Whether your company is large or small, it is vital to ensure that data, and indeed all confidential information, is kept safe.
Data privacy is not new. While there is a tendency to focus on recent legislation, it has always been the case that any responsible and well-run corporation will have adopted a broad range of measures to protect the data that it manages or holds.
For example, most companies are responsible for managing confidential employee records, accounting information, passwords and access codes, business plans, client information, as well as confidential product information. To successfully protect their internal data, companies must implement stringent privacy measures across a range of data streams.
For instance, physical and digital record-keeping should be enforced at all company levels, external access to internal systems must be managed, and when contracting or dealing with third parties, appropriate security or confidentiality measures must be established.
The rapid evolution of data mining, the increasing integration of computer systems, and the sophistication of information-gathering systems (matched by increasingly sophisticated means of stealing data and penetrating systems for illegal purposes) means that a greater degree of obligation needs to be imposed upon those that collect, manage and retain data. Indeed, governments worldwide are determining that this is a matter of importance to society.
The European Union introduced the General Data Protection Regulation (GDPR) in May 2018 as part of EU Privacy Law. It provides citizens of the EU and EEA a greater amount of control over their personal data and seeks to ensure that their information is being securely protected. Under GDPR, companies with over 250 employees must keep detailed records including the name of the data protection officer internally assigned to manage those records, the reasons the company is processing the data in the first place, and details on any potential data transfers outside of the EU. While data privacy in itself is not a sign of a prosperous and successful company, a large company that complies with relevant legislation such as GDPR and maintains pragmatic data protection policies is more likely to be a well-ordered and well-run company, which are usually two ingredients for success.
So how might a large corporation adhere to GDPR regulations and maintain a secure IT system? There are two critical facets to be taken into consideration. Firstly, a company must ensure it is system-focused. This means investing in an IT system that is as safe as it can be, including monitoring access, updating security passwords, and applying patches in a timely manner. According to a recent Global Resilience Gap study by Tanium, looking at organisations in the UK, Japan and the US, 81% of chief information security officers (CISOs) and chief information officers (CIOs) are routinely delaying security patches in order to avoid disruption to day-to-day business operations. Patches must be urgently implemented to fix security weaknesses in software, and any delay in patching is a dangerous practice.
Secondly, to ensure data protection within a large corporation, a company must also be people-focused. This means ensuring that staff are trained to understand what they need to do to keep a system safe (e.g. regularly changing passwords), understand the latest system threats (e.g. phishing), address risks, implement easy-to-use systems that facilitate compliance, and minimise risk by only allowing access on a needs basis.
Should a company fail to maintain a system-focused and people-focused position, it is vulnerable to a data breach. If there is any doubt about the importance of data protection, BA’s record fine of £183m this month for a passenger data breach should serve as a timely reminder. In addition, in 2018, Marriott also discovered that for four years a hacker was able to copy and encrypt information, including names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender and reservation details including payment card numbers.
No matter the company size, a well-organised company will have a breach policy in place. In immediate response to the breach, all efforts must be made to fix the problem as soon as possible to prevent further data leaks. As a next step, a company should look to notify all relevant stakeholders, while working alongside their PR team to communicate messaging around the breach clearly and efficiently. In order to best manage a breach crisis, such communications strategies should be prepared well ahead of time. In addition, a company could set up an online space for any consumers who are worried about the potential impact of the breach, to put these individuals in contact with a suitable customer services operator.
Analysis of companies that have followed the correct processes indicates that public confidence tends to return within six months of a significant event. However, this does not include the effect of any fines imposed for the breach.
In conclusion, all businesses large and small must ensure that they are aware of all legislation applicable to their business, which of course includes relevant data protection legislation. All businesses should also factor into their operations the cost and time needed to ensure that they put in place the systems, people and processes they need to protect their businesses to the degree necessary. This is not optional, and in a world in which data holds increasing leverage, it should be considered obligatory.
Written by Michael Hatchwell, Partner at Child & Child, Globalaw.