We are in a world where privacy regulations are giving control back to people, and imposing significant penalties on organisations that don’t adequately secure personally identifiable information.
There are only really two possible things your organisation can focus on to navigate this new landscape.
The first is to spend more on securing your data than you ever have before. This is the easy route – because greater magnitude of harm means greater risk mitigation expenditure. The maths is simple, the board will get it.
The second way is to reduce data capture to the bare minimum, and delete or anonymise what you’ve captured as soon as you can.
This isn’t easy: it requires your whole organisation to take a disciplined approach to data capture that recognises the new risks.
It requires questions like “why do we need that data to deliver our service, and for how long” to be asked and acted on as a matter of routine. If you’re doing really well, you’ll have a business case for every bit of data you capture that will also have a time value.
Innovative solutions will be required to gain the advantage of broad and long-term data capture, without incurring the liability, and without becoming a target.
The hardest part will be getting people to hit the delete button, because we’re used to hoarding, not minimalism. We’re convinced that data is the new oil, when it’s actually the new Plutonium, and needs to be handled like it.
There will be two types of organisations in the future – those who overspend on security, get nothing back on their investment and still get fined, and those who capture only what they have to, and innovate. The second way is better.