So, what exactly are business information technology pundits referring to when they discuss ‘data custody’? The term generally refers to the legal right to hold and authorize control over a particular set(s) of data elements in an effort to ensure safe storage, transfer and use of that data.
The rules of engagement for all data custody arrangements clarify the uses and distribution of the data as well as any set of restrictions applicable to the custodian(s).
From the business perspective, data custody specifies the holding and management of the enterprise data in the eyes of the law. The owner(s) or any nominated entity may have the right to make, modify, and even divide the restricted access to the data without seeking anyone else's consent. With the increasing switchover to cloud-based data management services and big data analytics, data custody is an area of vital concern to corporations and small businesses alike.
Data custody is of equal importance to the individual: be it a client or a user. In the world of social media, the topic of data custody is complex and polarizing. A case study worth mentioning here is that of Facebook. In 2016, over 50 million Facebook users were affected when their data was distributed to third parties without their explicit consent. The aftershocks of the incident are still being faced by the company nearly three years after the incident.
Importance of data custody
At a time when identity fraud and data theft are increasing, individuals and businesses alike are coming together to tackle the issue head-on.
A company’s database is the physical and conceptual manifestation of its entire operation. The elements that make up these databases are worth much more than the cost of the hardware that supports them: their actual value includes, among other things, customers’ financial information, the company’s most closely guarded trade secrets and its future plans.
For individuals, the importance of securing rightful and safe custodianship of vital data is no less serious. In 2017, according to findings published by Javelin Strategy and Research, 16.7 million people fell victim to identity fraud. Breaches such as the one at Equifax in September 2017 highlighted how sensitive information entrusted to organizations, such as Tax IDs and driver’s licenses, can be leaked as a result of poor data protection and security practices.
Responsibilities of a data
If we resort to industry definitions, a data custodian is concerned with the basic storage and transportation of the data rather than what’s inside the data set. A data steward, on the other hand, has the obligation to scrutinise the data contents in line with business rules. The difference between the two, therefore, is that the former applies the technical environment against data structure while the latter has the additional duty to regulate what is being stored. Facebook, Twitter and Instagram are, in essence, data stewards.
Many small businesses are forced into being cost-conscious, and their decisions (or lack thereof) around data custody may eventually translate to long-term losses.
- The most common mistake is the failure to devise formal business rules to define the process of data custody and management.
- The second common mistake is the engagement of low-end or unqualified custodians. The risk is magnified when grave security concerns are met with cheap solutions. Assigning someone who is not experienced can leave the business liable to severe damages through negligence.
Taking data custody seriously
The aftereffects of a breach may not be immediately felt. In fact, it may take months or several years before the effects of poor custodianship are experienced by an organization or individual. Taking a holistic approach to data custody can avoid any such long-term setbacks.
- Recycling of data storage devices should be handled with great care. Physical storage hardware may be disposed of, but the data can still be salvaged from its components. Proper certificates of disposal should be reviewed in order to avoid surprises. For individual users, destruction of old hard drives should be carried out after wiping them clean.
- Companies and individuals should not take data-related terms and conditions casually; be it the disclaimer box prior to signing up for an online file sharing service or the licenses for a cloud-based ERP, all forays into data custodianship – formal or informal – must be taken seriously.
- Regardless of the circumstances, applying an efficient chain of custody strategy during a server replacement or other maintenance exercises is essential.
Taking data custody seriously is fundamental to the long-term viability of any organisational strategy; a company not only holds information critical to its own success, but it also possesses the personal data of its customers and partners.