Regulatory compliance is a well-known risk management challenge faced by many organisations. Last year, data protection and privacy dominated media headlines, spurred by the introduction of the General Data Protection Regulation (GDPR), which came into effect in May 2018. This caused a stir globally regarding data protection principles and personal privacy rights.
Following the implementation of the GDPR, a number of countries have introduced new data protection regulations or are ‘beefing up’ existing data protection frameworks and regimes to meet the GDPR’s new benchmark. The California Consumer Privacy Act (CCPA) has been lauded as the next GDPR-style implementation and takes effect in 2020. Australia introduced the Notifiable Data Breaches scheme under the Privacy Act, while Canada implemented new data breach notification laws, among many other developments, in Asia Pacific and South America in particular.
Looking ahead, I believe we can expect more countries to adopt data protection regulations that uphold or improve upon the GDPR. This will be driven largely by the need to keep information flowing freely between themselves and the European Union (EU) to support commerce. However, as more countries add their own flavour of data protection regulation to the mix, businesses will need to become more vigilant in understanding who their customers are, where they do business, and what their data and third-party landscape looks like, in order to meet the myriad data protection frameworks and regimes with which they are required to comply.
In particular, the US will be an interesting country to watch. For some years, it has been debating the need for a federal data privacy law, rather than the current patchwork of state legislation that may offer individuals inconsistent privacy protections. In recent years, many technology companies, such as Apple and Microsoft, have stepped up to the plate as strong proponents of a comprehensive data privacy law in the US.
So, while it’s interesting to watch all this unfold, there’s still a lot of uncertainty within many businesses around the world about how to practically apply the requirements of the various new pieces of legislation. However, the good news is that we can expect to see increasing levels of guidance on ‘What does this really mean for my business?’, and we’ll benefit from a growing body of case law on what is and isn’t acceptable, as more businesses are put to the test by regulators. This will help organisations better understand how regulators evaluate and interpret the new laws and, in turn, will influence how many businesses design and build their systems and applications.
Google’s recent record fine of USD 57 million (EUR 50 million), imposed by the French data protection authority, CNIL, is an interesting development in the growing body of case law under the GDPR. It raises interesting questions about how the GDPR’s ‘one-stop shop’ mechanism applies in practice, and about how organisations build their systems to support data protection principles such as transparency and valid consent.
Take our industry, technology, as an example. I think there are some fascinating developments on the horizon in terms of how compliance regulation applies to emerging technologies such as artificial intelligence (AI) and machine learning. Consider robotic calling, chatbots, and automated messaging, which are already used extensively by many businesses. These have all been flagged as potential areas of concern because the question is: should customers be aware (or necessarily feel comfortable) that it’s a machine, not a human, processing their information, answering their questions, making decisions on their behalf, and even interpreting their mood and behaviour? The European Commission recently issued ethics guidelines for trustworthy AI, which propose a framework for building and assessing such systems, but there’s still much to consider. How do businesses design and structure their technology environments in a world where AI is moving to the forefront of the systems and solutions they use, while avoiding falling foul of any laws?
I believe that successfully capturing the board’s attention requires you to translate or map technical expertise into information that’s meaningful to the business. You need to make a direct connection between functional domain insights and how they affect the organisation’s overall strategy and vision. Essentially, it’s all about joining the dots on how cybersecurity and data protection can deliver (or, if ignored, erode) tangible business value. That’s critically important to the board and, if you can get their attention and buy-in, it will help secure the appropriate investment and drive a top-down focus on changing behaviours and culture throughout the organisation.
These are some key messages you need to convey to the board, to gain their attention:
Achieving a comprehensive overview of these matters is complex, especially for a multinational organisation that needs to navigate a web of global and local data protection regulations. That’s why we recommend engaging an independent cybersecurity partner to help you plug any dangerous gaps in your posture and chart your course forward. The right insight, at the right time, can fundamentally shape the success of your cybersecurity programme.
For example, Dimension Data’s Cybersecurity Advisory takes a business-led, rather than technology-led, approach to benchmark an organisation’s current cybersecurity maturity level and establish its desired future state.
Initially, we focus on gaining a deep understanding of the organisation’s overarching business objectives, via interviews with C-level stakeholders and heads of functional areas (such as cybersecurity, legal, and risk management). We also assess the company’s existing technologies, security processes and controls, and the compliance regulations to which it must adhere in each of the locations in which it operates. By integrating these findings, we then present cybersecurity advice and recommendations that will help move the business towards its target state.
As a large multinational organisation with a presence in 47 countries, Dimension Data takes information security and data protection compliance seriously. In fact, we use our own Cybersecurity Advisory capabilities and best practices to gauge our current and future maturity levels.