The world is becoming a more complex place, and this is especially true when it comes to the information technology requirements of businesses. With more and more data becoming core to the proper functioning of the organisation, securing that information has become more challenging. Add to this the very real danger of cyber-criminals targeting data stored in the cloud, and the need for dedicated resources tasked with meeting data compliance standards and building customer trust is rapidly becoming a business imperative. Is it time to appoint a Data Protection Officer (DPO)?
Mandatory DPO under EU legislation
In fact, if you are planning to do business in the European Union or the United Kingdom, you will very shortly be required to appoint a Data Protection Officer in order to comply with the EU General Data Protection Regulation (GDPR).
The important point is that the GDPR calls for businesses to make the appointment of a DPO a priority regardless of whether they are based in the EU or not. If the business sells goods or services in the EU, or ‘regularly monitors Europeans, or processes data on them’ at certain levels, then appointing a DPO is a must.
Safeguarding customer data for competitive advantage
According to Carolyn Holcomb, partner and leader in the risk assurance data protection and privacy practice at PricewaterhouseCoopers (PwC) in the U.S., it’s about time that companies appointed IT staff and information security professionals, such as a Data Protection Officer, to safeguard private data. In fact, she is of the opinion that in this day and age of increased data theft, a company that doesn’t appoint these professionals is missing out on a unique opportunity to differentiate itself from the competition.
“We see companies that are saying, ‘I can use this as a competitive advantage. Because if you can trust me more than you can trust a competitor, perhaps you’ll come to me more often,’ ” Holcomb said in a recent interview with CGMA Magazine (a magazine aimed at Chartered Global Management Accountants).
The glass is half full
According to a related PwC report, business needs to stop viewing only the negative side of data security (the potential loss of data and the associated brand damage) and instead look at the positive aspects of a proactive data protection policy. The report emphasised that data is one of a company’s most valuable assets. A more customer-centric mindset is required, one that takes into account the fact that companies that take concrete steps to protect data, and allow customers to decide how that data is used, are more likely to build trust in their privacy programs and in their business as a whole.
The TRUSTe 2014 U.S. Consumer Confidence Index indicates that 89% of consumers say they avoid doing business with companies that they think do not protect their privacy online. With the move towards more cloud-based storage and a string of high-profile data thefts, this attitude is only becoming more prevalent.
Investors demand executive action
It’s not just customers who are demanding increased vigilance and the appointment of IT professionals who can ensure the integrity and safety of data. Other PwC reports show that investors are demanding the same thing. A PwC Annual Corporate Directors Survey as far back as 2013 showed that 85% of investors said boards should be involved in overseeing the risk of compromising customer data. This has huge implications. It shows that investors are aware of the importance of data security and are demanding that C-suite executives take responsibility for how data is treated, while board members are by and large not comfortable that they know enough about how their intellectual property and other data is being protected. One of the problems is that board members are by and large not IT savvy, so the need for a Data Protection Officer who speaks ‘Executive’ is now more important than ever.
According to Eric Cole, Senior Fellow at The SANS Institute, “[Executives] will be scared but they won’t know why because they won’t know what questions they should be asking or whether the information they receive is sufficient.
“You need a security officer who is bilingual, who can convert the technology into the business language and present it with business metrics so the executives can make the right decisions about security moving forward.”
Avoiding negative outcomes
The value of having trained, professional DPOs in an organisation has never been clearer. Quite aside from the EU’s demand for legal compliance in the form of a Data Protection Officer, the sheer risk of not putting qualified personnel and systems in place cannot be overemphasised. Data breaches can be incredibly costly (there are indications that the average breach costs a U.S. company $500,000) and there’s no reason to think that Southeast Asian companies should be any different. Given the increasing frequency and sophistication of attacks, this number is probably conservative.
Then there’s the reputational damage. The Ponemon Institute (a Michigan-based research centre dedicated to privacy, data protection and information security policy) estimates that a breach increases customer churn by nearly 4%.
Don’t leave data protection to chance
The conclusion is inescapable. The time for companies to trust in luck to see them through the troubled waters that surround data protection is over. It is now time for them to appoint a professional Data Protection Officer who can operate at the very top of the organisation’s structure.