Every day we share and use large amounts of real-time data. As a Compliance Officer, I regularly ask myself: is my data in good hands? We often mindlessly share personal information via cookies, webshops and emails, and trust that this is always done properly and securely. But how well founded is this assumption really? And can you rely on it blindly? In this blog, I will take you through my work as a Compliance Officer and share tools that help you become more aware of the expectations around data and meet them better.
In addition to these information security principles, additional requirements may apply, such as financial, HR, environmental, sustainability, product or contractual obligations. Take a conscious look at this when you share or consult information online; you will often already see where the first headaches arise.
What do you actually agree on when you share data, and how do you monitor those agreements? In my role, I ensure that we at Conclusion AMIS act in accordance with the frameworks that we have agreed with our stakeholders. These are internal stakeholders, such as the management, employees and the works council, but also external stakeholders such as customers, suppliers and governments. All these stakeholders have certain requirements and expectations. We translate these internally into policies, guidelines and procedures. Your requirements may also be part of this and translate into, for example, ISO, ISAE or GDPR requirements.
Throughout the entire data lifecycle, the general expectations are therefore essential: during the creation, storage, use, sharing, archiving and deletion of data. But how do you, as a consumer or organisation, know whether a party is complying with this? Do you take the other party at their word? Or do you only settle for demonstrable facts? This is where compliance comes into its own. As a consumer, a degree of trust is often sufficient, but as an organisation, more is needed, such as regulation, supervision, risk analysis, sanctions and reporting obligations.
As a consumer, I also need transparency. I don't mind that a service like Google learns my preferences so that it returns better search results; after all, I don't pay for it. But as soon as I do pay, I want to be able to decide for myself what happens to my data. Then I want to know what has been agreed and who is responsible for what.
Terms of use with references to privacy policies and terms of service provide clarity. But let's be honest: who really reads them? You probably recognise this: you visit a website and blindly accept all cookies because otherwise the site will not work properly. During the ordering process, you accept all delivery terms and conditions, without reading them. And when using the online service, the terms of use are also accepted. What you are actually doing with this is possibly giving the other organisation carte blanche over your data. The question is: do you really want this?
As a Compliance Officer, I therefore need transparency, both internally and in cooperation with external parties. I see two points of extra attention:
Small organisations that do not (yet) fully meet all requirements. This requires additional guidance and testing.
Tech giants such as Microsoft, Google, Amazon and Oracle. Although they meet all the formal requirements, it is difficult to press them for additional transparency.
1 | The scope
The scope defines what, for example, a quality or information security management system covers. Does the system cover your data? Without knowing the scope of a certificate or assurance statement, it is difficult to estimate whether an organisation is managing your data properly.
2 | The maturity of the organisation
The maturity of an organisation is also important. Is it a start-up organisation, or does the organisation already have years of experience with processes that are continuously improved through the so-called PDCA cycle (Plan-Do-Check-Act)? You will often find little or no information about maturity on websites or in certificates. Assurance reports can sometimes provide more clarity.
3 | Mutual responsibility agreements
The so-called 'shared responsibility matrix' of tech giants indicates where their responsibility ends and where the customer must take responsibility. With tech giants, the responsibility for the data often remains with the customer, even if this data is stored in the cloud. This means that as a consumer or organisation you hand over your data without the other organisation being formally responsible for it. So you determine your own data risks!
Does your data storage still meet the general expectations? Yes and no. Formally, you are responsible for your data in these cases, especially if something goes wrong. The risk you run depends on the measures that the organisation offers you and that you may have taken yourself for protection. Think of:
At Conclusion AMIS, we don't take data lightly. If we don't have our affairs in order, it has direct consequences: trains come to a standstill, logistics chains get stuck, planes remain on the ground and in some cases there is no power at all.
As a master of real-time data, we are very aware of the responsibilities that come with it. Stakeholders demand not only speed and availability, but also reliability and security. That is why we use quality, security and privacy as a starting point, and we ensure that general expectations are guaranteed. We actively maintain various national and international quality systems, including ISO 27001, NEN 7510 and ISAE 3402.
As a Compliance Officer, I am a line judge along our 'data fields'. I raise the flag when necessary, and let myself be guided by internal and external referees (the auditors). It is up to you as a spectator (organisation) to assess the quality of our performance. So make sure you obtain enough information to justify the confidence you place in us. And feel free to talk to me if you have any questions about that.
Get in touch with Henk ->
Principal consultant