The world of data security is a complex and fast-moving environment in which businesses must put in place policies and procedures that are proactive, rather than reactive, toward the ever-present threat of a data-security breach, while also complying with an increasingly rigid regulatory framework. The requirement that many organizations appoint a data-protection officer who reports to the highest level of management is only one of the obligations imposed by the European General Data Protection Regulation (GDPR). Unlike the current Data Protection Directive, the GDPR will also apply to organizations, or “data controllers,” based outside the European Union that process the personal data of people in the EU.
The European Union is not the only region that has recognized that data-protection legislation is long overdue. In Singapore, the Personal Data Protection Act 2012 (PDPA) requires organizations to designate at least one individual, known as the data-protection officer (DPO), to oversee the organization’s data-protection responsibilities and ensure compliance with the PDPA.
Other countries in Asia, Southeast Asia and Oceania have instituted similar legislation, to a greater or lesser degree. In Australia, for instance, data privacy and protection are currently governed by a mix of federal and state/territory legislation. There is no statutory requirement for organizations to appoint a DPO, but doing so has been described as “good and usual practice under the current law,” and the privacy commissioner has issued guidance strongly recommending it. In the Philippines, of course, we have the Data Privacy Act of 2012 (DPA) in place, and it is strictly implemented by the National Privacy Commission (NPC).
Need for a data-protection officer
Given both regional and global concerns surrounding data protection, appointing a suitable data-protection officer is becoming more and more urgent. In the Philippines, you have hopefully already notified the NPC of your DPO’s appointment, as was required last September.
However, even the most qualified data-protection officer cannot act in an institutional vacuum. If a proactive stance toward data security is to be maintained, a core team of the DPO, IT staff and other information-security professionals must work closely together.
This is especially important given the onerous nature of the compliance required by the GDPR and by the data-privacy law in the Philippines.
As far as the regulations governing the functions of the data-protection officer are concerned, it is strongly recommended that the DPO be a C-suite-level executive who reports directly to executive management. Furthermore, the data-protection officer should have autonomy, a dedicated budget, and the resources and decision-making powers necessary to execute data-protection plans, address instances of noncompliance and report those instances to the relevant data-protection authority.
The DPO support structure
The task of the DPO is further complicated by the requirements for handling the data itself, as well as the associated processes mandated by the GDPR. There are requirements governing access to the data, the security of the data, the development of a remedial plan in the event of a data breach, regular audits, and the handling of changes to the data. Compliance places a significant demand on organizational resources, and it is simply not possible for a single employee to handle every aspect of it.
Software systems are available that can assist the DPO, but tools alone are not enough: it is only through close coordination between the DPO and the organization’s IT, information-security and compliance staff that these requirements can be met on a day-to-day basis. The need for an integrated and aligned support structure becomes even more urgent when the functions of the DPO are handed to someone who already has other work responsibilities, as has often been the case in the past.
According to a 2015 study by IBM and the Ponemon Institute the average cost of a data breach has increased 23 percent over the past two years to $3.79 million per incident. The same study indicated that the average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from $145 in 2014 to $154 in 2015.
These figures are only the tip of the iceberg, and they indicate the potentially massive blow to a company’s cash flow (and reputation) that a data breach can inflict.
Given that threats to data continue to grow, it is imperative that the data custodians within the organization are clear about their roles and responsibilities under the organization’s data-protection framework, as governed by the relevant legislation and the guidelines issued by statutory bodies in their regions and, for that matter, internationally.
Familiarity with roles, responsibilities and accountability assumes even greater importance in today’s highly competitive and digital business environment. In a marketplace characterized by increasing consumer and client choice, any breach can have catastrophic effects on customer faith, and in the event of a data breach, stakeholders are likely to vote with their wallets.
A more strategic approach, in which vendors, systems and processes are brought into alignment so that breaches are prevented where possible and their fallout is minimized when they do occur, is today an imperative. This requires close cooperation between the data-protection officer and the IT, information-security and compliance professionals within the organization who are responsible for the integrity and protection of data on a day-to-day basis, as well as for compliance with legislation and legal requirements. The higher-level reporting requirements, auditing and compliance issues should fall within the remit of the DPO, while operational issues must remain the responsibility of in-house information-security professionals and IT staff.
The consequence of a strategic misalignment of these responsibilities can be disaster for the organization. Aside from the ever-present risk of hefty fines for noncompliance, the risk of damage to corporate reputation is enormous. A single breach (or, for that matter, an accusation of noncompliance) can ruin the trust between the organization and its clients. And in the Philippines, the CEO can spend time in jail.
Clear, concise and effective communication to restore customer faith is simply impossible without having the facts at hand and being able to explain the processes that are in place to mitigate further occurrences. Only through close cooperation across all levels of the organization, and the elimination of silos between the reporting functions of the data-protection officer, the organization’s information-security professionals and the IT department, can this sort of communication take place.
Faced with the costs of compliance, some companies have decided that it would be simpler and more cost-effective to ignore the requirements and trust blindly that data breaches will not occur. This is an extremely dangerous bet.
Consequently, we have assembled a team of experts that can help you in the implementation of data protection, and there are solutions for small- to medium-sized companies that are more cost-effective.
For more information, contact me—Schumacher@integrityinitiative.com.