Data protection: An effective security solution to excessive regulation

By the Risk Performance and Technology group

Original version published in Finance et Investissement.

A new European law, the General Data Protection Regulation (GDPR), has been in effect since May 25, 2018. On the very day it took effect, complaints were filed against Facebook and Google, and a number of American news sites reacted by blocking European visitors from their websites altogether.

Not sure what I’m talking about? I’m referring to requests for consent concerning your personally identifiable information (PII) that you receive when visiting your favourite websites. Many people have asked me: “How can we manage so much regulation?”

Back to basics!

The risk of non-compliance has been around since laws were first enacted. In the time of Moses, for example, anyone breaking one of the Ten Commandments incurred the risk of being struck by divine lightning or being barred from paradise on leaving this earth. It all depended on their individual beliefs. The same goes for the GDPR, the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA) in that you can choose to take the risk of not complying.

There are only four ways to manage this sort of risk: accept it and live with the potential penalty; reduce it by investing time or money in controls; transfer it, for example by taking out insurance (in the case of regulatory non-compliance, insurers will rarely agree to cover you, and if they do, the premium will be very high); or, lastly, eliminate it.

Yes, it is indeed possible to do away with a risk entirely. In the case of non-compliance risk, elimination is the best option, or at least the most effective and the least expensive one in the long run.

Eliminating risks

A risk is the potential loss of a quality of an asset (availability, confidentiality, integrity, flexibility, mobility, etc.) resulting from the asset's exposure, through a deficiency, to a threat agent. Take a house fire as an example. The assets are the house and its contents, the threat is a grease fire, and the exposure (the deficiency) is the absence of a responsible adult watching over the stove. Eliminating the risk means eliminating the asset, in this case the house: if you do not own a house, you are exposed to neither this hazard nor its potential impact.

I trust you are starting to understand where I’m going with this, and I’m sure some of you are thinking this solution is simply not applicable because it’s just too extreme. Well, do take some time to mull this option over, because it is viable.

Most of the data that force a business to institute compliance practices are not capital assets at all: they are by-products of the real business process and therefore of little use to it. We have simply never learned not to collect such data.

In fact, the dematerialization of information and the convenience and sheer expansion of digital data storage have resulted in information overload.

We collect too much information.

For example, does a bank truly need to know your social insurance number for every product it offers? Generally not, so why ask for it by default? Information overload, that's why. This information cannot be monetized, yet the mere fact of holding it presents yet another risk of loss or theft.

According to an annual study by the Ponemon Institute, each record compromised in a data breach in Canada, whether lost or stolen, costs the organization over $250 on average, and the items of information held about each individual do add up.

The more information you have about an individual—say a client, partner or employee—the costlier the file as a whole.

Thus, by that measure, if you hold 20 different pieces of identifiable information on an individual, that one file will cost you more than $5,000 in the event of loss or theft. How many clients and employees do you have?

Accordingly, the less needless information you gather, the fewer restrictive rules you will need to comply with and the less expensive an eventual data breach will be.

The GDPR gives European residents the right to have companies obtain their consent through a clear affirmative act (and "explicit" consent for the most sensitive categories of data), the right to have their personal data erased, the right to receive the personal data they provided in a portable form, the right not to be subject to decisions based solely on automated processing, including profiling, and the right to be informed without undue delay of a data breach that is likely to put them at high risk. PCI DSS is the industry standard, set by the council founded by VISA, MasterCard, Discover, JCB and American Express, that governs the protection of payment card data; it is imposed by contract rather than by law. HIPAA, for its part, is the U.S. law that protects individually identifiable health information held by health care providers, health plans and their business associates.

Remember that jotting down regulated information on a piece of paper is data collection in its own right, subject to the same obligations.

The solution is to start analyzing your information-gathering process in order to streamline it. If you do not need a particular piece of information, do not collect it. And do not design around the exceptional case, the "we might need this if such-and-such happens," as that compels you to collect information that is potentially regulated but of no use to your business process. You should have a data map, or an architecture diagram, showing where you store regulated information about third parties: information you do not own but are required to protect. Reduce your legal and security liability by limiting the information you gather and streamlining its processing. In doing so, you will also make yourself a less attractive target for cybercriminals.