Data protection: complexities ─ and opportunities

Data protection and personal privacy rights should put cybersecurity firmly on the boardroom agenda

Regulatory compliance is a well-known risk management challenge faced by many organisations. Last year, data protection and privacy dominated media headlines, spurred by the introduction of the General Data Protection Regulation (GDPR), which came into effect in May 2018. This caused a stir globally regarding data protection principles and personal privacy rights.

Following the implementation of the GDPR, a number of countries have introduced new data protection regulations or are ‘beefing up’ existing data protection frameworks and regimes to meet the GDPR’s new benchmark. California’s Consumer Privacy Act has been lauded as the next GDPR’esque implementation and will commence in 2020. Australia introduced the Notifiable Data Breaches scheme under the Privacy Act, while Canada implemented new data breach notification laws, among many other developments in Asia Pacific and South America in particular.

What’s next – more of the same?

Looking ahead, I believe we can expect more countries to adopt data protection regulations that uphold or improve upon the GDPR. This will be, largely, to continue the free flow and transfer of information between themselves and the European Union (EU) to support commerce. However, as more countries add their flavour of data protection regulation to the mix, businesses will need to become more vigilant in understanding who their customers are, where they do business and what their data and third-party landscape looks like, in order to meet the myriad of data protection frameworks and regimes with which they’re required to comply.

In particular, the US will be an interesting country to watch. For some years, they’ve been debating the need to implement a federal data privacy law, rather than have disparate sets of state legislation that may offer inconsistent privacy protections for individuals, which is currently the case. In recent years, many technology companies, such as Apple and Microsoft, have stepped up to the plate and are strong proponents for comprehensive data privacy law in the US.

So, while it’s interesting to watch all this unfold, there’s still a lot of uncertainty within many businesses around the world about how to practically apply the requirements of the various new pieces of legislation. However, the good news is that we can expect to see increasing levels of guidance in terms of ‘What does this really mean for my business?’ and we’ll benefit from more case laws regarding what is and isn’t acceptable, as more businesses are put to the test by regulators. This will help organisations better understand how regulators evaluate and interpret various new laws and, in turn, will influence many businesses’ practices regarding how they design and build their systems and applications.

Google’s recent record fine of USD 57 million by the French data protection authority, CNIL, is an interesting development in the growing body of case law under the GDPR. It raises interesting questions regarding the GDPR’s ‘one-stop shop’ mechanisms for data protection and how organisations build to support data protection principles.

Take our industry – technology – as an example. I think there are some fascinating developments on the horizon in terms of how compliance regulation applies to emerging technologies such as artificial intelligence (AI) and machine learning. Take robotic calling, chatbots, and automated messaging, which are already used extensively by many businesses. These have all been flagged as potential areas of concern because the question is: Should customers be aware ─ or necessarily feel comfortable ─ that it’s a machine, not a human, processing their information, answering their questions, making decisions on their behalf, and even interpreting their mood and behaviour? The EU Commission recently issued some ethical guidance regarding the use of AI and proposes a framework for building and assessing trustworthy AI, but there’s still much to consider. How do businesses design and structure their technology environments in a world where AI is moving to the forefront of the systems or solutions they use, while avoiding falling foul of any laws?

How do you get the board on board?

I believe that successfully capturing the board’s attention requires that you translate or map technical expertise into information that’s meaningful to the business. You need to make a direct connection between functional domain insights and how they impact the organisation’s overall strategy and vision. Essentially, it’s all about joining the dots regarding how cybersecurity and data protection can deliver (or, if ignored, may erode) tangible business value. That’s critically important to the board and, if you can get their attention and buy-in, it will help secure the appropriate investment and drive a top-down focus on changing the behaviours and culture throughout the organisation.

These are some key messages you need to convey to the board, to gain their attention:

• Firstly, you don’t want to learn the hard way by not taking appropriate, proactive action. The implications of this include financial and reputational damage, loss of revenue, plummeting stock prices, and regulatory fines, to name a few. There have been some high-profile examples of this in recent years and transgressors are facing increasing regulatory and public scrutiny. When Target suffered a data breach a few years ago, several C-level executives were asked to step down and it saw some negative impacts on its share price. A more recent example is Facebook. We all remember the company’s CEO, Mark Zuckerberg, being called to appear before the US Congress to explain a data breach that engulfed the popular social network in a legal and regulatory nightmare and resulted in many individuals closing their Facebook profiles in its wake. Never mind Yahoo’s recent settlement offer of USD 117.5 million in April. This follows the rejection of a proposed USD 85 million settlement by a US district judge in January this year for a number of breaches that occurred between 2012 and 2016 that compromised approximately three billion user accounts. This would be the largest settlement for a data breach to date.
• Also, point out to the board that increased focus on data protection and privacy over the past few years has driven heightened awareness among consumers about their rights to privacy and the value of their personal information. The uncomfortable truth is that today, if you’re unable to adequately demonstrate that you can safeguard and protect your customers’ information, they may well go elsewhere . In any business, customers are your most critical assets. You want them to trust you; you want to retain them and attract new ones. Getting this wrong could potentially compromise your ability to sell your products and services to customers and remain reputationally sound and commercially viable in the long term.

The uncomfortable truth is that today, if you’re unable to adequately demonstrate that you can safeguard and protect your customers’ information, they may well go elsewhere. Read more @Dimensiondata Tweet this

How do you manage and measure your compliance and cybersecurity maturity?

Achieving a comprehensive overview of these matters is complex, especially if you’re a multinational organisation, and need to consider a web of global and local data protection regulations. That’s why we recommend that you engage with an independent cybersecurity partner to help you plug any dangerous gaps in your posture and chart your course forward. The right insight, at the right time can fundamentally impact and direct the success of your cybersecurity programme.

The right insight, at the right time can fundamentally impact and direct the success of your cybersecurity programme. Read more @Dimensiondata Tweet this

For example, Dimension Data’s Cybersecurity Advisory takes a business ─ rather than technology-led ─ approach to benchmark an organisation’s current cybersecurity maturity level and establish their desired future state.

Initially, we focus on gaining a deep understanding of the organisation’s overarching business objectives, via interviews with C-level stakeholders and heads of functional areas (such as cybersecurity, legal, and risk management). We also assess the company’s existing technologies and security processes and controls, and the relevant compliance regulations to which they must adhere depending on the locations in which they operate. By integrating our findings, we subsequently present cybersecurity advice and recommendations, which will help move the business towards its target state.

As a large multinational organisation with a presence in 47 countries, Dimension Data takes information security and data protection compliance seriously. In fact, we use our own Cybersecurity Advisory capabilities and best practices to gauge our current and future maturity levels.

My top 5 recommendations for navigating compliance, data protection, and cybersecurity challenges:

1. Data protection by design is key, wherever you are in the world. Make sure your new products or services consider data protection at the design stage – not as a bolt-on.
2. Put compliance and data protection on your board’s agenda alongside cybersecurity and prioritise compliance efforts with all other operational initiatives.
3. Ensure you have access to good data protection and cybersecurity advice, and that it’s appropriately aligned to your business’ priorities.
4. Ensure that everybody in your business understands that they have a role to play in ensuring security and compliance, and conduct relevant training and awareness initiatives. As Peter Drucker once said, ‘Culture eats strategy for breakfast’. So, if you don’t get the culture right, even the best strategy will fail. You need to drive the cultural change within the business, walk the corridors, and regularly measure your progress. Also, ensure that there’s consensus and collaboration among functional areas and lines of business and break down any silos that exist among IT; information security and cybersecurity teams; HR; and legal and risk, so that these don’t hamper your progress.
5. Understand that compliance and a robust cybersecurity posture are part of your organisation’s overall risk profile. But it must be prioritised, along with other risks such as technology, geopolitical, environmental, legal, and third-party related risks.