Data protection has become one of the hottest issues in the boardroom since General Data Protection Regulation (GDPR) was introduced in the European Union in 2018. But some companies are still struggling to find the right strategies to protect their customers’ data.
GDPR gives data subjects—the public—the right to control how their personal data is used by organizations. The law obliges businesses to protect the personal data of prospects, customers and staff, and is backed up with a system of penalties for failure to do this. Regulators can impose fines of up to 4% of a company’s worldwide annual revenues if they fail to protect the personal data of individuals in Europe from misuse, theft or loss.
Since GDPR’s introduction, regulators have imposed $126 million in fines on companies for failing to protect data. More huge fines are on the way. One company is contesting a levy of more than $100 million—3% of its annual revenue. Another is facing a fine up to hundreds of millions of dollars for a major breach of customer data.
The regulation affects any company handling data of individuals located in Europe, so that pretty much includes most global corporations. While many boards of directors and chief executives are taking data protection seriously and have put in place strong measures to comply with the rules, too many are leaving it to chance or are not exercising proper oversight.
Regulators are more likely to go easy on companies that can demonstrate they have made every effort to comply with GDPR, even if they do suffer a breach. However, those deemed to have paid scant attention to data protection could be heavily sanctioned.
Privacy by Design Is Best Practice
So, what should the C-suite do to protect the personal data their organization holds and ensure they are complying with GDPR?
Above all, the rules require that companies implement “privacy by design.” That means building data privacy and data protection into the organization’s technology infrastructure from the start, rather than adding it later as an afterthought.
For every activity or project, an impact assessment should be made to consider how it affects personal data. Where possible, entities should consider pseudonymization, which reduces the risk to personal data. Companies should only process the data necessary to achieve their legitimate business aims and must only store data for as long as is necessary for such legitimate purposes.
Data hygiene should be as much part of the corporate DNA as food hygiene is in a restaurant. To achieve privacy by design, the C-suite must ensure that their organization has total visibility of all the data they hold and that they have clear policies in place for how the data is handled.
An organization must always know where personal data is stored, which members of staff and third parties have access to it and how it is used. There needs to be a clear distinction between personal and non-personal data. The system should ensure that data cannot be accessed by those without authority and cannot be used for purposes that are not known to the data subjects.
Demand Answers to These Questions
To make sure that privacy by design is embedded in corporate operations, company boards need to request regular updates from staff members who oversee GDPR—be that the data protection officer, the chief data officer, chief risk officer, or chief information security officer. Questions they need to ask include:
- Who owns data protection at our company?
- What is the status of our privacy compliance?
- Do we have the right processes in place?
- What is our data handling policy? How well developed is it?
- Do you know where all the personal data resides in our systems?
- Is data secure with our vendors?
- How do you ensure data handling complies with GDPR and other applicable laws?
- What is the likelihood of a data breach happening?
- How serious could it be?
- Are we prepared to respond if it happens?
- What are the concrete steps we can take to mitigate these risks?
As with any issue of risk, boards must weigh the costs of complying with GDPR against the possible losses from fines and the operational and reputational damage caused by a data breach.
Compliance doesn’t come cheap. It includes paying for specialist staff to oversee data protection, maybe also investing in technology that maps all of the company’s data and displays it digitally. The data protection officer can then look at a digital spreadsheet to see where the data resides and identify risks and protections for key personal data.
What’s This All Going to Cost?
How much should an organization invest in data protection? That depends on how the organization uses personal data and what kind of risks it is exposed to. CISOs should be able to assess the risks of a data breach and the likely costs. They can do this by carrying out a risk assessment and assigning scores, for instance between 1 and 5.
For example, if there is a high risk of a breach because the data is widely used and may attract the attention of hackers or be misused by employees, the risk score might be a 5. Then a different score between 1 and 5 should be assigned to the potential damage a breach could cause.
In the case of a company handling customer credit card details, it might be high—for instance, a 4. By multiplying these two figures the risk score would be 20. This is a high risk, so the company should invest heavily in the staff, tools and impact assessments needed to protect this personal data.
A major benefit of such an investment is that it dovetails neatly with the best approach to cybersecurity. Organizations that take cybersecurity seriously and create strategies for security by design will succeed at GDPR compliance too.
Data protection regulators have flexed their muscles and shown they are willing to impose penalties on companies that fail to implement state-of-the-art data protection policies. Every organization needs to take heed and make sure their systems and processes are up to the task.
I welcome GDPR because it forces businesses to treat data with care. The best practices for complying with GDPR are also the building blocks of a credible cybersecurity strategy. Privacy and security by design are the baseline for doing business in the data age.
Fred Streefland is Chief Security Officer for North and Eastern Europe at Palo Alto Networks.