How to handle personal data (without getting hacked)

Whether you swapped access to your data for the chance to catch Pokémon or found your email and password in the 500 million leaked from Yahoo, it's likely that in today's world, most of the services you use hold at least some of your personal information.

The problem is whether or not you can trust companies to keep your data secure, from both hackers and government spies. Data breaches are affecting huge, trusted firms on a weekly basis, while governments are forcing organisations to help them spy on people's data.

Dropbox, for instance, has admitted that hackers stole 68 million customers' login credentials back in 2012, while internet service providers may soon start storing your web browsing history, if the government's Investigatory Powers Bill is passed into law.

This is just the start. With the advent of the Internet of Things (IoT), billions of connected devices will make their way into our cars, homes and workplaces.

While having smart devices makes everyday life more convenient, it also provides hackers with new opportunities to break into secure networks and get their hands on our data.

There's no doubt that giving up your personal data helps you get better, more personalised services, and as an IT leader, you'll know just how valuable collecting your customers' information is to your organisation. But it's also vital you retain their trust - and your company's reputation - by keeping it safe.

Our panel of IT experts looks at the best ways to handle people's personal data, and how to protect it from an increasingly dangerous range of cybersecurity threats, too.

What makes personal data valuable to you?

But how do we determine the value of personal data? A good place to start is by looking at what makes data useful.

Gartner looks at this a few different ways, from examining the cost of acquiring that information in the first place, to how accurate it is. But arguably one of the greatest measurements of data's value is its timeliness, which dictates how relevant and accurate it is.

"The value of data, and the protection afforded to it, changes over time," says Paul Saunders, former CIO at the University of Dundee. "For example, a company's financial reports to the Street on the day before they are made public require a much higher level of protection than they do the day after."

Mark Evans, head of IT at construction firm RLB, on the other hand, believes the importance of data's timeliness depends on what you're using it for.

"User data is the springboard for business strategy," Evans says. "From the shoeshine boy setting up his stall near to where there is the greatest footfall and likeliest customers through to Amazon suggesting other 'things you might like', data has always driven business."

"Tracking market trends over years to anticipate future market conditions is something which can only be achieved by holding onto historic data," he points out.

But he adds: "Where data relates to products or services which are no longer on sale, that is probably the point where some retirement of data should occur, however, this is still entirely subjective, dependent entirely on the required outcomes."

What is for certain is that bad data that is inaccurate, too old to serve its purpose, or incomplete, is worse than no data at all, according to Saunders.

"CIOs need to be able to trust the data that they collect," he explains.

Handling increasing volumes of data

Nearly 21 billion connected devices will exist by 2020, Gartner predicts, creating quite a potential headache for CIOs who need to somehow process and store all this information.

RLB's Evans believes analysing and keeping increasingly large volumes of IoT data is only possible in the cloud, calling on-premise alternatives an "unrealistic" option.

"It's obvious to me that cloud has its place in data analysis," he tells IT Pro. "Bearing in mind the security issues ... cloud provides the elasticity which is needed when dealing with ever-increasing datasets."

Saunders, meanwhile, recommends a more targeted approach that lets you set objectives, or ask certain questions, then collect only the data that's necessary to achieve those objectives or answer those questions.

"It's important that an organisation approaches the use of data from a strategic perspective," he says. "What are the main strategic goals of the organisation? What business problems are we trying to solve? What data would help us solve that? How can we combine data from a variety of sources to glean information that we may not have otherwise acquired?"

Do you need a data scientist?

Perhaps a better question to ask is, do they really exist? Data management is a complicated and technical job, but one that is crucial to most businesses' revenues, with data analysis becoming integral to their strategies. Consequently, RLB's Evans says data scientists who can "walk the walk" are getting harder to find, and IDC predicts that tech skills shortages will extend to data scientists and data management experts by 2020.

"Any skillset which has a scarcity value will generate CVs which owe more to 'Alice in Wonderland' than to reality," Evans adds.

"The problem is, people who are hiring data analysts often don't share a vernacular and sorting the wheat from the chaff is extremely difficult."

Perhaps a better approach is making the data easier to understand, and extending access to regular end users. IDC believes so; it predicts that over the next four years, spending on self-service data visualisation tools will be two and a half times as high as outlay on other IT tools.

Saunders agrees, saying: "Talented data scientists are few and far between so CIOs need to look at leveraging talent from across the organisation and provide business friendly tools and easier access to data to enable non-IT teams in the analysis and usage of information."

Former Hampshire County Council CIO and BCS president, Jos Creese, is sceptical of this growing trend, though.

"Research that talks about the 'democratisation of data analytics' without considering the risks is just naïve," he states. "We need to put in place protection and control as we become increasingly transparent to governments, corporations and anyone else with an interest in finding out more about us."

The risks of holding personal information

If personal data is valuable to your organisation, it's valuable to hackers, too. Those who manage to break into your systems and get hold of the data you're supposed to be keeping safe can sell it on the dark web to the highest bidder.

Or they might exploit its value to you: ransomware attacks, in which hackers lock users out of entire computer networks until a ransom is paid (usually in Bitcoin), are becoming more prevalent. Intel Security reckons ransomware attacks have increased by 3,000% since they were first spotted in 2012.

Saunders warns that as more and more IoT devices create more and more data, they also create more problems. "As the data sources grow from structured to unstructured and IoT [gets bigger], the potential threats from the data grow along with the potential value," he says. In short, with reward comes risk.

One of the threats you should be aware of is jigsaw identification, according to Creese.

"The real risk lies in the connection between different data sets about us," he says. "The capacity to correlate data will be immense and our devices are no longer the products, we are."

Leaking such a level of detail of a customer would be catastrophic, especially after the EU's General Data Protection Regulation (GDPR) comes into force in May 2018 (following Brexit, the UK is expected to adopt similar rules to the GDPR).

This will introduce a maximum fine of 4% of a company's annual turnover, or up to €20 million, for data breaches.

How to protect personal data

These stricter data protection laws mean it's more important than ever to protect customers' data.

Creese says: "The GDPR will significantly change EU data protection law. This is no longer a topic purely of concern to IT professionals and lawyers. CIOs and information specialists need to ensure that all business leaders across public and private sectors understand the business risks and the liabilities and take effective measures to protect their customers, suppliers and their own business interests."

With that in mind, how do you go about strengthening your organisation's security so hackers can't get in?

Both RLB's Evans and Dundee's former CIO, Saunders, believe it's about having robust policies and frameworks in place governing exactly how data is handled.

"Have strong, well-policed, well-publicised policies on usage of data and widely-known - and implemented - sanctions for anyone breaking the policies," says Evans. "Use the readily-available tools to protect the data and keeping an eye on ... using data responsibly and not playing "fast and loose" with valuable information, which can either make or break the organisation."

According to BCS, good governance covers ensuring there is accountability for data usage from the board to the person responsible for the policy, giving customers visibility of what data you have on them, ensuring you have customer consent to hold this data, and being open about what you're using it for. But the bottom line is, you should spend time ensuring your data usage policies are up to date (especially with the GDPR), and provide a clear set of guidelines for your organisation on who can access what data, and what they can do with it.

Saunders adds: "CIOs need to build technical and governance frameworks that foster the use of a wide variety of data sources in a secure way."