Getting Data Security Right
Over the last few weeks we’ve been asked about data security from places as far afield as Lithuania and Korea. As one journalist from Asia Business Daily asked us: “Security issues are paramount in MyData. How does Mydex manage customer privacy?
There is no single ‘magic bullet’ that can guarantee data security or customer privacy. Indeed, the belief that there is such a magic bullet (usually some techno-fix such as blockchain) is one of the biggest dangers. That’s because data security is about system-wide design, where many different elements need to fit together to create a working whole.
Mydex’s approach to data security is therefore multi-faceted and multi-levelled. It includes:
- Encryption: all data handled by Mydex is encrypted in motion and at rest.
- Architecture: big, centralised databases holding records about millions of citizens attract hackers. With our infrastructure, each individual’s personal data store is separately encrypted. This means that to get a million records, hackers would have to conduct a million separate, successful hacks.
- Operating procedures: Each individual holds their own private key to their personal data store. Mydex itself does not know or hold this key, so Mydex employees cannot see the data held by citizens in their personal data stores.
- Business processes: We only work with known, reputable organisations that themselves work to the highest standards (e.g. government departments). To connect to our platform they have to agree to Terms and Conditions and Information Sharing Agreements with citizens designed to protect citizens’ privacy and data.
- Citizen control: Citizens can easily see what data they are sharing with which organisations for what purposes, via their own Consent Dashboard. They can use this Dashboard to view ‘consent receipts’ that confirm their agreements with each organisation, and can change or revoke these permissions if they wish to.
- External audit and accreditation: All our systems and processes are independently audited to international standards. We have held ISO 27001 accreditation for Information Security and Management for the last nine years.
We don’t believe it’s possible to ensure data security without thinking through how the system as a whole works, looking at it from every angle: structure, incentives, governance, processes and, yes, technology.
With the way our current data economy works however, many necessary elements are either missing or badly designed — generating incentives that undermine rather than enhance data security for example. That’s why our current system is so insecure, and why there is so little trust in it.
There isn’t a magic bullet for ensuring data security and customer privacy. But there is a way of tackling the challenge so that robust, reliable ways forward are found.