The use of Big Data and the virtues of information security are hot topics, but what is challenging for many CIOs is how these two are able to sit comfortably with each other.
Data Privacy - Information security regularly tops BCS polls as the most important skill for IT professionals of the future. Within the last five years, data breaches within the UK have increased tenfold, and personal data is often the target of those breaches. Legislation, such as the Data Protection Act 1998 is in place to protect our personal data and the usage of it by organisations, but application and enforcement are all to often inadequate.
Big Data - We create 2.5 quintillion bytes of data every day with 90% of the digital data that exists having been created in the last two years. Much of the data comes from social media platforms where people share their feelings, likes and links to points of interest. For most people, this is a part of everyday life, but for businesses this is Big Data that can intelligently shape their marketing and customer engagement.
Sales and marketing teams are keen to extract the precious information data provides and utilise it for business purposes, but what are the rules around this activity and how do we identify when a line has been crossed?
First and foremost information security is key. I believe the CIO needs to determine a set of standards for information assurance. This should primarily adhere to all legislation while considering the brand and ethos of the organisation. It should also take into account the length of time information is retained, how that information is protected - and transparency -with those providing data understanding what their personal information may be used for (indeed, the Information Commissioner’s Office has an open consultation on how best to use Privacy Impact Assessments for this purpose). This is the basic starting point and sets clear boundaries for those using data for commercial gain. Once this is established, it should be shared with the wider organisation, gaining board buy-in and approval from the CHRO and CMO. However, these standards you create may well not be a definitive list and, on occasion, IT professionals will need to consider the implications on a case-by-case basis taking into account the wider impact on the organisation. We’re seeing some organisations introduce a Data Committee. This is an opportunity for the CIO to bring together the CMO, CHRO and legal on a regular basis to discuss all areas of data capture and decide how this can be used in accordance with legislation as well as company policy.
When first establishing data policy, the ‘softer’ skills that many CIOs now look for in their employees will prove their worth as the IT department can take a more holistic view of the data usage and apply this to each area. Openness and transparency with the customers, both internal and external is key; these policies can and will need to change over time.
As the Chartered Institute for IT, we understand the delicate balancing act between Big Data and information assurance. Although legislation goes some way to supporting this balance, it can never truly keep up and enforcement is easier said than done. That is why, ultimately it is the CIO’s responsibility to shape the way their organisation manages these sometimes conflicting areas and ensure that ethically and legally the organisation is sound.