The world of data security is a highly complex and fluid environment where businesses must set in place policies and procedures that are proactive, rather than reactive to the ever present threat of data security breach, as well as complying to an increasingly rigid regulatory framework. The need for C-suite level data protection officers is only one of the requirements of the European General Data Protection Regulation or GDPR. Unlike the current Data Protection Directive, GDPR will also apply to organisations or “Data Controllers” based outside of the European Union.
The European Union is not the only region that is beginning to take notice of the fact that data protection legislation is well overdue. In Singapore, the Personal Data Protection Act 2012 (PDPA) mandates that organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA.
Other countries in Asia, Southeast Asia and Oceania have also instituted similar legislation, to a greater or lesser degree. For instance, in Australia the approach to data privacy and protection is currently made up of a mix of Federal and State/Territory legislation. Although there is no requirement for organisations to appoint a Data Protection Officer, but it has been noted that it would be ‘good and usual practice under the current law’ and guidance has been issued by the Privacy Commissioner strongly recommending it.
Need for a Data Protection Officer
Given both regional and global concerns surrounding data protection, the importance of appointing a suitable Data Protection Officer is becoming more and more urgent.
However, even the most qualified Data Protection Officer cannot act in an institutional vacuum. If a proactive stance towards the issues surrounding data security is to be maintained then it is essential that a core team of DPO’s, IT staff and other information security professionals need to work closely together. This is especially important given the onerous nature of the compliance required by the GDPR.
In terms of the regulations governing the functions of the Data Protection Officer it is strongly recommended that the Data Protection Officer be a C-Suite level executive, reporting to executive management, furthermore the DPO should have autonomy, the related budget and the necessary resources and decision making powers to execute data protection plans, address issues of non-compliance and report these issues to the relevant Data Protection Agency.
The DPO support structure
The task of the DPO is further complicated by the requirements for the handling of the data itself, as well as the associated processes mandated by the GDPR. There are several requirements regarding access to the data, the security of the data, the development of a remedial plan in the event of a data breach, regular audits, as well as handling changes to the data. Compliance will result in a significant drain on organisational resources. It is simply not possible for a single employee to handle all aspects required to achieve compliance.
It is only through close coordination between the DPO, IT, information security and compliance staff of the organisation that these requirements can be met on a day-to-day basis. This requirement for an integrated and aligned support structure becomes even more urgent when the functions of the DPO are handed to someone with existing work responsibilities, as has been the case in the past.
Cross functional teams are a necessity
According to a 2015 study by IBM and the Ponemon Institute the average cost of a data breach has increased 23 percent over the past two years to US$3.79 million per incident. The same study indicated that the average cost paid for each lost or stolen record containing sensitive and confidential information increased 6 percent, jumping from US$145 in 2014 to US$154 in 2015.
These figures give are only the tip of the iceberg and indicate the potentially massive blow to a company’s cash flow (and reputation) that can occur in the event of a data breach.
Given that the threats to data are increasing at an exponential rate it is imperative that the data custodians within the organisation are clear as to their roles and responsibilities within the data protection framework of the organisation and as governed by the relevant legislation and guidelines issued by statutory bodies in their regions – and for that matter internationally.
The importance of familiarity with roles, responsibilities and accountability assumes an even greater importance in today’s highly competitive business environment. In a marketplace which is characterised by increasing consumer and client choice, any breach can have catastrophic effects on customer faith – and in the event of a data breach, stakeholders are likely to vote with their wallets.
A more strategic approach whereby vendors, systems and processes are brought into alignment to ensure that breaches do not occur and when they do the fallout is minimised is today a strategic imperative. This requires close cooperation between the Data Protection Officer, IT, information security and compliance professionals within the organisation who are responsible for the integrity and protection of data on a day-to-day basis, as well as compliance with legislation and legal requirements. The higher level reporting requirements, auditing and compliance issues should fall within the remit of the Data Protection Officer – while operational issues must be the responsibilities of in- house information security professionals and IT staff.
The consequence of a strategic misalignment of these responsibilities can mean disaster for the organisation. Aside from the ever present risk of hefty fines for non-compliance, the risk of damage to corporate reputation are enormous. A single breach (or an accusation of non-compliance for that matter) can ruin the trust between the organisation and its clients.
Clear, concise and effective communication to restore customer faith is simply impossible without having the facts at hand and being able to explain the processes that are in place to mitigate against further occurrences. Only through close cooperation across all levels of the organisation and the elimination of silos between the reporting functions of the Data Protection Officer, information security professionals within the organisation and the IT department can this sort of communication take place.
A clear and present danger
The overriding requirement for proper process and a structured approach to data breaches is becoming even more urgent with authorities in many countries becoming more proactive on the issues of notification of individuals and organisations affected by any breach. For instance, Australia has requested public comment on its recommendations on action to be taken in the event of a data breach. In this jurisdiction authorities have recommended that if there should be a ‘real risk of serious harm’ as a result of a data breach, the affected individuals and the Office of the Australian Information Commissioner (OAIC) should be notified. The OAIC has emphasised that notification can be an important mitigation strategy for individuals, and can promote transparency and trust in the organisation or agency.
It is anticipated that recommendations like this will very shortly have the force of law in a variety of jurisdictions across Asia and Southeast Asia – and across the world. Given this situation, organisations need to come to terms with the fact that there’s nowhere to run – data breaches will become public knowledge. This only adds urgency to the fact that a single, focused team made up of the DPO, IT, security functions and in many cases compliance personnel is required to handle data breaches. Without close cooperation the organisation will be faced with a rapidly escalating situation which can spiral out of control in a very short period of time.
The requirement that the DPO and IT professionals work closely together is made even more urgent due to the fact that many organisations have exhibited a knee jerk reaction to the increasing clamour for more stringent controls due to the threats and consequences of data loss. For some companies, this resulted in a patchwork quilt of data security software – much of it from numerous different vendors.
This approach, characterised by lack of planning and attention to the processes that are mandated by governing bodies has meant that companies are struggling to meet auditing requirements.
Faced with the costs of compliance, some companies have decided that it would be simpler and more cost effective to ignore the requirements and trust in blind faith that data breaches will not occur. This is an extremely dangerous risk equation.
As digital initiatives such as cloud, social use and the mining of big data become normal practice for organisations that range from small and medium enterprises to large conglomerates so the necessity for a unified and strategically aligned approach to data security become more urgent. A developing trend seems to be an approach where the responsibilities of the Data Protection Officer, security and IT are shared – each with their responsibilities that are aligned to data protection imperatives. The danger is that a silo mentality can render cooperation between these functions extremely difficult. In order to avoid this pitfall, all players in the organisational data protection function must continually upgrade their knowledge of the issues and threats that characterise data protection in today’s complex information driven environment – and ensure that communication between the functions is clear and timeous.