Data is dangerous stuff. In spite of the old cliché about it being the ‘lifeblood’ of your business, having too much of it can be a problem.
Many companies merrily accumulate as much data as they can – not least by collecting unnecessarily large amounts of intelligence about their customers – on the basis that it is somehow an asset. But it can be a serious liability, too.
Data can be damaging when it’s wrong – as Lord Justice Leveson found out after information he cut-and-pasted from Wikipedia into his massive report on press standards turned out to include spoof information that was part of a prank. However, Leveson’s report – the conclusions of which some want to see being enacted into law as soon as possible – may also make correct and valuable information a burden.
While much of the press coverage of the report has focused on privacy for celebrities and the muzzling of tabloid newspapers, there are some less-reported suggestions that are causing concern for the Information Commissioner’s Office (ICO). Leveson has suggested that the Data Protection Act (DPA) 1998 should be amended so that people who are the subject of news stories should have access to information that journalists hold about them.
Journalists, not surprisingly, are deeply worried about this. There is the danger that they would be forced to reveal sources, which could have a severely chilling effect on investigative journalism.
The ICO isn’t happy, either. Christopher Graham, the information commissioner, has warned that this could effectively turn the ICO into a press regulator, as it would be dragged into any case involving access to journalists’ information and how they manage and store that data. He has said he will fight any attempt to force him into that role.
This also highlights a much broader issue. To paraphrase an old saying, if you have data, you have the care of data. In other words, simply possessing certain types of data can make you susceptible to all kinds of obligations and responsibilities – and even dangers – that are not justified by the value it brings to your organisation.
You may think you already know all about this. If you handle credit card data, for example, you’ll be only too painfully aware of how Payment Card Industry Data Security Standards (PCI DSS) regulations make you jump through hoops, and invest in expensive technology, audits and testing, in order to ensure the data is kept safe. But that’s just the data that falls into the scope of well-defined regulations. The DPA has often caught out organisations when people unexpectedly come knocking at the door demanding access to information they believe the companies are holding on them.
Then there’s the reputational and financial damage that can ensue when hackers steal data from you that, perhaps, you didn’t even know you were storing. Customer and marketing databases, for instance, have a habit of breeding out of control. Are you sure there isn’t some such information store sitting on a weakly protected server somewhere? Think again.
This problem has become all the greater since the rise of hacktivism. In the good old days, hackers simply wanted to steal your information in order to quietly fence it on the black market. Now, hacktivists want to share it as openly and loudly as possible.
Data is not something you should squirrel away on the basis that it might prove useful some day. If you haven’t got a well-defined and justifiable use for it now, you shouldn’t be storing it. It could cause you all kinds of problems if someone decides they want it.