Positive encouragement – promoting data hygiene in a world of data privacy

By Jasmit Sagoo, senior director, Head of Technology UK&I, Veritas.


Complying with data privacy regulations is key to customer satisfaction. Regardless of companies’ legal obligations, customers are more likely to do business and share their precious data with brands they trust. Almost two-thirds (62%) would stop buying from a business that fails to protect their data, while 59% would spend more on brands that take good care of it. Ultimately, playing fast and loose with personal data breaks the contract between customer and business. Poor data hygiene is bad for business, threatening the foundation of the customer relationship and the organisation itself. 

  
Data hygiene defines how a company treats its data. It describes how data is managed and organised, whether it’s properly classified, stored and protected. Data hygiene also relates to employees and practices; a worker who neglects to store sensitive customer data in a secure location could be accused of poor data hygiene.  
  
It is in a company’s interest, reputationally and commercially, to promote data responsibility. However, data hygiene isn’t something that can be achieved overnight. It needs a clear strategy, strong processes and constant attention to ensure standards don’t slip. A high level of data hygiene has two equally important facets: cultural and technological. Employees must have both the desire and the technical capabilities to protect their customers’ data and their company’s reputation.
  
With great data comes great responsibility 
  
Coming into force last year, GDPR empowers consumers and obligates companies to do everything they can to protect customer data. Failure to comply can result in steep financial penalties and a considerable loss in customer trust. However, it’s one thing to put a compliance policy in place, and another thing entirely to see it through and ensure it is honoured.  
  
Compliance won’t work unless your workforce is engaged and on board. Employees are usually the weak point in a company’s data security posture. According to a 2018 Ponemon Institute report, 60% of companies that suffered a data breach blamed employee or contractor negligence. A lack of security awareness or motivation can easily spiral into poor data hygiene: failing to carry out regular data clean-ups, saving sensitive information on personal devices, and leaving important data in unprotected environments.
   
The ramifications of bad data hygiene can go far beyond the offender, potentially jeopardising the future of the entire company. One of the more surprising outcomes of GDPR is how it’s encouraged consumers to take control of their data. After one year of the regulation, fines have been muted but we’re beginning to see a real rise in data access requests across key sectors. Once a request has been made you have only a month to comply, which can be highly difficult if the data you are investigating has been lost in your system or incorrectly tagged.  
  
Yet the danger here is greater than it at first seems. It would be very easy for a disgruntled customer or employee to weaponise the right of request to damage a business or a brand. For example, an ex-employee who has been fired or passed over for promotion can force the company to share all the information that went into making that decision. The requester is perfectly within their rights, but a delay or inability to respond – as the relevant data cannot easily be found – only adds to the headache and danger faced by companies who do data management poorly. 
  
Leaving data disorganised also makes it vulnerable, opening it up to potential bad actors and exponentially increasing the chances of a highly damaging data breach. All it takes is for a single employee to click on the wrong email attachment for your network to be infiltrated. Sensitive customer information – medical records, bank details or home addresses – is then ripe for the taking if poorly protected. 
  
Besides potential financial penalties under GDPR, the damage caused by a data breach can be far more invasive and long-lasting. When taking into consideration fines, legal fees, reparations and the scale of the breach itself, total costs can vary wildly but often stretch into millions in losses. Harder to quantify is the damage done to customer trust which, once broken, is difficult to repair. US hospitals, for example, are forced to spend 64% more on advertising for two years following a breach. It’s clear that poor data hygiene can endanger a company’s credibility and put precious market share on the line.  
 
The carrot-and-stick approach 
  
It’s easy to blame employees for bad hygiene, but it’s often merely a symptom of a wider lack of company leadership around taking care of business data. Data responsibility has to permeate every level of an organisation, from top to bottom. Yet it’s company leaders who decide the data policies and put them in place. In the same way businesses are responsible for their customers’ data, they are also responsible for their employees’ behaviour. They have a duty to ensure good data practices are followed by all.
  
Fortunately, companies are starting to take their data responsibilities more seriously. Veritas research shows they are driving change through adding compliance provisions to employee contracts, disciplining bad hygiene and educating employees on the benefits of compliance. Businesses are also incentivising good data behaviour, making it a part of the appraisal process and giving benefits to those who act as good examples.    
  
An approach that rewards good behaviour and punishes the bad is a good place to start, but organisations also need policies that enable data hygiene as a daily habit – not just for when the employee thinks someone might be watching. Bad data hygiene isn’t always the result of laziness, but is often created by the struggle to keep data organised in today’s complicated, fragmented IT environments. A more practical consideration is to ensure employees have the right data management tools to aid compliance efforts.
  
Data is difficult to safeguard when it’s spread across a multitude of different IT environments. When it’s siloed, data is easily forgotten, excluded from the latest security policies and becomes vulnerable to attack. Employees would benefit from a single, centralised data management platform, helping them understand what data they have and where it’s located. This would also ensure employees have access to data whenever it’s needed – such as when a subject access request has come in – and can protect it under a single, consistent set of policies.  
  
Good data hygiene also demands that, should anything go awry, data is recoverable, so reliable backup solutions are critical to ensuring nothing is lost. Tools like these disarm data, limiting its risks while enhancing its benefits: they make it easier for you to use data, rather than have data be used against you.
  
Good data hygiene is not easy to achieve, but it’s increasingly necessary. To compete in a marketplace where trust is a valued commodity, businesses must prove they are responsible with customer data and meet their data requirements. Ultimately, this can only be achieved by giving staff proper encouragement, incentives and the capabilities to manage and organise it. The reward for those companies who take pride in their data hygiene will be improved customer loyalty, increased revenues and the mark of competitive differentiation. In business, data cleanliness is next to godliness.  
