Privacy and Compliance: Who Owns the Data?
The Data
Who owns the data held in an organization's computer systems, the organization or its customers? Executive management is responsible for the oversight of information systems and the data they hold. That data is usually a mix of information the organization owns and information obtained from external sources, such as its customers.
When a security breach occurs, the question of ownership determines whose information has been compromised. When the organization's proprietary information (e.g. financials, intellectual property) is compromised, it is the organization's data that has been lost. When a customer's personally identifiable information (PII) is disclosed to unauthorized parties, it is the customer's data that has been lost, even though the organization was holding it.
The Bank Vault
Executive management should view their information systems as a bank vault in which the organization is the custodian of customer data. The customers own their data; the organization holds it on their behalf and is only a custodian.
As a custodian, it is the organization's role to keep customer data in safekeeping. Safekeeping and privacy compliance obligations include minimizing the risk of theft or loss, whether the information is in physical or electronic form.
As the number of data breaches has increased, various laws and regulations have been enacted to protect the privacy of individuals and their information. Before these privacy compliance requirements existed, many organizations did not allocate sufficient resources to protecting customer data, and information collected from customers was shared with outside parties without the customer ever being informed.
Security Controls
Since information systems face a variety of risks (e.g. compliance risks, unauthorized access), executive management should perform a risk assessment to identify their assets and the threats to those assets. Once the assets and threats have been identified, preventive controls (e.g. access controls, encryption), detective controls (e.g. logging and monitoring), and corrective controls (e.g. incident response, backups) are implemented to reduce the identified risks.
Once your organization's controls are in place, engage a certified auditor to review them for sufficiency and effectiveness. For more information please see: