Protecting Privacy – Ensuring Your Organisation Is Ready For Regulation

With personal data likely being used by many parts of your organisation, a first step towards compliance is conducting a study of where that personal data is held, who holds it and who is responsible for it

Dataquest

Every week, it seems, a new corporate security breach is uncovered, and companies appear to prefer concealing the breach and paying the ransom quickly, given that this is often cheaper than the financial and reputational liabilities that come with disclosing a security issue.

Some companies operating in the Asia Pacific region may soon have to own up if their customer data has been compromised, or face stiff penalties. In Australia, the Notifiable Data Breaches (NDB) amendment to the Privacy Act will force companies operating locally to report eligible data breaches to the Office of the Australian Information Commissioner, as well as notify the individuals whose data has been lost. This legislation comes into effect on 22 February 2018.

The European Union's General Data Protection Regulation (GDPR), effective from 25 May 2018, is another game-changing regulation. The GDPR has effectively global reach, as it applies to organisations that control or process the personal data of EU residents wherever in the world those organisations are based. That means Asia Pacific businesses that process EU residents' personal data will fall within the scope of the GDPR.

Both the Notifiable Data Breaches amendment and the GDPR lay out hefty penalties for non-compliance – organisations in breach of the GDPR could be liable for fines of up to four per cent of annual global turnover or 20 million euros (whichever is higher). Perhaps more importantly, there is the potential for reputational impact, which can often be harder to quantify.

Privacy and risk practitioners need to be laser-focused not only on ensuring that personal data is protected, but also on ensuring that, by early 2018, adequate data governance and security practices are in place so that the organisation knows exactly where customer and employee personal data is kept, and how it is safeguarded.

Having an overarching view of a customer's personal data isn't easy. Organisations will have customers' personal data stored in various places and in various ways. These data silos make personal data harder to protect, and also make it harder to know exactly what has been lost in the event of a personal data breach.

So what can be done to implement an effective data governance practice?

With personal data likely being used by many parts of your organisation, a first step towards compliance is conducting a study of where that personal data is held, who holds it and who is responsible for it.

Teams can ask themselves a series of questions, beginning with what sort of personal data is collected, why it is being collected, how it flows through the organisation, where it is stored and for how long it is retained, and which systems have access to it.

Asking these sorts of questions creates a type of business context that will assist in addressing the compliance challenges associated with laws such as the Notifiable Data Breaches scheme. Organisations should also consider what other roles this business context can play. More on that later.

Privacy and risk professionals may not need to completely reinvent the wheel when it comes to answering some of these questions. Some of the answers may already exist.

For example, an organisation with a robust business continuity program will most likely have also conducted a business impact analysis (BIA) – an activity that may already have identified relevant information flows and repositories that can provide insight for your privacy initiatives. While it's unlikely that this will paint a complete picture of how and where data is being stored, it can be a valuable accelerator towards addressing your current compliance challenges.

With you now on your way to building a solid base of business context, it's important to take a moment to consider other purposes within your organisation that it may serve – such as helping cyber teams prioritise alerts and incidents that affect your most critical assets. In short, the efforts designed to ensure a business is compliant with the NDB scheme are also useful in other contexts.

In essence, collaboration is key, with good business context gathering activities in one area potentially paying off in other areas yet to be considered. When taking on new privacy initiatives that demand good business context, don't forget to stop and think about where some of this may already exist. There is a great opportunity not only to accelerate your journey towards compliance, but to build relationships and help out other parts of your business in the process.

Protecting the personal data that your organisation uses is not just the right thing to do for compliance – it's the right thing to do. Full stop.

With the introduction of new regulations, we can hopefully start waving goodbye to the bad old days of hiding data breaches. Your efforts toward compliance will result in better data protection practices, benefiting not only your business but also your customers, by assuring them that their personal data is in good hands.
