As data privacy regulations tighten, compliance is key when handling sensitive data. But what factors should you consider to ensure your data privacy strategies go far enough?
The strict data privacy rules introduced by GDPR have cast a spotlight on the protection of sensitive consumer data and the financial and reputational damage that can occur if it is mishandled. It is therefore vital that your Chief Compliance Officer oversees the development and implementation of your data privacy strategy to ensure it is not vulnerable to falling foul of these data privacy regulations. Here are seven crucial red flags that every business leader needs to be aware of to understand if their data privacy strategy is strong enough to protect their organisation…
1. Your data privacy strategy isn’t regularly discussed with stakeholders across all areas of the business
Data protection is no longer only the concern of the IT department. The introduction of GDPR, combined with the fallout of several high-profile data breaches, means that data protection is now a compliance priority for the board room.
Under GDPR, organisations must demonstrate accountability for data protection, and the creation of a clear strategy should involve multiple stakeholders from across the business, overseen by the Chief Compliance Officer (CCO). With every department handling data in some form, this should include representatives from finance, HR and marketing, among others.
“Companies need to recognise that privacy is not just a compliance tick-box, but an ongoing process that will develop as the organisation and regulations advance over time – this cannot be achieved without a strategy,” says Christine Andrews, director at data and privacy consultancy, DQM GRC.
“Multiple stakeholders need to be engaged to ensure that data protection and privacy issues are not isolated within the role of the Data Protection Officer (DPO) but embraced by the whole organisation.”[xyz-ihs snippet=“Navex-Graph-2”]
2. There isn’t a dedicated data protection officer or privacy committee in place
Not all organisations are required to appoint a DPO under GDPR – the role applies specifically to a public authority or body, or if you carry out certain types of data processing activities.
However, organisations that do appoint a dedicated DPO, and is supported by a privacy committee, find their day-to-day guidance on data compliance issues invaluable, deriving value from their monitoring of business-wide compliance, their expertise when advising stakeholders on any data protection obligations and their acting as a contact point for data subjects and the local supervisory authority.
In addition, it demonstrates your organisation’s commitment to data privacy, says Ms. Andrews: “Not having any dedicated full or part time privacy support indicates the organisation isn’t taking an approach to privacy that’s meaningful.”
If the organisation lacks the in-house resources to appoint a DPO, the role can be outsourced.
3. Data protection and cyber-awareness training isn’t mandatory for all employees - including the board
More than two million cyber incidents occurred in 2018, resulting in more than $45 billion in losses, according to the Internet Society’s Online Trust Alliance (OTA). Importantly, 95 per cent of the breaches could have been prevented.
Human error is one of the most common causes of data loss and can lead to unintentional breaches when combined with weak or unenforced data security policies. It is therefore essential that mandatory training around both privacy and cyber-awareness is implemented for all employees including the board.
This is especially relevant as cyberattacks become ever more complex – employees need to recognise potential threats and understand how best to handle them. Companies may take the short-term approach to saving budget on training, but they may find the financial and reputational cost much greater in the long-term.
Training is also one of the key factors that can demonstrate accountability within organisations.
4. You haven’t ringfenced a budget for cybersecurity improvements
Along with training it is vital to allocate cybersecurity budgets to mitigate data loss.
“Budget is required to fully implement and enforce a comprehensive data privacy and security strategy – which is why senior, C-suite level representation and ‘buy-in’ is vital,” says Sarah Pearce, privacy and cybersecurity partner at international law firm Paul Hastings. “Boards are now recognising the value in allocating appropriate budget since the risks can be huge. In some cases, it can mean the life or death of a company.”
GDPR dictates that you take “appropriate technical and organisational measures”, which is known as the ‘security principle’. You should consider things like risk analysis, organisational policies, and taking physical and technical measures, but these must be appropriate both to your circumstances and the risk your processing poses. This means your budget must meet the size of the challenge, not the other way around.[xyz-ihs snippet=“Navex-Circles”]
5. You’re not regularly evaluating potential cybersecurity risks throughout your supply chain
Supply chain cyberattacks, where criminals exploit third-party services and software to compromise their target, are on the rise. According to a 2018 survey by the Ponemon Institute, 59 percent of companies have experienced a data breach caused by one of their vendors or third parties.
But despite being regarded as the ‘weak link’ in their security and privacy management efforts, many organisations still fail to properly manage their third party relationships to ensure their supply chain is secure. Only 34 percent keep a comprehensive inventory of their third parties, a figure that drops down to 15 percent for ‘Nth’ parties.
It is essential that organisations undertake regular evaluations of cybersecurity KPIs throughout their supply chain to ensure they have complete visibility of their partner ecosystem, including their security posture, and with whom they are also sharing data in order to contain 4th and 5th party risk.
6. Your incident response plan isn’t reviewed and adapted after a data incident
In the event of data loss or a cyber incident it is vital that organisations learn lessons and adapt their approach to data privacy accordingly.
“Security and privacy risks don’t inhabit a static landscape – as these risks evolve so must an organisation’s ability to react and prevent them. Not being willing to adapt will be to an organisation’s detriment, and such companies are news stories waiting to happen,” says Ms. Andrews.
She notes that making changes in the aftermath of a data security event is essential – if nothing else an organisation will at least avoid repeating its mistake again. She points to the example of a major telecoms provider, which was fined £100,000 ($125,000) in 2017 for leaving its customers’ data open to exploitation – it was the company’s second major fine within a year for failing to protect its customers’ data.[xyz-ihs snippet=“Navex-Bar-Chart”]
7. Your policy management programme doesn’t include regular reviews of your data privacy and cybersecurity procedures
Data protection isn’t a one-off endeavour or just a way to ensure the necessary tick boxes are checked to ensure compliance. Organisations that display this attitude typically write policies in isolation without relating them to risks, operational requirements and objectives, and fail to review policies regularly, leaving them vulnerable to data breaches.
Embedding data privacy and cybersecurity as part of policy management programmes puts regulation at the heart of the business and helps to demonstrate your efforts to comply with GDPR. This helps to avoid potentially ruinous financial and reputational damage to your organisation, while also protecting your relationships with customers and enabling you to glean the most business value out of essential data.
“This is a legal requirement for some companies, but even those not covered by law would be remiss to omit data privacy and security from their policies, procedures and management or governance programmes,” says Ms. Pearce.
For more information please see NAVEX Global’s Privacy by Compliance report.