Gartner predicts that by 2019, 90% of organisations will have personal data on IT systems that they don’t own or control.
Organisations should create a privacy program that keeps personal data at arm’s length, but under control, the IT research and advisory firm says.
Organisations have traditionally been the target of security threats, and until recently, those hackers focused on attacking vulnerable IT infrastructure.
As protection for such infrastructure improves, the attackers’ attention shifts to softer targets, such as employees, contract workers, customers, citizens and patients, Gartner says.
“As the amount of personal information increases multifold, individuals and their personal data will increasingly become a security target. And, yet in most scenarios the organisation is still ultimately accountable for the personal data on its IT systems,” said Carsten Casper, research vice president at Gartner.
“The time has come to create an exit strategy for the management of personal data. Strategic planning leaders will want to move away from storing and processing personal data in the next five years.”
“The PCI Data Security Standard (DSS) requires the implementation of stringent controls on those who collect and store credit card data. In response, many companies have decided to eliminate credit card data from their own systems and completely entrust it to an external service provider,” said Casper.
“The same could happen with personal data. If control requirements are too strong and implementation is too costly, it would make sense to hand over personal data to a specialised ‘personal-data processor’.”
Gartner has identified the following steps to prepare for such a strategy:
- Create a policy that draws a clear line between data that relates to human beings and data that does not.
- Put a fence around personal data. Once personal data has been located, it needs to be protected. Encryption is the most widely used protective control.
- Favour purpose-built over general-purpose applications.
- Adhere to privacy standards, or create your own. Privacy standards simplify control frameworks, audits and information exchange, especially in scenarios where many players and stakeholders are involved.
- Let logical location take precedence over physical and legal location.