Lessons on data privacy from VFS Global

The global visa processing firm's data privacy officer shares tips for locking down your data habits.
29 August 2019

Some of the most personally identifiable information available. Source: Shutterstock

In a few recent months marred by monumental penalties incurred by British Airways and Marriott– not to mention the exposure of thousands of biometric data– never has the need to safeguard data been higher on the CIO’s agenda. 

It’s not just the firm hand of the ICO to fear though; loss of sensitive data can irreparably damage trust among your customer-base and, of course, highlight major flaws in your cybersecurity. 

When it comes to experience in handling sensitive data, there are perhaps few organizations as well prepared as VFS Global. 

Operating in 147 countries worldwide, the Dubai-based technology company works with more than 60 governments to process thousands of visa applications each day, across 3000 application centers in more than 500 cities. 

That’s a staggering amount of data and, crucially, it’s data that contains sensitive and personally-identifiable information, such as contact details and biometrics that could be of huge commercial value, and could be misused and manipulated in the wrong hands. 

Given the complexity of geographies it works across, VFS Global has built a standardized privacy framework based on the “highest global baseline”, the EU GDPR. That way, even in countries where there is no data protection to rely on, the highest standard of data protection is still in place. 

Ultimately, at VFS Global, we’re in the trust business,” Barry Cook, VFS Global’s Privacy & Group Data Protection Officer told TechHQ

With former roles as a Royal Navy avionics technical officer, an Electronic Warfare specialist, and within the Swiss banking sector, “information security was in my DNA,” Cook told usm before leading data protection efforts at the world-renowned visa processing company.

Too hot to handle

Cook told us that a central tenet of VFS Global’s data protection policy lies in processing the data as quickly as possible, and not storing it longer than it’s needed, which can be as little as one day. 

“[…] unless specified by a client government, we process personal information, such as biometrics, within 24 hours of receipt, and ensure that basic contact details are held for no longer than 30 days from submission.”

This drastically limits the timeframe in which data could be accessed or compromised under VFS Global’s watch. 

“It’s important to stress that highly personal data is encrypted on collection and retained only as long as is absolutely necessary,” said Cook. “We don’t copy or keep any of the data we receive; it is securely disposed of, upon its fulfilment, in line with our internal rules or those specified by our client.”

Treating data as ‘too hot to handle’ is an effective code to live by, but that’s not to say the organization doesn’t have a strict culture of cybersecurity woven into its “People, Processes and Technology”, where each component supports (but doesn’t rely on) the other. 

“Let’s say someone tries to access a system outside normal hours,” explained Cook. “The Process prohibits this type of access – a directive, in IT, controls parlance– and the attempted access is flagged and prevented by Technology, with detective & preventative controls.” 

“This would then create an alert at the SOC [Security operations centre] and a member of the SOC staff, the People component, would examine the CCTV from the location. We aim to design all our security measures using this multifaceted approach.”

A changing privacy landscape

The last few years have been “without precedent” in the data privacy space, Cook told us, thanks to the emergence of “ground-breaking and far-reaching legislation.” 

With hundreds of new data protection laws being introduced– GDPR in Europe being the most talked about– the need for data protection has fallen firmly on the shoulders of organizations, while recent media coverage has done much to wake consumers up about the use and value of their data. 

“Barely a week passes without some headline that relates to a data privacy matter, be it a massive fine or news of personal information being misused or leaked,” said Cook.

“This, naturally, has piqued the interest of the public and sharpened users minds about how their personal information is handled and processed by organizations.

“I suppose one could say that the general public has come to the realization that their personal information has a tangible monetary value, something that many companies have known for a long time.”

That means that showing a commitment to data privacy can have a positive impact on your brand’s image in the eyes of the consumer or, as Cook puts it, “good data privacy is good for business.”

All businesses have a vested interest

Of course, data privacy compliance will arrive more naturally to companies in a compliance-based industry– where data protection is just another “rule to follow”– than smaller operations where the knowledge and resources are lacking. 

While SMEs are increasingly prepared (thanks to sector-specific guidance by the ICO in the UK, for example) the varying complexity of data privacy compliance doesn’t make any business, sector or industry anymore exempt from the rules.

“The reality is that we’re moving into a new, digitalized world, and businesses of all sizes need to embrace and ready themselves for change,” Cook said. “In short, no– organizations that fail to understand the importance of data privacy will not survive. 

“The digitalization of the global economy, and onset of automation, is, rightly, raising questions about trust and how personal information is shared, stored, and exchanged by businesses.

“It’s therefore crucial for businesses to prove their worth to consumers and show that they’re serious about safeguarding sensitive data. Because this shift is not a passing fad; it’s here to stay.”

For businesses looking to ensure they have a fundamental data protection in place, VFS Global’s Barry Cook, shared these five tips: 

# 1 | If you collect it, protect it

Follow reasonable security measures to ensure that customers’ and employees’ personal information is protected from inappropriate and unauthorized access.

# 2 | Know what you are protecting

Be aware of all the personal information you have, where you are storing it, how you are using it and who has access to it. This not only mitigates the risk of a leak, but allows you to pull information, quickly, in the event of a user request.

# 3 | It’s better to be safe than sorry

Recent industry surveys have revealed that between 75 percent and 85 percent of small business owners believe larger enterprises are most likely to experience data leaks. This is not true – data protection is important for all businesses, large and small.

# 4 | Do you need the data?

Personal information is both a commodity and a liability. Apply a NEED – WANT – DROP approach across your operations to ensure you’re maximizing the benefits, and limiting risk, from the data you collect.

# 5 | Develop long-lasting, trust-based relationships

…by having a strong privacy and data protection policy. Customers will want to know that you are protecting their information. Make sure you have a clear, and honest, policy they can refer to explaining how you use and keep their information safe.