Don’t be driven by the fines of others

The General Data Protection Regulation (GDPR) came into force in May last year. Despite a lot of talk about the high level of fines associated with the new legislation, the Information Commissioner’s Office (ICO) did not issue record numbers of penalties under the new data protection regime: in fact, just over 90 fines were issued in the following twelve months.

Although fines often get the attention of executives and data protection professionals, financial penalties should not be the main catalyst for an organisation to re-evaluate how it handles data. The real driver of change should be doing the right thing for our customers.

Enforcement notices issued by any regulator, not just the ICO, can be read as a reference for what organisations should be doing. It is therefore important that, as data protection officers, we study the regulatory landscape thoroughly so that our own organisations are not exposed to the same risks.

Before embarking on any changes to the way an organisation handles data security, it is vital to carry out a comprehensive audit of how it handles data in the first place. There are several important questions that must be considered, some of the most pressing being:

What are the privacy and information security risks your board should be made aware of?

  • In relation to the products and services you deliver to the market, does your organisation have a clear idea of what personal data it needs, where it is stored and processed and what suppliers are involved?
  • Does your organisation have a risk-based supplier assurance approach that includes auditing high risk suppliers?
  • Does your organisation have an information security framework in place that is risk-based and explicitly includes personal data?
  • For the online products and services you offer, do you have a robust change management approach that ensures changes by third parties are assessed and controlled?

How soon can your organisation run an executive-level exercise to test its incident response plan?

This is not an exhaustive list, and it is essential that your organisation regularly audits and monitors its data handling processes to ensure that security best practice is adhered to.

Of course, even with thorough preparation in place, it is important to be ready for the day that something does go wrong. The most common reason given for data breaches is a failure in information security, and many of its causes are easily avoided given the right preparation.

Uncontrolled changes to systems or applications, for example, are one of the major reasons for these failures. This can typically be avoided by enforcing robust and consistent change control throughout an organisation, particularly when third parties are being used.

With data protection regulations set to become even more stringent in the future, it is vital that businesses take data security seriously. Doing so not only helps to avoid the financial penalties and reputational damage that often accompany a data breach, but can also offer a competitive advantage by demonstrating to customers, and to competitors, that data security is a priority.
