Managing Data for Privacy and Security

The rising use of digital technologies and the Internet during the past decade has led to a dramatic explosion in the collection and use of personal data by government agencies and businesses. For the most part, the information has been leveraged in ways that make people's lives easier and more productive. Businesses throughout the world now routinely conduct important business transactions and trade data with business partners over public networks. And a growing number of consumers are banking, shopping, booking travel arrangements, updating account information, and filing taxes -- all without leaving their offices and living rooms. And yet there is a growing concern about data proliferation. Coupled with the burgeoning list of privacy and security compliance restrictions (i.e., the Gramm-Leach-Bliley Act, Health Industry Portability and Accountability Act, National Do-Not-Call Registry, and Sarbanes-Oxley Act), there is little doubt organizations among every government and business sector must look at additional ways to ensure the privacy and security of customer data. Data Problems that Endanger Security and Privacy Many data-privacy and -security problems occur due to the proliferation of inaccurate data maintained by the growing number of private, corporate, and government organizations. With the rise of (and reliance on) the Internet, the volume of data has increased dramatically, but the quality and accuracy has actually decreased. Industry analysts report extremely high degrees of inaccuracy in files maintained by credit bureaus, collection agencies, health providers, and direct mail services. Unfortunately, inaccurate data that is erroneously released or shared can negatively impact people's privacy and damage reputations. Security and privacy can also be compromised by any alteration of data that takes place as a result of activities such as format conversions or system migrations that increase the likelihood of errors and inaccuracies. In-house systems that attempt to integrate customer data with basic CRM systems are susceptible because data must be moved and/or stored in large databases, rendering data vulnerable to theft or loss of integrity. Organizations and businesses that share data by sending extracts from their systems face an increased risk of exposure anytime they send information beyond their network firewalls. You need a system in place to manage who is allowed access to data and what subset of the data each person sees. One of the most important measures an organization can take to maintain privacy and security of data is to use technology to institute and enforce a minimal-use principle for data access: People only have access to the data they need to execute their tasks -- no more and no less. To address these challenges, many organizations are implementing customer data integration (CDI) solutions, which allow them to leverage customer information to their best advantage, while securing and managing data to ensure that rules and policies governing privacy and security are respected and followed. Comprehensive CDI systems identify, link, and synchronize customer information across systems, sources, and external lists to create integrated customer data from disparate applications and data sources. CDI systems access and compare similar records about a specific customer, eliminate duplicates, evaluate possible errors, and link them to form a single, accurate version of a record, which can help improve customer service, streamline business processes, and enhance delivery of services. CDI "Must Haves" Businesses and organizations in the process of evaluating CDI systems should look for a solution that provides the best method for collecting and managing private data in a secure, sensitive, and trustworthy way. Essential features and capabilities include:

• Central Notification Control: This provides the ability to configure and manage notices sent to users attempting to access personal records; and enables enforcement, auditing, and verification during the data-notice process.
• Opting In/Out: The CDI system should be able to enforce opt-in/opt-out rules regardless of the platform used to gather preferences; it should support flexible privacy models (i.e., contact point or individual); and it should support age as a criterion for Children's Online Privacy Protection Act enforcement.
• Customer Accessibility: Organizations must be able to pinpoint exact locations of all customer-related data in order to provide individuals with access to their data within a reasonable period of time. Capabilities that assist in this process include: real-time search capabilities for finding all data and providing a complete, composite view; flexibility to decide how data can be viewed; and a method for finding both structured and unstructured data.
• Security for Stored and Shared Data: CDI solutions that allow local storage of data enable individual divisions within an organization to retain control of their own data. Such solutions also enable administrators to define the extent of viewable data with a very high degree of specificity; administrators can decide at the row and attribute levels who can see what kind of data. Federated CDI models encrypt data in databases and logs, and support encryption (or "hashing") of data from source systems, enabling secure data-sharing between trusted partners.

A CDI system must know where all of the data in the enterprise resides so that it can examine individual records and enforce appropriate security and privacy rules. With this awareness, the CDI system can centrally manage and enforce policies regardless of where the data has been collected, generated, used, and stored. This capability enables the system to serve as the foundation for comprehensive security and privacy control within an entire enterprise or organization. About the Author Scott Schumacher serves as chief scientist at Initiate Systems where he is responsible for R&D of Initiate's matching algorithms and the overall management of product development. Initiate Systems is a leading provider of customer-centric master data management (MDM) solutions. Scott can be reached at sschumacher@initiatesystems.com.

Related Articles

IBM Acquires MDM Player Initiate Systems

After weeks of rampant speculation -- and just six days after Informatica and Siperian dashed to the altar -- IBM and Initiate finally tie the knot, adding yet another variety of master data management to Big Blue's arsenal, and extending its reach into the healthcare and public sectors.

“The Internet Is Still the Wild, Wild West”

AOTA '08: Security is nascent and consumers are still hesitant to make an online transaction. What will it take for the Internet to be a place where everybody knows your name—and it's OK?