teissTalk: Quantifying and qualifying the value of your data

teissTalk host Geoff White was joined by  Veroniki Stamati, Information Security and Privacy Engineering Lead, Skyscanner as lead guest; Craig McEwen, Chief Information Security Officer, Anglo American; and Andrew Rawlins-Catterall, Group Data Protection Officer, VDS Insurance.

Views on news

In the wake of the former Security Shield being ruled invalid by the Court of Justice, there have been intensive negotiations between the EU and the US to decide what it should be replaced with. A new episode in the tussle has been when Facebook included a threat in its annual report to the SEC to pull down its two most popular social platforms in the European Union unless it can continue to be regulated by SCCs (Standard Contractual Clauses).  The panel agreed that the threat is to strengthen Meta’s negotiating power and the danger of Meta leaving one of its most lucrative markets is rather slim. A quick teissTalk survey, however, suggested that a number of data security experts (more than two-third of the teiss audience) would breathe a sigh of relief in case they could stop worrying about the data security implications of these two platforms. Chances are that Facebook will eventually retreat the way it did when the introduction of Apple’s App Tracking Features dealt its ad business a blow.

Communicating the risk of data loss to the Board

Challenges for data protection professionals include the task to keep up not only with new regulations but also with the pace at which the value of data changes. Take, for example, the functionality that lets you gain actionable insights based on the bits that a customer hovered over on your website. Having this feature could help booking platforms tide over the worst months of the pandemic, while, from a data privacy point of view, it can be problematic, as it involves placing information on the user’s computer. Another example is the pattern analysis functionality of the Vet-safe platform, which analyses what has gone wrong with individual cases and how they could have been averted – a very important feature which has far-reaching data protection implications. But less sexy issues such as tapping in one wrong digit can also have devastating effects on data integrity.

The Board’s role here is to be aware of where the business’s data crown jewels are and ask the right questions about what will happen if the company loses some of its data. But, more importantly, they also need to put operational resilience in their focus and have an understanding of how quickly the organisation can recover if an incident happens and what the onward effects are. Since Policy Statements on Operational Resilience has been released, the identification of a company’s IBS (Important Business Services) is not only a nice tool for making a business continuity plan but an imperative. For management to make the right investments, it’s key they are fed information about whether a continuity plan, the right safeguards and insurance are in place. Sectors outside banking and finance have less responsibilities when it comes to KYC. However, for platforms with embedded payment functionalities it’s a more challenging exercise.