Are Companies Safeguarding Their Customers’ Personal Identifying Information?

As data privacy concerns and supporting regulations escalate, are companies really prepared to ensure protection of their customers’ personal identifying information (PII) and to quickly and accurately report a breach should one occur?  WinMagic recently conducted a survey of IT decision makers in the U.S., UK, France and Germany to assess their companies’ capabilities in these areas – and the findings should raise some red flags.

Here’s a snapshot of some of the overall discoveries:

  • 54% of companies surveyed could not say all PII was protected through anonymization and encryption in all digital locations.
  • Just over half of the companies surveyed (52%) are completely confident that they can report a data breach to the authorities within 72 hours of discovery. And only 55% are “completely confident” they have systems that could identify a breach originating from an external source.
  • Companies also admitted they cannot easily identify the data obtained in a breach. Less than half (46%) are confident that they could precisely identify the data that had been exposed in a breach.
  • Only 41% of companies could say that data is automatically geo-fenced “every time” on servers, so it cannot be moved outside of the legal jurisdiction in which it resides.
  • Companies audit the security standards of fewer than half (48%) of their business partners’ storage locations.
  • Slightly more than half (54%) of companies check on every occasion whether a customer has given permission for records to move between data processors, such as suppliers and business partners, before moving data.
  • For those organizations that use cloud-based services for their data, just 41% reported knowing the physical storage location of the data at all times.

This should be a wake-up call for businesses, as the findings demonstrate areas of weakness that represent potential data loss and non-compliance risks.  How can companies start to address this?  Following are three recommendations:

  1. Assess what, where and how all PII – including names, passwords, ID numbers, location data, online identifiers, etc. – is stored, processed and transferred, both within and outside of your organization. Make sure you know this for every department, including HR, legal, IT and marketing.
  2. Establish a clear framework for accountability and compliance when it comes to data protection. Your business may warrant hiring a Data Protection Officer and/or conducting a Data Protection Impact Assessment to monitor and determine the impact of data processing operations on data privacy.
  3. Use techniques like anonymization and pseudonymization, and security technologies like encryption, to minimize the amount of PII that is accessible in readable form and to support regulatory compliance.
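
As an added illustration of recommendation 3 (this is example code, not from WinMagic or the survey report), the sketch below pseudonymizes a constructed set of customer records: direct identifiers (name, e-mail) are replaced by keyed HMAC tokens, a quasi-identifier (postcode) is generalized, and a check confirms no raw identifier remains before the data is passed on. The field classification and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer records (not survey data).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "postcode": "SW1A 1AA", "order_total": 120.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.org",
     "postcode": "EC1A 1BB", "order_total": 42.00},
]

# Hypothetical field policy: direct identifiers become keyed tokens, quasi-identifiers
# are generalized, everything else is passed through unchanged.
DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = {"postcode"}


def pseudonymize_value(secret_key: bytes, field: str, value: str) -> str:
    """Return a stable, keyed token for one field value.

    HMAC-SHA256 rather than a bare hash: without the key, someone holding the token
    set cannot confirm guesses by hashing candidate e-mail addresses themselves.
    The field name is mixed in so the same string in two columns yields two tokens.
    """
    msg = f"{field}:{value}".encode("utf-8")
    return hmac.new(secret_key, msg, hashlib.sha256).hexdigest()


def generalize_postcode(postcode: str) -> str:
    """Keep only the outward code (the part before the space) of a UK-style postcode."""
    return postcode.strip().split(" ")[0].upper()


def pseudonymize_record(record: dict, secret_key: bytes) -> dict:
    """Apply the field policy to a single record and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = pseudonymize_value(secret_key, field, str(value))
        elif field in QUASI_IDENTIFIERS:
            out[field] = generalize_postcode(str(value))
        else:
            out[field] = value
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Guard to run before records leave the processing boundary (e.g. to a partner)."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def pseudonymize_dataset(records, secret_key: bytes) -> list:
    """Pseudonymize every record and refuse to return output that still carries raw PII."""
    out = [pseudonymize_record(r, secret_key) for r in records]
    if any(contains_direct_identifiers(r) for r in out):
        raise ValueError("direct identifiers survived pseudonymization")
    return out


if __name__ == "__main__":
    # The key must be stored separately from the data (in practice a KMS or HSM);
    # whoever holds both key and tokens can re-identify, so the key is the control point.
    key = secrets.token_bytes(32)
    for row in pseudonymize_dataset(SAMPLE_RECORDS, key):
        print(row)
```

Pseudonymization of this kind is reversible by anyone who holds the key and the original values, so it reduces exposure of the working dataset rather than anonymizing it; the key, not the tokens, is what has to be protected and kept out of the data's storage location.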

Click here for more information on how you can protect your customers’ and company’s data.  For a copy of the survey report, which details the findings with a focus on EU GDPR readiness, please click here.
