The Freeman

Developing a privacy-conscious and data security-conscious culture


Developing such a culture is a journey, because the culture in an organization has to change. Awareness that customers, stakeholders and co-employees have rights, and that their data need to be protected, has to be built – from top to bottom in an organization.

Organizations have to understand that data is an asset and a liability. Let's be very clear that Zuckerberg's 'I am sorry' comments in Washington and Brussels will not work for your organizations. The biggest threat to organizations is not the massive fines or even the jail terms: it's the reputation damage – it's the loss of customer trust and brand damage. On the flip side, accepting data as an asset opens the door to competitive advantage and investments that can create value.

I was surprised to see that the National Privacy Commission – as of April 30 – recorded 57 breach notifications, 21 complaints, 126 inquiries and 4 investigations. The information that around 82,150 records were exposed in an incident at Wendy's, and that Jollibee had to suspend the operations of its delivery website and other online processing operations with the public because identified vulnerabilities in JFC's website indicate a 'very high risk' that exposes approximately 18 million persons to potential harm, clearly indicates that data privacy and data security have to be taken much more seriously by organizations.

Security is so much more than purchasing antivirus software and conducting penetration testing; it also entails changing corporate culture and helping employees realize that the duty of keeping intellectual property, customer information and other business data safe isn't limited to security and information technology personnel; it's a task that requires the full effort of the entire company.

Companies have to accept that, despite their best defensive efforts, they will likely be breached at some point. It will be essential that an incident-response policy is in place and a response team is ready to respond.

With perhaps a few exceptions, every business that collects personal data from customers, clients, and vendors is exposed to a security breach where that data is exposed, compromised, and/or stolen. This inevitable fact is just one of the costs of doing business in an interconnected world.

The EU's GDPR and the Data Privacy Act of the Philippines (DPA) do not, and cannot, expect businesses to patch unknown security vulnerabilities or avoid security incidents altogether. However, they do require businesses to make every effort to mitigate the damage security breaches have on people.

To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish data privacy compliance and avoid substantial fines and penalties after a security breach.

If companies need assistance in establishing and implementing security processes, there are teams available that can reduce risks and provide systems management tools.

Comments are welcome – contact me at Schumacher@eitsc.com
