Simplifying data compliance regulations
- Posted on July 31, 2017
- Estimated reading time 4 minutes
The Payment Card Industry Security Standards Council (PCI SSC), for example, publishes a comprehensive list of protective measures (the PCI DSS) so that customers' credit card information is protected and is used only for its intended purpose, viz., payments for goods and services. Although the PCI DSS is a contractual rather than a legal requirement, and smaller merchants and service providers validate compliance through self-assessment rather than a full on-site assessment of every control, its controls protect both the customer's credit card information and the organisation holding it from severe potential liabilities.
Challenges of working with different organisations
When IT operations that include the handling of critical data are outsourced, the CIO's responsibilities double: they must confirm which compliance regulations apply to their own organisation and also decide how to entrust that critical data to a third party. It is understandable that many CIOs would rather run their own shop than go through the tedious process of checking every IT outsourcing supplier's terms and conditions.
As I work with various compliance regulations across the globe, I see a few common elements that apply to most:
- Take reasonable process-related and technical steps to protect critical data. These steps range from standard hiring practices (such as background checks) to having sound information security policies in place.
- Use the critical data only for its intended purpose. While this one seems straightforward enough, imagine an organisation using your customer data to gain insights for itself so that it can target your customers with ads, etc.
- Securely destroy the data on their systems when the project or contract is completed.
Risks of non-compliance
The bodies behind these regulations are also amending them to require prompt notification of any data breach. Non-compliance therefore exposes the organisation to potential fines, lawsuits and, most importantly, loss of reputation.
In October 2016, the details of blood donors in Australia were left in an insecure computer environment and accessed by an unauthorised person, resulting in a data breach. Since the operations of the Australian Red Cross Blood Service depend on privacy-conscious individuals, those individuals will now think twice before agreeing to share their information faithfully with the service. (ARCBS has since apologised and is working with the Australian Cyber Security Centre to secure its operations.)
Yahoo's shareholders lost a record $350 million during the company's sale process when the sale price was cut after Yahoo admitted to two separate breaches of its users' details. The potential losses due to breaches are real and huge.
What you can do to avoid data risks
Understand that IT compliance regulations are set up to protect your organisation. Ignoring them means penalties, risk of losses through security incidents and risk to your brand. I recommend that you:
- Check which IT security compliance regulations apply to your industry and geography.
- Reach out to Avanade through your client executive to set up a discussion about how seriously we take regulation and your IT security.
- Visit the Avanade Trust Center to review our security capabilities.
As with all complex matters, engaging in conversation will help provide clarity. Inaction is, unfortunately, not an option.