BCS recently interviewed Lisa Woodall, Head of Strategy, Architecture and Governance at Zurich Insurance, on one of the Institute’s key challenges - personal data.

What should the role of BCS be in achieving a better world for personal data?

As an insurance company we are highly regulated and security of personal data is a key area that the regulators focus on, ensuring we take the security of personal data seriously. The extent of cybercrime and activity can mean personal data isn’t safe unless you secure it in the right way, with the right approaches, and it’s becoming increasingly a target for criminals. I think BCS could be raising awareness of the activity that is going on, as well as aligning to the different regulations that are required across different industry sectors.

I think another key angle which BCS could help on is: ‘What is personal data?’ What data should customers view as personal data, and the extent of data that we need to encrypt and make secure. It’s not just a person’s name, account details and date of birth, but should it go as far as Twitter ID and other publicly available data that could be viewed as personal? I think there is something BCS can do around, what are the risks of the various aspects of personal data being more public than private? What technologies are in the mix to help to secure data? What overhead does personal data management and security of data bring to projects?

It’s very much part of our project life to ensure we handle the data security aspects of all of our application development, but I don’t think we can yet quantify the costs of the personal data security agenda, the extent that it has driven up the cost of projects, the testing of projects, the software and the application landscape, and the personal data landscape, and I think, for BCS, bringing all these aspects to life would be good.

Can you tell us about Zurich’s take on the personal data challenge?

We, as with many of our competitors, are aware of the personal data challenge. We understand the need to secure our customers, our brokers, and our employee data and we are really driving significant investment in securing data. We’ve changed our project development methodologies and deliverables as a result; our risk assessment around our IT landscape is much more heightened as a result of that and globally we’re investing significant amounts of money in information security.

What do you think the main challenges are regarding personal data for your industry?

I think we’re starting, as an industry, to tie ourselves up in knots with the data agenda. And one of the other questions to address is: ‘how does data sharing allow Zurich to innovate and offer better services to their customers?’ I mean in many ways we can’t share as much data as we’d like to share with people to help innovate and solve the challenges that we have. Also the cost of some of the technology out there to protect data isn’t insignificant. So the costs are also becoming prohibitive. So I think as an industry that’s becoming a real challenge.

What does a desirable future for personal data look like from your perspective?

From a Zurich point of view, the desirable future is the current state, which is to secure personal data, to ensure that we’re meeting regulations and even going beyond the regulatory needs.

Does data sharing allow Zurich to innovate and offer better services to their customers?

Yes. I mean if you look to the future, and looking more beyond Zurich, there are some exciting initiatives that are being discussed. For example, enabling customers to have greater control of their personal data and providing options on where they choose to hold their data and to be able to get access to that data in an encrypted fashion. So data is only held once, with whichever supplier an individual chooses to work with, and they have access to my personal data. The individual gives the access and chooses when to turn it on and off. I think this is the future. It has to be the future.

What ethical codes do you follow to safeguard your customers?

Zurich has quite a few ethical codes, not just from a data point of view but from a business practice point of view. Words like integrity are part of our codes of practice and these ways of doing business embed awareness across the organisation of how to ensure we secure data and classify data accordingly in our business processes. We want to be ethical, not just to be safeguarding customer data, but safeguarding everything about our customer.

How are you minimising risk to personal data?

We’re investing heavily in encryption and reviewing all areas of data security storage, access, and data usage principles.

What is the risk if society fails to address the issues around personal data?

The IT industry is addressing these issues. So much of what we do is handled online and on mobile devices and the extent to which we’re providing personal data in our daily lives is growing. It just used to be the bank and insurance companies, now we’re providing personal data to every website that we register on. With a lot of these ‘register with your app’, register with various services, you have to put in your name, your address, your date of birth in some instances, and through online shopping channels; whatever you choose for shopping, you know, with Facebook, with Twitter, with LinkedIn. So much more of our personal data is available publicly on the internet. And that does raise so many more risks around what that means in society, for fraud, identity theft and so on.

I think a subset of society - informed individuals - have good security habits in their personal life anyway. But those who are not informed and do not see the vulnerability - and I think there will always be a larger percentage of those - won’t take it as seriously and then it does fall on those people who provide the services to make sure the data is secure and controlled and the risks are minimised.