Five Things Every Business Needs To Know About Storing & Protecting Their Customers’ Info
Marlene Lyhne Sørensen
Communications Manager, EMEA
January 21, 2021
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?

As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Bjørn Skou Eilertsen, Chief Technology Officer of Milestone Systems, who looks after the Products, Research, Development, Global IT and Operations.

Bjørn came to Milestone in 2013, bringing a strong entrepreneurial background from the IT industry, having fulfilled key roles at a series of startups as well as product management, marketing and sales roles with both IBM and Microsoft. Prior to joining Milestone, Bjørn was heading up the EMEA product management and sales operations for the Microsoft CRM business.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Perhaps I was always destined to be a tech ninja. I grew up north of Copenhagen, the capital of Denmark, and bought my first computer when I was 12. I started with some basic programming, and my fascination for technology and for what it can do for society has followed me ever since. I got my Master’s degree in Computer Science and Business Administration at Copenhagen Business School. I started out as a programmer and quickly moved on to the consultancy business. Here, software really caught my interest as well as the benefits of using technology to promote ideas and collaboration.

Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.

I am often quoted saying “Technology should never be above people; it needs to be governed by our democratic institutions”. It is one of my strongest beliefs.

My mother was a CFO and my father worked in the Danish shipping industry, so I was surrounded with minds of sharp business acumen and strong moral values. The dilemma I had was choosing between technology or business but realized that it didn’t have to be either or, but rather a combination of both — a problem solver.

As a developer, I found it useful to ask the users and the companies what their needs were and what problem they wanted us to solve. It made it a lot easier to develop the right software. This foundation has followed me ever since. It is also what inspired me to get closely involved with the business ethics and the responsible use of technology.

Can you share the most interesting story that happened to you since you began your career?

One single defining moment in my life and not just my career was when I met up with the crime prevention center in Hartford in the United States. The team’s main purpose for using video technology was to prevent drug dealing and attract more families to the small town. The meeting in Hartford was where I really felt and experienced the power of our software. It showed the difference we make at Milestone. I truly believe in fair and transparent societies, and that video technology can help us achieve that.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Would you believe me if I told you that it was a simple dinner and a book that left a profound impact on me?

I have a habit of keeping connected with all my previous managers. We never have perfect relationships with our managers, but I always learned something from them.

One manager who made a particular impact was my general manager at Microsoft’s Western European organization some 10–15 years ago. We had our first meeting — it was a dinner meeting — and we talked about leadership and the business. He was overseeing a greater scope than me, so I was curious to learn more about leading from a distance, and how you create sustainable leadership. Suddenly, he left the table. A few minutes later he came back with a book and offered it to me. It was his own copy of “How to see yourself as you really are” by the Dalai Lama. That was quite a defining moment to me. Of course, being 28–29 years old at the time running a fairly sizeable operation, the idea of seeing myself as I really was, was a good and relevant challenge. I think it boils down to: if you can talk with crowds and keep your virtue; or walk with kings — nor lose your common touch. This idea of understanding the context you’re in and still be able to work on all levels in an organization. I still have the book.

Are you working on any exciting new projects now? How do you think that will help people?

Together with the rest of the senior management at Milestone I’m crafting out ideas for the next generation of the modern workplace. The questions I’m burning to understand are: What does an organization look like five years from now? A lot of the leadership philosophy is based on face-to-face interaction so how do we manage things working from anywhere? How do you organize the workplace for the future, how do we maintain the level of psychological safety, empathy, passion and growth from a distance? How do you make that happen, while also giving the freedom to organize not only your own productivity, but also your team’s productivity?

We’ve got some pretty good ideas, and I’m curious and excited to continue this work and figure out how to keep growing our culture and the agility of how we operate, while also making every single individual the most productive and best version of themselves.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Burning out is a silent killer in almost any industry now. The right balance between passion and empathy is key. Too much passion and you will burn out, and too much empathy and it’s just going to be too comfy. In my leadership philosophy, I’m always returning to the principle of combining psychological safety with flow. As a leader you need to understand what psychological safety is for you and for your team, and how you use that to create a flow for your team — and not just for yourself. My best advice is to ask your people how they would like to be managed. It is simple advice, but my experience tells me it is very effective.

Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?

As a global company, Milestone Systems must live up to all legal requirements in all regions we operate in. Operating in the EU and with EU subjects, we are adhering to the strongest regulations in the world as set out in the EU’s General Data Protection Regulation (GDPR), which is also setting the standard outside the EU — e.g. Australia. You either need a legal reason, a business reason and, in many cases, also an active and retractable consent to use and store personal data.

From experience we can say that data protection begins with assessing the information gathered, identifying who has access to it and adopting best practices to keep it safe.

Digital trust is crucial for innovation, continuous growth and commercial advantages. Citizens must have confidence in the use of data and digital services we use — also in the future. To support this, I play an active role in the program called D-seal, looking to create digital trust as a driving force for IT security and data.

Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?

There are industry best practices and each company formulates their own strategy based on the information they gather. The best practice would be to take stock, scale it down, analyze it, lock what’s necessary and discard what is no longer relevant.

If you do not need the data or are not required by law to have them, get rid of them. Unlike wine, data does not mature and get better with age. Old data is a distraction in a fast-paced world. Considering the vast amount of physical and digital data we collect over time, effective ‘clean-up’ policies and practices are now an integral part of doing business. A good policy and practice will save not only time and resources but also possible legal costs and loss of goodwill.

In the face of this changing landscape, how has your data retention policy evolved over the years?

As good practices turn into law and regulations, one must take a much more stringent approach to retention. This has also been the case for Milestone where retention policies and consent now are built into business and review processes as well as software development processes. A paradigm shift from rules like “We keep customer data for 5 years” to dynamically ensuring compliance with the six lawful principles of data processing laid out in the GDPR regulation is the way forward.

Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?

As a Danish-based company, Milestone applies the data retention rules and principles found in GDPR and Danish laws. Our overall principle is to only keep personal data for as long as it is needed for the permitted purpose.

That being said, we don’t store much customer information. In fact, a core characteristic of Milestone’s business model is to let our customers keep the ownership of all personal data collected through our software.

This is very different to other digital platforms such as Facebook or WhatsApp, where the customer data is a key driver for growing the business. At Milestone, our primary focus is to deliver an open platform that enables our customers to keep control of personal data within the highest standards for cybersecurity and data privacy.

In fact, as a leading global video management software provider, we believe it is our obligation to help set the agenda for secure and responsible video technology use.

Here are some of the important steps we have taken so far:
  • In 2017, we joined more than 150 representatives from technology companies around the world to author and sign the Copenhagen Letter. The letter is a declaration that calls on tech companies of all types to put people first — rather than business and profits — when designing and using technology.
  • Milestone has invested heavily in getting our product GDPR-certified by EuroPriSe. This is to help ensure data privacy in line with EU legislation.
  • We embrace the UN Universal Declaration of Human Rights for our platform’s use. In our license agreements it is stated that we are prepared to disable the license if customers abuse our VMS technology. And yes, we have executed on this.
  • Several times a year, we release new software versions to ensure updates with the latest security measures.
  • Milestone offers system configuration and maintenance to ensure proactive management of cybersecurity risk.

Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?

We have increased our focus on privacy and data protection, and we are observant of the data privacy movements across the world.

In Europe, GDPR is playing a leading role, obviously. But also motions from the European Union to protect data in cloud scenarios, e.g. Schrems II, is something we follow closely to sense early impact for Milestone, our customers and partners.

Another example is GDPR Guidelines and local implementation of rules for storage of video feed.

In the US, there are also several data privacy initiatives we have our attention on, including the various encryption standards being enforced.

In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?

This is an emerging and immature market where a lot of innovation is happening. At Milestone, we have taken the approach of “light tooling”. We essentially believe that you need to have your practices and processes in place before you automate and tool.

Internally, we also use standard ERP and CRM systems to manage and store our data. They all come with — at least rudimentary — built-in tools supporting archiving and consent management.

There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?

Data collected through our software can be stored on-prem or in the cloud, e.g. AWS. It is the choice of our customers. Clearly, more customers are aiming for cloud solutions, and recent incidents don’t seem to have affected this trend.

For our software, Milestone only works with major cloud service providers, who invest significant sums in securing their data centres, both digitally and physically. Many have built their entire business on the same cloud platform, which makes security a top priority for cloud providers like Amazon, who invest billions in security research, innovation, and protection.

It is important to note that even if our customers use cloud storage, they keep the ownership and control of the personal data collected through Milestone’s software.

Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)

Video is transforming the retail environment, transport and logistics, and increasingly ‘smart’ cities, by acting as the ‘eyes’ for the Internet of Things. Not least during the pandemic, where we have seen organizations rapidly speeding up the digitization of business processes to remain operational, operate remotely and find new efficiencies.

The good news is that there are plenty of video tech solutions with the ability to anonymize data through metadata aggregation, privacy masking, data purging and much more, and thereby they can help keep people safe without compromising data privacy.

If you collect personal data, the crucial part is how you process the collected information. 

For this, 5 things you need to know are the answers to the following questions:
  1. DATA ANALYSIS: Which kind of data is processed? Depending on the type of personal data, there are different principles to follow. In short: the more sensitive the data is for the data subject, the better you need to protect it, and the more specific you need to be about what you are using it for.

  2. DATA STORAGE: Where is the processed personal data stored? Different regulations may apply depending on which country the data is stored in. For example, when you store data in the US, you are under very different obligations to disclose such data to the authorities, than if you store data in the EU.

  3. LEGAL REQUIREMENTS: What is the legal permission to process the personal data? This can be either consent from the data subject, legitimate interest of the data controller or the fulfilment of a contract with the data subject etc. To give an example: normally it would be in the legitimate interest of your company to use an employee’s photo on an ID card, while you would need consent to publish it on your public website.

  4. DATA BOUNDARIES: Is the personal data being transferred to somewhere else? E.g. if the personal data is transferred outside of the EU/EEA there must be a legal basis for this. Essentially one must make sure that the transferred data is under the same level of protection, regardless of where it is stored. It is not necessarily logical which countries are considered secure and which are not. For instance, the EU Commission considers Uruguay and Argentina as secure third countries, while the US is not.

  5. USER RIGHTS: What are the rights of the data subjects? Under GDPR, the data subject has certain rights, e.g. deletion of their personal data and insight into their personal data, and you need to have procedures in place to handle this. Maybe the most important prerequisite you need for handling this is knowing what data you have and for what purpose you are using it. If you don’t know this — it is almost impossible to respond to any type of enquiry from a data subject.

For any processing of personal data, we recommend that customers seek legal advice to comply with their local data protection and privacy laws or policies.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

If I could inspire a movement that would bring the most amount of good to the most amount of people, it would be the development of a digital constitution that spells out the digital rights of users for centuries to come. The constitution should provide a governing framework for the ethical use of data and artificial intelligence to ensure a healthy balance between protecting individual freedoms and taking advantage of technologies that far exceed human capabilities.

How can our readers further follow your work online?

I can always be found on LinkedIn or via any of our company social media.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

This article was originally published on Authority Magazine on January 21, 2021.