In a non-quantum digital world, data is all the same – ones or zeros. However, how we chose to define what ‘data’ actually is, tends to be much looser and (for convenience or otherwise) driven by our interpretations, differing context and intentions, all of which can differ widely. At best this creates confusion. At worst, the lack of specificity results in large and sensitive volumes of citizen data literally floating in the cyber-sphere (and anywhere around the world), with very minimal protection.
This misalignment in understanding about data, leads to misplaced risk assessment decisions and, as a result, potential for unexpected and adverse consequences. In an increasingly hyper cyber-sensitive world this is not only not a good thing but potentially damaging to individuals and organisations.
When you break it down, particularly when you think about how data moves in a digital world, data (and data sets) comprise five core elements.
- The core data/data set
- Related account management information about who owns/can use the data
- Metadata that acts like an index and provides information about the data set
- Monitoring data that ensures the core data retains its confidentiality, availability and integrity, and
- Insights – derived from all the above and often in combination with other data sets.
I first paused to consider the relevance of each of these elements when co-authoring the UK’s Data Capability Strategy in 2013 . I quickly came to appreciate that the tendency to focus (naturally) on (1) the customer data, is often at the expense of data in categories (2), (3), (4) and (5) – all of which can be moved (again, anywhere around the world) with far less attention or understanding of the inherent risks or indeed, the potential implications for the citizen who sits at the core of (1).
The point was further hammered home to me when drafting the response of the Cloud Working Party to the EU’s GDPR regulations.
The implications of extra-territorial jurisdictional legislation become clear when governments strive to create laws that assert their legal authority over the ones and zeros at the expense of sovereign governments, notwithstanding physical location or even ownership of organisations.
My point is this – extra-territorial, legislative over-reach, asserts jurisdictional priority over all the above data sets (not just core data), irrespective of where in the world and within which national sovereign territory the data physically resides. This is not a theoretical concept. It is law. It is fact.
Historically, when mandating controls to protect citizen data, governments have typically focused only on core data sets (1). Consideration of data elements (2) through to (5) is either silent or ignored, driven by a loose definition of “data”.
The risk posed by this poor understanding is exacerbated by lack of attention to the many services associated with supporting applications, related workflows (for example, authentication services, key management services, support desks, etc) and data flows.
As governments come to appreciate the significance of the different data elements and begin to understand the data flow of the disaggregated elements, my advice, to reduce the privacy risk to their citizens, is:
- Define data sets and the disaggregated elements accurately and precisely to ensure the risks of how each component is managed and moved is understood and addressed.
- Apply controls that relate specifically to each element of the data including related data flows.
- Know the implications of the extra-territorial power of other governments and their legal jurisdictions as it relates to data (and all its elements) and related data flows and mitigate accordingly. Understanding this ‘power’ is critical – it’s the difference between what you think is unlikely to happen (is “inconceivable” to quote the Attorney General’s Department) but what can actually and legally happen.
- Embed these considerations across government through security, privacy and procurement policies, processes and documentation to ensure you mitigate the risk barriers to the successful take up of digital native services.
Why – because failing to do this before we enter a world of ones AND zeros, has the potential to cause great pain.