There was a time, when absolute discretion was an important maxim in the relationship between a liberal professional (doctor, banker, solicitor, architect etc.) and their clients, but times have changed, and are continuing to transform at an ever increasing pace.

In spite of everything, abuse of confidential data isn’t what it used to be, and one can never be too careful in the globalised world of ever increasing speed, complexity and controls, where some people might even consider selling their granny for a game box.  When it comes to confidential data, then the facts of life are simple: if you neglect it, misuse it, or otherwise sell it, lend it, or lose it to 3^rd parties, who have no legal right to access it, either knowingly or not, be prepared for a very bumpy ride.

Clearly, we should all know that corporations have a duty as well as the obligation to protect individuals against the misuse of their personal information, and this can be a very complex undertaking, but do we really know what we are supposed to know about how we use the data that we are responsible for?

The responsible use of corporate data is not just about implementing statutory requirements: it has become an unavoidable quality issue for management.

People who understand the issues of confidential data, and who are aware of the consequences of corporate laxity in connection with data protection, will recognize that the importance of data management and data protection cannot be overstated. For example, all businesses within the European Union, Switzerland, the USA, and elsewhere, have implicit and explicit obligations regarding how they manage and protect the controlled use of personal and identifying data.

Apart from the relevant ethical and commercial considerations that must influence the full care and attention in the handling of sensitive data, especially data that identifies an individual or corporate legal entity, there are a number of legal ramifications concerning the way in which data can and cannot be used. It is true that the laws governing data protection vary from country to country, but there is certain commonality of focus between the various ways that the protection of data is typically viewed.

Exposing personal and confidential data in a public way, and without permission, is of course a violation of data protection law, but data protection covers a much broader range of issues, including the use of data for test purposes.

Companies should be aware of the fact that the use of data in system development, testing and training, must be carried out within the terms of the respective data protection legislation.

However, many businesses are not so aware of the fact that using certain data for development and testing requires the same degree of compliance, in terms of its controlled use, as at any other time.

Typically, Data Protection legislation covers all data held by companies by which individuals may be identified. This includes simple data items such as: names, addresses, and telephone numbers – as well as more sensitive data types such as: personal, health, or financial information.

A recent industry report in the UK for example indicated that over 40% of IT departments in UK companies are using live customer data as test data. Under the current Data Protection Act in the UK, a company ‘can only use data for the purpose for which it was collected’; which does not exclude development or testing, not even Data Warehouse, Business Intelligence or Big Data development and testing.

It is frequently and falsely believed, for example, that data warehouse development and testing poses no real data protection problems or issues, as it typically takes place with little appreciable loss to any of the individuals or entities identified by the data. However, the use of “production data” for testing can lead to issues of non-compliance with existing legislation, and in some cases, could potentially lead to the imposition of monetary fines and imprisonment, with all the attendant fallout in terms of loss of goodwill, damage to image[1], loss of stakeholder value, and so on and so forth.

Most importantly of all to remember is this: even if there is even the slightest risk of the data being held by your company getting out into the public domain, or being conveyed to a unauthorized third party, your company becomes greatly exposed in a number of ways, and this risk cannot be overemphasized, as failure to comply with Data Protection legislation can result in serious consequences.

For example, there may be many instances where test data is taken off site, or printed out (business intelligence reporting) as part of the test process. If this happens, even with a high level of corporate security, there remains a risk of accidental (but nonetheless prosecutable) misuse of data.

So, consider this the next time you think it’s okay to provide any sort of personal identifying data (and it really means all and any identifying data) to an external organisation, whether on-shore or off-shore. It may just get you into hot water, with a hefty fine and even a spell in the Grey Bar Hilton.

[1] As well as official and judicial measures, companies infringing data protection legislation run the risk of negative publicity, potentially causing customers, employees and business partners to lose confidence in the way their data is handled by the company in question.

---

File under: Good Strat, Good Strategy, Martyn Richard Jones, Martyn Jones, Cambriano Energy, Iniciativa Consulting, Iniciativa para Data Warehouse, Tiki Taka Pro