So, what is data custody? It refers to having the legal right and authentic control over particular set(s) of data elements, which are then authorized for storage and use by the custodian(s) of that data. The rules of engagement for data custody define the identity of the rightful owner of those data assets, as well as of all acquisitions associated with them. They also clarify the use, distribution, and any financial stakes that a custodian may have with regard to the data.

In an organizational context, data custody specifies the holding and management of enterprise data in the eyes of the law. The owner(s) or any nominated entity may have the right to make, modify, and even divide restricted access to the data as per the rules of engagement, without seeking anyone’s consent. With the increasing switchover to cloud-based data management services and big data analytics, data custody remains an area of crucial importance to corporations and small businesses alike.

Data custody is of equal importance to the individual, who may be either a customer or a user. In the world of social media, the topic of data custody is complex and polarizing. A case study of particular note here is that of Facebook. In 2016, over 50 million Facebook users were affected when their data was distributed to third parties without their explicit consent. The company is still facing the aftershocks nearly three years after the incident.

Importance of data custody

At a time when identity fraud and data theft are increasing, individuals and businesses are coming together to tackle the issue of data custody by increasing the buy-in of all stakeholders in the process: companies, individuals, and public institutions.

A company’s database is the physical and conceptual manifestation of its entire presence. The elements that make up these databases carry much more value than the cost of the hardware on which they are stored. Their actual value is linked to customers’ financial information, the company’s most closely held trade secrets, and the other variables they contain. Even the smallest organizations have specific data elements which they would never want to disclose to certain internal stakeholders and competitors.

For individuals, the stakes in rightful and safe custodianship of vital data are no less serious. In 2017, according to findings from Javelin Strategy and Research, 16.7 million people fell victim to identity fraud. Breaches such as the one at Equifax in September 2017 highlighted how sensitive information such as Tax IDs and driver’s licenses entrusted to organizations can be leaked when managed under poor data protection and security practices.

Responsibilities of a data custodian

Cases such as Facebook and Equifax indicate the importance of ensuring that the custodians of our data remain on guard.

A data custodian is the regulator of the stored data sets. By industry definitions, a data custodian is concerned with the basic storage and transportation of the data rather than with what is inside the data set. A data steward, on the other hand, has the obligation to apply the business rules that govern the data contents. The difference between the two, therefore, is that the former provides the technical environment for the data structure, while the latter has the additional duty to regulate what is being stored. Facebook, Twitter and Instagram are, in essence, data stewards.

Many small businesses are forced into being cost-conscious, and their decisions (or lack thereof) around data custody may eventually translate into long-term setbacks.

  • The most common mistake is the failure to devise formal business rules to define the process of data custody and management.
  • The second common mistake is engaging low-end or unqualified custodians. The risk is magnified when security concerns are handed to cheap outfits. Assigning someone who is not experienced can leave the business liable to severe damages.

Taking data custody seriously

The aftereffects of a breach may not be immediately felt. In fact, it may take months or several years before the effects of poor custodianship are felt by an organization or individual. Taking a holistic approach to data custody can avoid many long-term setbacks and losses.

  • Recycling of the data elements should be handled with great care. Physical storage hardware may be disposed of, but the data can still be salvaged from its components. Proper certification of disposals should be obtained in order to avoid surprises. For individual users, old hard drives should be destroyed after being wiped clean.
  • Companies and individuals should not take data-related terms and conditions casually. Be it the disclaimer box prior to signing up for an online file sharing service or the licenses for a cloud-based ERP, all forays into data custodianship – formal or informal – must be taken seriously.
  • Regardless of the circumstances, applying an efficient chain of custody strategy during a server replacement is essential for the proper protection of the data.

Taking data custody seriously is fundamental to the survival of any company; a company not only holds information critical to its own success, it also possesses personal data of its customers and partners.