Is it possible to really protect privacy anymore?
Data breaches are becoming a frequent feature in news headlines and their implications have been far-reaching. Organisations have been hit not just by the loss of customer and personal data that resulted in heavy regulatory penalties, but also by the loss of reputation and brand image. This is further exasperated by the pace at which new and emerging technologies are disrupting every aspect of our lives.
As a result, several data privacy-related laws and regulations have emerged to protect the population from cyberattacks that target confidential personal information.
For example, in April of last year, the European Parliament adopted the Global Data Privacy Regulation (GDPR) that introduced more stringent data protection compliance requirements, one of which is that GDPR will also apply to non-EU organisations that process personal data of Europeans when transactions are originating from EU countries.
Similarly, the Middle East North Africa (Mena) region has experienced an increase in regional data protection regulations as regulators are becoming more aware of the significant risks facing organisations.
For instance, the Dubai International Financial Centre (DIFC) Privacy Protection Law (modelled after the EU data privacy directives) is applicable to all Data Controllers operating out of the DIFC. In addition, the Central Bank of the UAE has put privacy at the forefront as its Regulatory Framework for Stored Values and Electronic Payment Systems mandates that user transactions’ data cannot leave the country.
As regulators, and people, look to companies to assume accountability for privacy, what can companies do to improve their accountability, become trend leaders and market differentiators?
Develop KPIs for privacy
Organisation leaders need to understand that it is no longer enough to know what data they are tracking but will have to know why. Organisations will want to consider adopting KPIs for privacy in the same manner they do for other performance-based programmes, which would enable companies to gather and analyse accurate privacy data to develop, implement, monitor and maintain robust privacy programmes that comply with regulations, and meet privacy demands.
Adopt a risk-based approach
The GDPR advocates a risk-based approach that allows organisations to tailor their privacy protection programmes based on the risks that are most material to the organisation. Privacy Impact Assessments (PIAs) analyse how organisations collect, use, share and maintain personally identifiable information. PIAs have been around for quite some time. However, where they were once optional, they are now mandatory.
Appoint a Data Protection Officer
Organisations that conduct large-scale processing, or processing of certain types of personal data as part of their fundamental business activities will be required to appoint a data protection officer.
Make adjustments if you are a data processor
Data processors are individuals or organisations that process personal data on behalf of the data controllers. Under the GDPR, processors are subject to the same compliance obligations, legal requirements, and punishment for noncompliance as controllers.
Get consensus on an approach to de-identification
De-identification involves the scrubbing of data until any hint of an individual’s identity is removed. The purpose is to make the data safe from a privacy perspective, but useful from a data analytics standpoint. As data analytics plays an increasingly important role in almost every decision an organisation makes, the debate over what data an organisation collects, stores, manages and protects will continue to be actively debated. In the coming years, we expect to see progress by the global community in finding consensus in terms of what constitutes deidentification, and a framework to help organisations develop a plan to achieve it.
Establish a robust incident management process
Organisations need to have clearly defined processes for incident identification and reporting, responding to complaints, reporting to regulators in case of an actual breach in a legally admissible and foolproof manner.
The days of ad hoc privacy policy-making are coming to an end. Organisations need to take ownership of their information practices, be accountable for the associated privacy risks in the course of doing business, and be able to prove how solid their programmes are. Otherwise, they would be risking reputational and financial damage that could be far more than just costly — it could be ruinous.
The writer is a cybersecurity Leader for Middle East and North Africa at Ernst & Young.