An increase in cyber security attacks across commercial enterprises and service providers, and a consumer market wary of data privacy and protections, provide a backdrop for the forthcoming data privacy rule changes. Companies need to get ready fast, according to consultant Ryan Rubin.
Ryan Rubin is a Managing Director responsible for Security and Privacy IT Consulting at Protiviti, a global consulting firm.
As the European Commission works towards unifying data protection under the General Data Protection Regulation (GDPR), it is imperative that IT professionals familiarise themselves and take the necessary steps to reduce their organisation’s exposure to data privacy risks.
GDPR is a game changer for European data privacy regulation for two important reasons: greater transparency and greater accountability. Firstly, it calls for companies to respond more quickly to a data breach and also requires that they notify their customers within 24 hours of becoming aware of one. Secondly, fines for noncompliance have moved significantly: from a capped fee to one that will range up to 5% of global turnover. Equally important, these rules will also apply to any non-European company handling EU-specific data.
Cyber security attacks across commercial enterprises and service providers continue to run rampant as organised criminals look for new ways to access credit card numbers, expiration dates, account holder names and CVV codes, intellectual property, and other sensitive information. Reputational management has also become a major consideration for organisations as consumers grow increasingly wary of data privacy and protections, quickly turning against any service provider or organisation viewed as ‘reckless’ with personally identifiable information (PII). In the last few years several high-profile breaches have not only brought into focus the vulnerability of user data, but more importantly brought into focus who consumers will hold accountable for the loss of that data in the future.
Whilst reputational damage and unplanned costs for breach notification, identity theft protection, and increased cyber insurance premiums all directly impact an organisation in the short-term, many still continue to debate the long-term implications faced by companies who experience a major data breach.
In the last several years, we have witnessed several well-known brands weather storms associated with a breach and survive another day. This is in large part due to the unique products or services offered to their larger and typically more loyal consumer bases. Despite the long-term survival of these brands, however, many of the individuals steering the ship, including CIOs, CTOs and CEOs, have not always survived the aftermath.
Five Key Steps to Prepare
What should companies be doing today to protect themselves and prepare for GDPR? In today’s digital economy, data privacy and governance will be as crucial for organisations as their financial integrity or sustainability – those with lower scores will simply disappear from the digital supply chain.
- Establish Ownership: Companies will need a data protection officer to oversee compliance, data privacy and drive an improvement programme. It is important that accountability remain with these stakeholders.
- Assess Risks: Understand your ‘crown jewels’: what key PII your organisation holds, how much of it you hold, and how much is shared with third parties. Have a firm understanding of your stakeholder responsibilities and establish your risk appetite for data loss (e.g. number of records x 100 per record + potential fine + potential loss of future revenue).
- Discover: Seek out where PII exists in your business processes and within your IT systems – optimise and eliminate wherever possible to reduce the data footprint.
- Enhance Policy and Process: Establish necessary policies and processes to meet all privacy requirements including security, complaints, data accuracy, custodians, breach reporting, etc.
- Protect: Adequately protect the PII you process by:
  - Applying least privilege – Limit the locations where you store data, and also who has access to your PII data and in what quantities
  - Only retaining what you need – If you don’t need it, don’t store it; unnecessary data becomes a liability
  - Using encryption where you can – On laptops and hard disks, for data in transit such as email, in backups, etc.
  - Logging and monitoring – Logging and monitoring access to data, bulk downloads, security alerts, data leakage events, etc. are critical for accountability and also for early detection of security breaches