Data Administrators: Protecting Customers’ Privacy
By Scott Schumacher — September 2007
With increasing security risks and ever-expanding lists of privacy and security-compliance restrictions, data security and privacy are top needs at all businesses today. To address these challenges, many organizations need data administrators who can implement customer data integration solutions.
The rising use of digital technologies and the Internet during the past decade has led to a dramatic explosion in the collection and use of personal data by government agencies and businesses.
For the most part, the information has been leveraged in ways that make people’s lives easier and more productive. Businesses throughout the world now routinely conduct important business transactions and trade data with business partners over public networks. And a growing number of consumers are banking, shopping, booking travel arrangements, updating account information and filing taxes without leaving their offices and living rooms.
But although electronic use of information provides numerous benefits, it also poses various risks. Today’s headlines, with their disturbing accounts of identity theft and security breaches, underscore the dire consequences of electronic communications and electronic data sharing.
Moreover, the increasing frequency of negative publicity has heightened public awareness of the security and privacy risks associated with the Information Age.
The growing concern about these threats and the burgeoning list of privacy and security-compliance restrictions are two important reasons why organizations in every government and business sector must take steps to ensure the privacy and security of customer data.
To address these challenges, many organizations need IT professionals who can implement customer data integration (CDI) solutions, which allow them to leverage customer information to their best advantage while securing and managing data to ensure the rules and policies governing privacy and security are respected and followed.
Data Problems that Endanger Security and Privacy
Many data-privacy and security problems occur because of the proliferation of inaccurate data maintained by the growing number of private, corporate and government organizations. With today’s rise in the use of and reliance on the Internet, the volume of data has increased dramatically, but its quality and accuracy have actually decreased. Industry analysts report extremely high degrees of inaccuracy in files maintained by credit bureaus, collection agencies, health providers and direct mail services. Unfortunately, inaccurate information that is erroneously released or shared can negatively affect people’s privacy and damage their reputations.
Security and privacy also can be compromised by any alteration of data that takes place as a result of activities such as format conversions or system migrations that increase the likelihood of errors and inaccuracies. In-house systems that attempt to integrate customer data with basic customer relationship management (CRM) systems are susceptible because data must be moved and/or stored in large databases, rendering that information vulnerable to theft or loss of integrity.
Organizations that lack systems to manage who is allowed access to data and what subset of the data they see also expose themselves to increased security risks. A business that grants unrestricted access to every employee experiences more data misuse than a company that implements a tiered access policy. Easy access to information stored in large databases can result in unauthorized disclosure of private information.
In addition, organizations and businesses that share data by sending extracts from their systems face an increased risk of exposure any time they send information beyond their network firewalls. This common method of data sharing has been responsible for a large percentage of public security breaches.
Organizations that access and use sensitive information (e.g., hospitals, financial institutions or law enforcement agencies) face the greatest potential damage in the event of any loss or breach in data integrity.
One of the most important measures an organization can take to maintain privacy and security of data is to use technology to institute and enforce a minimal use principle for data access, which means people have access only to the data they need to execute their tasks — no more, no less.
Robust CDI Solves the Problem
Comprehensive CDI systems identify, link and synchronize customer information across systems, sources and external lists to create integrated customer data from disparate applications and data sources.
CDI systems access and compare similar records about a specific customer, eliminate duplicates, evaluate possible errors and link them to form a single accurate version of a record, which can help improve customer service, streamline business processes and enhance delivery of services.
Creating one accurate version of a record enables organizations to ensure the accuracy and integrity of the information they provide to avoid cases of mistaken identity that could cause personal embarrassment and hardship for the parties involved, not to mention the potential expense of litigation pursued by dissatisfied clients and angry individuals.
The most comprehensive CDI solutions provide data management solutions that enable organizations to comply with stringent security and privacy regulations while allowing continued on-demand, real-time data sharing with employees and customers.
CDI models, which allow organizations to publish real-time data-sharing services while maintaining control over what information is seen and by whom, are much safer than the commonly used extract-and-transport method — with the extract-and-transport method, once an extract of data leaves an organization’s firewall, the owning organization loses control.
To support this safer method, CDI systems and data administrators must know where all the data in the enterprise reside so they can examine individual records and enforce appropriate security rules.
With this awareness, a CDI administrator can centrally manage and enforce policies, regardless of where the data have been collected, generated, used and stored. This capability enables a CDI system to serve as the foundation for comprehensive security and privacy control within an entire enterprise or organization.
The most robust solutions also provide multilevel security to control access to information down to the attribute level (such as Social Security number, blood type, credit rating and specific information that only designated representatives may be permitted to access).
Such systems track additions and changes to opt-in/opt-out lists and to the laws that govern privacy and security, ensuring information is used appropriately, according to individual choices, and that these choices are readily accessible at all customer contact points within the enterprise.
Advanced capabilities help ensure compliance, with the most comprehensive systems providing special tools for setting user and group permissions.
Other tools enable administrators to limit the number and type of attributes about a customer that can be viewed at a given time. Only the information needed for a given customer interaction is revealed in accordance with privacy, access control, data ownership and other company policies.
Comprehensive CDI systems also monitor and log changes and additions to customer records, and they track factors such as the reason, time and search results. This enables organizations to catch errors before they cause problems.
In addition, reporting and task-management capabilities for creating audit trails help organizations show due diligence and avoid potential fines.
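The following is an added example, not code from the article or from any CDI product, showing how attribute-level access, opt-out enforcement and an audit trail that records the reason and time can fit together in one access path. The role names, policy table, record fields and the view_record function are all hypothetical, and the sample record is constructed.

```python
from datetime import datetime, timezone

# Constructed policy: attributes each role may ever see (hypothetical roles).
ROLE_ATTRIBUTES = {
    "nurse": {"name", "blood_type"},
    "billing_clerk": {"name", "address", "credit_rating"},
    "marketing": {"name", "address"},
}

# Constructed sample record; the SSN is a dummy value.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Pat Example",
    "address": "1 Sample St",
    "ssn": "000-00-0000",
    "blood_type": "O+",
    "credit_rating": "A",
    "opt_out": {"marketing"},  # purposes this customer declined
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


def view_record(record, user, role, purpose, requested):
    """Return only the attributes this interaction may see, and log the access."""
    allowed = ROLE_ATTRIBUTES.get(role, set())  # unknown role sees nothing
    if purpose in record["opt_out"]:
        allowed = set()  # the customer's opt-out overrides role permissions
    # Minimal use: reveal only what was requested AND is permitted.
    wanted = set(requested) & (record.keys() - {"opt_out"})
    granted = wanted & allowed
    # Every access, including fully denied ones, leaves an audit entry.
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "reason": purpose,
        "customer_id": record["customer_id"],
        "granted": sorted(granted),
        "denied": sorted(set(requested) - granted),
    })
    return {attr: record[attr] for attr in sorted(granted)}
```

Denied requests are logged alongside granted ones, so repeated attempts to read attributes outside a role's permissions show up in the audit trail.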
CDI Must Haves
Data administrators in the process of evaluating CDI systems should look for a solution that provides the best method for collecting and managing private data in a secure, sensitive and trustworthy way. Essential features and capabilities include:
- Central notification control: This provides the ability to configure and manage notices sent to users attempting to access personal records, and it enables enforcement, auditing and verification during the data-notice process.
- Flexible management: The CDI system should be able to enforce opt-in/opt-out rules, regardless of the platform used to gather preferences. It should support flexible privacy models (i.e., contact point or individual), and it should support age as a criterion for the enforcement of the Children’s Online Privacy Protection Act.
- Customer accessibility: Data administrators must be able to pinpoint exact locations of all customer-related data so they can provide individuals with access to their data within a reasonable period of time. Capabilities that assist in this process include real-time search capabilities for finding all data and providing a composite view, flexibility to decide how data can be viewed and a method for finding structured and unstructured data.
- Security for stored and shared data: CDI solutions that allow local storage of data enable individual divisions within an organization to retain control of their own data. Such solutions also enable administrators to define the extent of viewable data with a high degree of specificity — administrators can decide at the row and attribute level who can see what kind of data. Federated CDI models encrypt data in databases and logs, and they support encryption or hashing of data from source systems, enabling secure data sharing between trusted partners.
CDI solutions provide the framework for a comprehensive data-sharing strategy, which protects privacy and security. With today’s increased concern regarding confidentiality of personal information, robust CDI systems and data administrators provide a required infrastructure component to minimize security risks and protect personal privacy.
Scott Schumacher serves as chief scientist at Initiate Systems, where he is responsible for research and development of matching algorithms and the overall management of product development. He can be reached at email@example.com.