Privacy in the hybrid work era

The rise in remote and hybrid working has caused distress, as 77% of Australians are more worried about their personal data now that organisations operate distributed work models. On top of this, 49% of Australians said they’d no longer use or buy from a company they were previously loyal to if it failed to protect or leaked their personal data. IDM asked George Harb, Vice President, ANZ at OpenText, what organisations should be doing to protect data and establish cyber resilience.


IDM: What do you think are the key challenges that organisations face when it comes to securing their enterprise information?

GH: I think organisations have three key issues today. The first one is knowing their data; there has been so much collected over so long and there are so many platforms or applications that have been decommissioned and are still sitting there. People change, processes change, go-to-markets change. But that data is still there. Knowing what you have, and where it is, is critical. Then controlling your data. Who's got access to it? Where does it reside? What are the control mechanisms that you have in place in terms of reviewing, accessing, retrieving, etc. The next one is remediating and maintaining your data. So, what information should be redacted? What information should be made available? What information should be deleted and removed because it's no longer useful? These are the three key challenges and organisations need to understand how to manage those challenges to stay on top of that issue in regards to customer data privacy.

IDM: Over the COVID period, many organisations rushed to move to Office 365 to enable remote working and the ability for knowledge workers to access data about their clients or citizens remotely. How is that impacting in terms of securing information management systems?

GH: Consumers are worried about their information being hacked. When you add on top of that there is awareness that people are working from home. People are working from coffee shops. Accessing public Internet Wi-Fi platforms. It adds to their concern. And so, as an organisation, if you're thinking about your consumers and their concerns, that transfers over to how you control information. When it's now being accessed from hundreds or possibly thousands of different locations versus what it previously used to be. Ultimately it comes down to the controls you put in place. And I go back to the control your data theme. It's around who's accessing, how they're accessing, understanding whether there's information that a person shouldn't be accessing, but they are, and being able to flag that. That to me is the concern that consumers have which transfers to organisational concerns.

The people that are responsible include your chief risk officers and IT officers; their concern is how do I control that data? How do I control access? What's being retrieved? What's being downloaded? What's being uploaded and being able to track it. That's essentially one of the challenges that organisations have: how do you keep track of all of this. Can you stop it? Well, when you have a remote working workforce, it's difficult to stop, but you've got to be able to track it. You've got to be able to understand where and what is being used and I think that to me is the kind of question that needs to be answered.

IDM: Australia is trying to adapt its privacy regime to follow more European-style privacy laws. Do you think Australian enterprise and government are ready for that change?

GH: Technology can enable it. So, when you look at GDPR in Europe, organisations are having to adapt to it and that comes down to essentially knowing where your data is so that when the citizen comes along and says, I want you to remove my data, you know where it is and you can remove it. That's being enabled by technology. So, organisations are going to be able to understand what those policies are, when they're being presented to the industry to adapt to. But quickly being able to determine whether they have the technology in place to enable that, and I think you'll find that a lot of organisations in Australia have got customers in Europe, and they need to adhere to GDPR, and have already gone down that path and understand it and put in place. But what the Australian rules will look like and how they need to be adhered to and implemented is something we are yet to understand. But technology is available today that can enable it.

IDM: What do you see as the top priorities for organisations coping with data privacy issues operating today?

GH: I think there's four. The first one is updating your retention rules. So, make sure you're not adding more data that you don't need to add. So, stop the binge, in essence. Then you need to clean your data up, understand what you've got, understand what data you have and then clean it out. Then the next step is to review these subject rights. So, who can access, what they can access, when they can access and where they can move it to, or to whom. Review your rights/rules and make sure they support the new rules that we're all having to abide by. And then finally, internally, the business needs to update the privacy policy and educate the staff around that. I think it's important to make sure the mechanisms are in place, the documents, the training, the certification, so that people understand what they mean. Because when they come out, if your staff doesn't understand them, they can’t respond.

IDM: Small businesses with an annual turnover of less than $A3 million could soon have to comply with the Privacy Act. Do you think this will open up new markets for ECM and data discovery, which have traditionally been enterprise or large government?

GH: It will, but it comes with complexity. And with complexity comes cost. So, while these rules are being pushed down towards the smaller to medium enterprises, it's going to come down to cost and whether they have the ability or capability to implement these types of solutions. Because it's not a case of plug and play. When you look at how organisations need to adapt, they need to understand their business and need to ensure their business rules and the way they work fits into that model. So, there isn't going to be one size fits all. It could be a 70 or 80% fit, but there's going to be certain ways that small organisations will work that has to be customised. And with that, either the business needs to adapt to what the technology and the rules allow it to do. Or they're going to need to go through some customisation, which comes with a cost. So possibly yes. Easily adaptable or easily implemented? Still a question mark.

IDM: OpenText offers solutions in a range of different areas, and one of these is privacy management. Do you see that as a separate product category to content management or document management solutions?

GH: Absolutely. Because within the document, there are going to be certain things that are privacy related or specific. And you need technology to be able to pick those up. How do you know what information you have that needs to adhere to privacy law? How do you know what information you have that could get you into trouble if it were hacked? And that's where those privacy solutions come into play. So yes, as a separate stream, absolutely.

IDM: What role do you see emerging technologies such as AI and machine learning playing in improving enterprise information management and security and how is OpenText incorporating those technologies into its solutions?

GH: We have our own Magellan AI platform, which we continue to incorporate in the solutions that we offer. This is a tool that enables us to detect and act on potential risks hidden from sensitive or inappropriate data, which is important today as there is a vast amount of information stored in business systems. With our AI capability, we are able to sift through this information—even those in the form of unstructured data—and identify any risks. ChatGPT presents an opportunity and also a risk. Because you don't know what information you're introducing into your business and how valid the IP around that information is. Are you setting yourself up with an unknown set of data and information that you're then presenting as your own? Companies need to put in place policies that address the use of these AI tools because we don't know yet how powerful or how risky they are in incorporating them into the way that you work. Obviously, within the business, when you're using AI to leverage your own information, it's a massive value because you're able to provide customers with tools for them to self-serve. Which is always something that organisations are looking at to help customers help themselves. So that's fine, but once you bring that other element in and bring the wider information that's available out there, that presents risks. And I don't think organisations fully appreciate or have concluded how they're going to use that in the way they work. There's a lot of trials going on but I don't think it's fully appreciated, yet.