Data Request - The Burden with Benefits

Rhys Macfarlane, Chief Security Officer at Luxury Escapes.

Rhys Macfarlane, Chief Security Officer at Luxury Escapes.

We live in an age where the value and importance of personally identifiable information, or PII data, cannot be understated. Our digital lives are built upon these pieces of information, and, in some cases, they are the keys to verifying our identity. And yet, these pieces of information must be used; they must be given to companies, or else we cannot use their services and properly engage in our digital world. We cannot just lock them away, safe and secure, and go about life as normal. For this very reason, the raft of data protection regulations, the most prominent of which would be the General Data Protection Regulation, or GDPR, was brought into effect. While these regulations are a great development and one, I believe we needed to have; the burden upon companies has been significant and appears to be increasing over time.

The foundations of many of these regulations are basic security fundamentals, and they have done an excellent job at bringing information security considerations closer to the centre of most businesses. Companies are now rightly considering information security and data protection as a fundamental aspect of their business and one that must be considered at every possible juncture. It probably won't surprise anyone when I say I believe this was not always the case at every company and that not so long ago, we information security specialists were viewed as a somewhat annoying voice which nobody really wanted at the party. In this way, the regulations have brought in a very important shift in the mindset of modern corporate thinking. In some cases, this required some businesses to spend time and money improving their standards, as they should do perpetually; this is not the specific area I wanted to dive into. Rather, I want to talk about the burdens brought about by data access requests, removal requests and alterations.

Now do not get me wrong, while I refer to these requirements as burdens, I think they are the correct move for businesses and the correct move morally. We, as companies, do not own this data; it belongs to the individual. When the individual sends us their data, we should view this as a temporary trust in us. This trust is something that the individual can, as the owner, revoke at any time. I am confident we will see this happening more and more as the population continues to understand the value of their data. When they want to engage with a company, they will entrust their data to it; when they decide to move on, they will take their data with them. But what does this mean for the company? This means we must become very efficient at responding to these requests and scrubbing our databases when required. New developments, such as in-app data removal request requirements, have seen the level of these requests rise, and I believe such developments will continue.

As a collective, we have been forced to bring in entirely new functionality to our businesses, which, if done incorrectly, could have significant implications for the data owners and our companies. Get it wrong and you're going against the data owners' wishes, and these regulatory bodies will let you know about it. I am sure I do not even need to specifically reference the kinds of monetary fines a company is looking at nowadays, as we've all seen and read the stories of when other companies have paid these prices.

The ability to go in and remove or de-identify data in every database or section of a company is not always easy. Doing so when companies receive hundreds or thousands per month will be a significant uphill battle. As with all areas of tech, products are popping up to help in this new area; one I have found particularly useful has been Snippii.com, an automated customer response, internal checklist and tracking tool. After using this product for a while, something occurred to me: these requests are not only good for the individual but also useful for companies. Not only do removal requests clean up our lists and lower our exposure to potential breaches, but they are also an amazing indicator of how your customers are responding to your business behaviour. Being able to see on a macro scale how many requests you receive over time can be a piece of the puzzle when deciding what your customers liked and didn't like. Did you bring in a new marketing style in April and noticed a spike in removal requests in April and May? Did you bring in a different product offering and noticed your removal requests dropped right off in the following months? As with all things, people vote with their feet, to use an old idiom, and these data requests are people voting with their cyber feet. We would all be wise to pay attention to these movements and tailor our businesses around what we can see.

Yes, these requests are a burden on companies, and yes they will most likely increase over time, but that doesn't mean they are bad for business. Looking at it in a glass half full way, these requests are an amazing insight into our customer’s way of thinking and responding to our brands. But all those points aside, it is our duty as responsible companies to protect a customer's data when they trust us with it and respect their wishes when they would like it returned to them.