/files/articles/Chris-Cope-Dec-2015-1-624x325.jpg"><a href="https://futureofsourcing.com/sites/default/files/articles/Chris-Cope-Dec-2015-1-624x325.jpg" title="The General Data Protection Regulation: Key implications for UK outsourcing" class="colorbox" 
rel="gallery-node-787--i0aJyVnaGk"><img typeof="foaf:Image" src="https://futureofsourcing.com/sites/default/files/styles/juicebox_medium/public/articles/Chris-Cope-Dec-2015-1-624x325.jpg?itok=K2iZSrOQ" width="624" height="325" alt="" title="" /></a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">From 25 May 2018, a new European General Data Protection Regulation (the &ldquo;GDPR&rdquo;) will apply and change the rules applicable to businesses that process &ldquo;personal data&rdquo; such as customer and employee data. Organisations will need to consider implementing new procedures in order to comply. The new rules will impose more stringent requirements on organisations and strengthened rights for individuals, with the risk of substantial fines for non-compliance. We set out some of the key changes and implications for outsource providers and their customers from a UK perspective.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><strong>New, harmonised rules for Europe</strong></p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">The GDPR is an EU regulation which will replace the existing EU Data Protection Directive - on which the current UK Data Protection Act 1998 (DPA) is based - and impose new data protection rules across the EU and beyond. 
In theory, the GDPR will introduce one set of data protection standards which apply in a largely uniform manner across all EU countries.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><strong>Applicable in the UK?</strong></p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">It appears likely at this stage that the GDPR will apply in the UK for some time until Brexit negotiations are completed and that the GDPR will therefore replace the DPA. Even if the UK does leave the EU, it is likely the GDPR will be replaced with alternative equivalent legislation. In addition, many UK businesses would continue to fall within scope because of its broad territorial application.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><strong>Data processors now caught</strong></p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">A notable feature of the GDPR is that both data controllers (such as employers in respect of their employee data) and data processors (those who process data on behalf of employers, such as outsource providers) will be subject to binding legal obligations. 
Consequently, for those dealing with clients&rsquo; personal data as an outsourced processor, the legal framework is set to become more onerous.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><strong>Key changes</strong></p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">The new requirements will bring several key changes to the outsourcing industry.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>New legal requirements for data processors.&nbsp;</em>Data processors (which are not currently subject to the UK DPA) will need to comply with certain requirements of the legislation, and the legal risk will no longer sit solely with data controllers. For the first time, outsource companies in their capacity as data processors will be liable to fines and to compensate individuals in the case of their non-compliance.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>Data protection officers.</em>&nbsp;Businesses (whether data controllers or data processors) will need to appoint a data protection officer (DPO) with &ldquo;expert&rdquo; knowledge of data protection law and practice if their core activities consist of:<br />&bull; regular and systematic monitoring of individuals on a large scale; or<br />&bull; large-scale processing of sensitive personal data and personal data relating to criminal convictions and offences.<br />DPOs are granted protected status because of the nature of their role. 
They must be allowed to perform their duties independently and must not be dismissed or penalised simply for doing their job.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>New mandatory notification requirement.</em>&nbsp;Notification of personal data breaches (breaches of security leading, for example, to accidental loss or unauthorised disclosure) will become mandatory in certain circumstances. Data controllers will have to notify breaches to the regulator within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals). Breaches which pose a high risk to the rights and freedoms of individuals will also need to be reported to the affected individuals, unless steps have been taken to encrypt the data or otherwise minimise the risk. The rules will require data processors to notify data controllers of any breach without undue delay after becoming aware of it.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>New penalties.&nbsp;</em>Outsource providers will be at risk of fines going forward and, in addition, the maximum fine for some breaches will increase to EUR 20 million or 4% of annual worldwide turnover in the previous year, whichever is higher. 
This is significantly higher than the current maximum penalty in the UK of &pound;500,000.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>Registration to be replaced with accountability.&nbsp;</em>The existing notification regime, whereby data controllers register with the regulator (in the UK, the Information Commissioner&rsquo;s Office) and pay a fee, will be replaced with an &ldquo;accountability principle&rdquo; which will require those dealing with personal data to take more proactive compliance steps.&nbsp;In particular, data controllers will be required to adopt internal policies and compliance procedures that demonstrate compliance with the requirements and update them where necessary.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>Record-keeping.</em>&nbsp;Both data controllers and data processors will need to document their data processing activities and make their records available to the regulator upon request (some organisations with fewer than 250 employees will be exempt from this requirement).</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>Risk assessments.&nbsp;</em>Data controllers will be required to have an eye to privacy issues at the outset of processing and implement data protection safeguards into projects by design and by default. Where processing carries a high risk, data controllers will need to conduct risk assessments, known in the GDPR as &ldquo;Data Protection Impact Assessments&rdquo; (DPIAs, and often still referred to as Privacy Impact Assessments or PIAs), and, where the assessment shows that the high risk cannot be mitigated, consult with the regulator before starting the processing. Time for such project-shaping assessments and discussions will need to be built into project timetables, particularly for riskier projects, for example those involving large volumes of health data.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><em>Sub-contractors and overseas transfers.&nbsp;</em>Sub-contracting will be a particular area of risk for outsource providers, as they will remain fully liable to the data controller for the performance of the sub-processor&rsquo;s obligations. If the sub-processor is based outside the European Economic Area, the data processor will need to have regard also to the overseas transfer restrictions &ndash; which are broadly similar to those in the DPA but now apply to data processors as well as data controllers.</p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;"><strong>Preparing for implementation</strong></p> <p style="line-height: 1.714285714; margin-top: 0px; margin-bottom: 1.714285714rem; color: rgb(68, 68, 68); font-family: 'Open Sans', Helvetica, Arial, sans-serif; font-size: 14px;">Outsource providers still have just under two years to assess the operational and legal impact of the GDPR on their businesses and make adjustments where required. The ICO has published guidance on its website which aims to help businesses prepare. 
When negotiating new contracts, both providers and their clients will also need to consider how they will appropriately allocate the additional risk and costs of increased compliance.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/security" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Security</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/law" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Law</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/contract" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Contract</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/brexit" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Brexit</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div></div></div><div class="field field-name-field-addthis field-type-addthis field-label-hidden"><div class="field-items"><div class="field-item even"><div class="addthis_toolbox addthis_default_style " addthis:title="The General Data Protection Regulation: Key implications for UK outsourcing - Future of Sourcing" addthis:url="https://futureofsourcing.com/node/787"><a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_linkedin"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_facebook"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_twitter"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_googleplus"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_pinterest_share"></a> 
<a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_reddit"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_email"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_print"></a> </div> </div></div></div><div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/europemiddle-eastafrica" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Europe/Middle East/Africa</a></div></div></div> Mon, 12 Sep 2016 17:37:08 +0000 Beverly Flynn 787 at https://futureofsourcing.com GDPR: is this about IT or resilience? https://futureofsourcing.com/node/962 <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>Levels of concern in business appear to be rising, as the date for the roll out of the new EU Data Protection regulations, known as GDPR, was announced (May 25, 2018, by the way). Social media were alight with comment and speculation and many people were questioning if a potential Brexit could impact the uptake of the regulations in the UK. The bottom line is, we have our own Data Protection Act, which will remain, and it is not possible to rule out the adoption of best practice guidelines, regardless of any potential Brexit outcome. But surely, that is looking at the GDPR the wrong way round? It almost appears as if the tone has been set and once again data protection and security professionals face the probability of an established negative view of what is meant to be a helpful set of guidelines.</p> <p>Granted, GDPR contains monetary penalties, but if we look at the level of data breaches we see in the press every day, much of it is preventable and comes from poor practice. 
But if we cannot be assured of businesses and organisations protecting the data that we lend them, then legislating them into it would appear to be the logical route. Surely we should all be pleased at the opportunity to look at how we handle data ourselves and to question how our data is handled?</p> <p>According to the Datastrophe report, half of enterprise IT decision-makers (ITDMs) are concerned that the security measures they have in place will not meet the GDPR expectations and one in five were waiting to see what final decisions were made in the regulations before putting additional security measures in place. Now, whilst on the one hand it may seem sensible to wait and see what new regulations may mean for the UK business sector before spending, we have had access to many of the proposed regulations for some time, and given that this included a potential monetary penalty amounting to 4% of global turnover for a serious data breach, you would think this alone would have had all ITDMs making some serious decisions.</p> <p>However, therein lies part of the problem: ITDMs. Data protection is not the reserve of IT. IT is a part of the DP solution but by no means all of it. Granted, the survey had to be directed at someone, but this kind of research is so often directed toward IT that it sometimes raises more questions than it clearly answers. If we are genuinely trying to grasp the UK&rsquo;s preparedness for GDPR, looking to the IT response is not going to give us the full picture. But as we know, this is a problem with security perception in general; it is frequently seen as an IT issue, not a business one, and this is merely a reflection of that belief.</p> <p>For instance, what about the areas of governance outside of IT; how prepared are they for GDPR? 
Risk teams, infosecurity professionals, data protection professionals, senior information risk owners, information asset owners and, of course, end users all play a part in data protection success or failure. They will also be part of the planning and preparation for the GDPR roll out. Let&rsquo;s take a look at business units like HR and finance, which both handle significant levels of sensitive data: employee salary, medical and personal information, as well as sensitive business information and access to funds and assets.</p> <p>Not all of this information is in digital format and not all of it is sitting within the protective sphere of a corporate network&hellip;even though it should be. It could be sat on any number of end user devices. What about sharing of this information, moving of this information or changing it? And finally, what about users who print things out? We know from the Information Commissioner&rsquo;s Office that this is a common method of accidental breach. What can IT do about that? What we really should be asking is how a business handles the adequate protection of all its information assets, and what steps are being taken at a corporate level to prepare for GDPR.</p> <p>We know that &ldquo;shadow IT&rdquo; is alive and well and being used to circumvent security restrictions placed on users because, amongst other things, they have decided it will enable a more convenient user experience. This can include behaviour such as sending corporate information to personal email addresses and using personal devices on networks without security testing or permission. Whilst there will always be users who try to do this, overly onerous policy or procedure should be avoided in order to discourage this kind of risky behaviour. Security policy makers need to find out what users need to do, and find a way for them to do it securely. 
They also need to enforce policy once it has been set.&nbsp;Data sat on personal devices is way beyond the touch of corporate security and, given the behaviours outlined above, security may not even be aware it is at risk.</p> <p>Let&rsquo;s go back to that Datastrophe report, because that tells us that ITDMs think around 42% of all corporate data is held on endpoint devices that are outside of the traditional security perimeter. It is not surprising that almost 70% of these ITDMs feel that more needs to be done in terms of investment in endpoint data protection. Bear in mind that when we talk about end points, we are talking about devices that the business knows about and either owns or has sanctioned for use via a Bring Your Own Device (BYOD) policy. On this point users and ITDMs disagree hugely: according to the data, 65% of ITDMs believe there is a clearly defined BYOD policy in place, while 67% of users say there is not.</p> <p>The truth, no doubt, lies somewhere between, however everything we have learned about shadow IT, as mentioned above, tells us that users will leverage their own devices for convenience. Indeed some researchers (such as Ovum) have found that up to 70% of BYOD practice is done without the knowledge or consent of employers, which to a degree tends to back up the users&rsquo; assertions. So there is another area untouched by IT security oversight&hellip;</p> <p>So realistically, we need to examine what measures are in place to secure the behaviour of end users, instead of expecting IT to handle the whole DP arena and absorb the changes coming through to business via the GDPR. Understanding and evolving how we handle data protection in the face of firmer regulation means that businesses need to look at themselves in their entirety and be brutally honest about how effective the whole business is at security and resilience. 
Out of this will come a pragmatic, business-enhancing approach that benefits end users with streamlined, agile security and results in practical improvements to both user experience and data protection levels. Surely this is the right way to be looking at GDPR?</p> <hr style="clear:both;" /> <p>&nbsp;</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/data-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Management</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/risk-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Risk Management</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/brexit" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Brexit</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/uk" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">UK</a></div></div></div><div class="field field-name-field-addthis field-type-addthis field-label-hidden"><div class="field-items"><div class="field-item even"><div class="addthis_toolbox addthis_default_style " addthis:title="GDPR: is this about IT or resilience? 
- Future of Sourcing" addthis:url="https://futureofsourcing.com/node/962"><a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_linkedin"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_facebook"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_twitter"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_googleplus"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_pinterest_share"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_reddit"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_email"></a> <a href="https://www.addthis.com/bookmark.php?v=300" class="addthis_button_print"></a> </div> </div></div></div><div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Fri, 10 Jun 2016 12:59:22 +0000 Mike Gillespie 962 at https://futureofsourcing.com Cyber-attacks: can you contract against damage caused by supplier data breaches? https://futureofsourcing.com/node/959 <div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"> <p>The data and cyber regulatory regime in the EU &ndash; which includes, for the time being at least, the UK &ndash; is undergoing a very significant shake-up. The new General Data Protection Regulation, which will apply from 25 May 2018, will bring a number of new measures into play such as much increased fines (up to the higher of 4% of annual worldwide turnover or 20 million euros, in some cases) and mandatory reporting of most data security breaches. 
The new rules will also catch for the first time businesses established outside the EU but who sell to EU data subjects or monitor data subjects&rsquo; behaviour within the EU. Other changes afoot include the Network and Information Security Directive, which when implemented over the next two years or so, will cover critical infrastructure providers, such as key operators in the energy, banking, transport, finance and health sectors and, importantly, the digital sector; and the Electronic Identification Regulation which from 1 July this year will regulate providers of trust services e.g. businesses involved in providing identification, verification or authorisation of a person&rsquo;s identity in electronic transactions.</p> <p>The level of interest amongst regulators, and also amongst governments, is not surprising due to the high cost and disruption suffered. The Department for Culture, Media and Sport recently announced government research findings that two thirds of large businesses experienced a cyber breach or attack in the past year. And the same research revealed the high cost of cyber breaches and attacks to business, with last October&rsquo;s attack on TalkTalk, for example, reported to have cost the telecoms company over &pound;60m and led to the loss of more than 100,000 customers. 
The threat of cyber-attack comes from many sources: infections by viruses and malicious software; theft or fraud involving IT systems, targeting things such as confidential information, intellectual property, credit card data and other personal information; incidents caused by staff; and attacks by unauthorised outsiders, whether criminal, terrorist or nation-state-sponsored, such as the Stuxnet worm deployed to sabotage Iran&rsquo;s nuclear program in 2014.</p> <p>Apart from regulatory fines, cyber-related risks, costs and losses include wasted management time, legal and consulting costs, adverse publicity, reputational damage, loss of customer confidence, reduced sales, business and operational disruption, litigation risk (such as contractual claims, allegations of negligence and, particularly in the US, class actions) and increased cost of insurance. Firms need robust cybersecurity programs to address these and other risks by focusing on areas such as compliance with applicable industry laws and regulations, implementation of information security policies and other best practices, vulnerability risk assessments and testing, employee training programs, incident response plans, insurance coverage review and investor communications.</p> <p>Firms also need to develop robust approaches to contracting with third party suppliers in order to deal with issues such as compliance with laws such as the Data Protection Act, audit, background screening, information security and the like. Further, when thinking about existing contractual relationships, and with the explosion of cloud computing in particular in mind, firms should review, and stress-test, the array of contractual and other risks which may arise in the event that a third-party supplier who hosts or processes a firm&rsquo;s personal data, customer credit card details or other confidential information is compromised. 
For these purposes all material outsourcing, cloud computing and other important supplier contracts should be reviewed along with the scope of services provided (which may have changed since the contract was signed), and an assessment of the risks undertaken.</p> <p>In any business-to-business contract, it is highly likely that these issues will have been addressed to some degree or other, typically through some combination of representations, warranties, indemnities and general contractual obligations (such as those often imposed on data processors), which, depending on the circumstances and the way that the contract is crafted, will give rise to remedies such as service credits, step-in, termination and damages. Exclusions and limitations of liability will also be relevant. For example, it is not uncommon for the parties to a business contract to seek to exclude liability for what are usually referred to as indirect and consequential losses, and these clauses often include a laundry list of losses which, depending on their construction, may prevent a firm from recovering lost or corrupted data, from recovering certain economic losses such as lost profits or business, or from seeking to recover for damage to reputation. 
Although firms with leverage will be able to ensure that certain clauses can be included to counter the risk, the firm needs to balance the risk involved with other considerations such as the price which it is willing to pay via a risk premium loaded onto the charges, and the alternatives such as insuring (or self-insuring) the risk itself rather than seeking to transfer it via the contract.</p> </div></div></div><div class="field field-name-field-tags field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Tags:&nbsp;</div><div class="field-items"><div class="field-item even" rel="dc:subject"><a href="/tags/risk-management" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Risk Management</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/cybersecurity" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Cybersecurity</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/government" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Government</a></div><div class="field-item odd" rel="dc:subject"><a href="/tags/law" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Law</a></div><div class="field-item even" rel="dc:subject"><a href="/tags/data-protection" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Data Protection</a></div></div></div><div class="field field-name-field-addthis field-type-addthis field-label-hidden"><div class="field-items"><div class="field-item even"><div class="addthis_toolbox addthis_default_style " addthis:title="Cyber-attacks: can you contract against damage caused by supplier data breaches? 
- Future of Sourcing" addthis:url="https://futureofsourcing.com/node/959"></div> </div></div></div><div class="field field-name-field-region field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Region:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/regions/global" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Global</a></div></div></div> Wed, 08 Jun 2016 13:09:55 +0000 Tim Wright 959 at https://futureofsourcing.com