We continue our series on cyber security with a focus on data privacy. Governments around the world are introducing new regulations to ensure the secure processing of their citizens’ Personal Identifiable Information, or PII. Our Head of Cyber Security, Opeyemi Ore, and our Chief Information Officer, Alex Zverintsev, explain how we are adapting our information systems to ensure that we can continue to process personal data for visa applicants on behalf of government clients, while respecting these new privacy standards.
As governments around the world start paying more attention to the numerous ways in which organisations utilise data and information systems to achieve business goals or create new revenue streams, they are increasingly concerned about the potential abuse of this information.
Their concern is entirely justified. In recent years, we have seen clear examples of privacy violations by large international organisations who have used the personal information they hold for purposes other than those agreed with the data subjects (any person whose personal data is being processed). In some cases, these privacy violations could result in the abuse of personal information of data subjects, with the aim of carrying out multiple scams or stealing their identities.
Data Residency, Data Sovereignty and Data Localisation
These abuses have prompted many governments to scrutinise how organisations use their citizens’ personal information more closely, and has led to three very important concepts:
- Data Residency: the requirement to store data in a specific geographic location;
- Data Sovereignty: the requirement to store data in a specific geographic location, and for it to be subject to the local laws; and
- Data Localisation: the requirement to keep the master copy of data in a specific geographic location before onward processing elsewhere.
Non-compliant processing activities can be severely detrimental to the impacted organisations and can result in significant fines, bad press, and in worst cases, full business closure.
The complexities of international data processing
At TLScontact, we use information systems located in numerous geographic locations, to process the personal data of visa applicants from over 90 different countries. In this ever-shifting regulatory environment, handling citizen data within the confines of our regulatory and legislative obligations can pose a significant challenge. Any processing or cross-border data transfers not only have to be completed securely but must also comply with the privacy regulations of each country in which we operate.
The devil, as they say, is in the detail. As new privacy laws and regulations are introduced at both the national and international levels, we first need to understand the specific requirements and then make the necessary adjustments to our data processing activities. The first major change in this area was the introduction of the EU General Data Protection Regulation (GDPR). More recently, we have seen other, national laws brought in, such as the Russian Personal Data Law, the German IT Security Act 2.0 (BSIG) and the Moroccan Data Protection Law, amongst many others.
Working with colleagues from our Legal and Data Privacy teams, we have analysed the individual requirements of each regulation and established certain commonalities across them. This has allowed our Technology team to develop repeatable architecture patterns and reusable solution building blocks. These are now applied in our core applications to handle data in compliance with specific local regulations. In particular, this has meant:
- Creating isolated environments to ensure the segmentation of citizens’ personal data, respecting local regulations;
- Implementing robust security controls to protect access to this data;
- Encrypting data both ‘at rest’, when it is stored on our systems, and in transit to secure government platforms for visa processing purposes.
Adaptable information architecture
This approach not only allows us to meet the requirements of our government clients and the local laws we need to comply with. It also means that as our business expands into new regions, we are able to deploy these repeatable architectures easily, based on pre-defined implementation patterns. Recently, we have validated the effectiveness of our privacy measures by obtaining the ISO 27701 data privacy certification. This, in addition to our existing ISO 27001 certification, gives us a competitive edge as it demonstrates our flexibility and ability to comply with mandatory protective measures as they evolve.
This is certainly not the end. Government requirements will continue to evolve in response to advances in technology and new business innovations. At TLScontact, we have established a framework which allows us to respond quickly to these changes and thereby continue the secure international processing of personal data within any of our information systems, in compliance with the most stringent privacy standards. We have developed and are continually improving our capability to address local regulations and enable secure and compliant use of citizen data across borders, taking the burden away from our government clients and allowing them to focus on their core decision-making tasks.
Article written by
Opeyemi Ore, Head of Cyber Security and Alex Zverintsev, Chief Information Officer