Improving Global Privacy and Security Programmes

01 August 2019

By Cyber Collective Partner Ankura’s Noriswadi Ismail, Managing Director of Data Privacy.

The UK Information Commissioner’s Office recently announced its intention to impose a £183 million fine on a company for a data breach.

This followed a sophisticated and malicious criminal attack by hackers that resulted in the theft of customers’ credit card details.

This is the first UK fine proposed for infringements of the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, a fine that is 367 times higher than any levied under previous data protection laws.

This strong enforcement action highlights the importance of having in place a privacy and security programme, as well as a robust framework to ensure that responsible data governance is socialised across the business, and that policies and procedures are stress-tested to ensure their resilience.

Viewing Data Risk Through a Data Governance Lens

The starting point for a company wanting to enhance its privacy and security programme is to look at it through the lens of “data governance”. Privacy, cyber risk and data management need to be viewed and managed holistically through an integrated programme.

What may be needed is a fundamental change in culture. The traditionally deployed approach is often siloed, with insufficient communication between technical security experts and privacy officers.

It will prove beneficial to replace this approach with one involving constant communication, collaboration, and an overarching strategy designed to ensure compliance with privacy laws, reduce cyber risk, and unlock data-related value.

Implementing a structured global data governance framework will provide a sturdy foundation for data-related policies and procedures, while improving the company’s threat resilience.

It also offers a baseline for companies that need to manage data risk globally, be it in the US, EMEA, ASEAN, APAC or elsewhere.

Without this, corporate data management will be disorganised, making it difficult to demonstrate compliance and accountability to global regulators. Not having a structured global framework in place also leaves companies vulnerable to cyber-attacks and data breaches.

A standard data governance framework used at a mature organisation typically includes a central data risk steering committee, a data governance steering committee, or a GDPR steering committee. All data stakeholders should be represented, including operations, finance, HR, and marketing.

Such a committee ensures that policies and business practices are aligned, while taking responsibility for implementing policy and periodically auditing the organisation.

At a secondary level, mature organisations will also have data security and privacy champions who act as brand ambassadors for responsible data governance and as liaisons for all business units.

The heavy lifting, when it comes to ensuring compliance and protecting data, is carried out at the third tier of the data governance framework by dedicated privacy and cyber teams.

In addition to privacy compliance managed by legal, many companies now have data protection officers (DPOs) tasked with stakeholder engagement and overseeing the operationalisation of policy.

For example, if the business is working with a new third-party technology supplier, a privacy impact assessment will allow the DPO team to vet the technology from a privacy compliance perspective. Cyber risk can also be assessed with input from the CISO.

The privacy officer will review any potential vendor agreements and put in place data transfer mechanisms to comply with data protection legislation.

The company’s incident response plan (IRP) can then be adjusted to account for risks materialising due to the new technology and related data flows.

Walking the Talk

The second fundamental step for companies to take on the path to mature cyber risk management is to ensure that all policies and procedures are socialised into all levels of the business and stress-tested.

Many companies have seemingly perfect policies, but applying the box-ticking approach to compliance will not withstand a challenge — such as a cyber-attack that is capable of bringing a company to its knees.

A more proactive approach starts with questions such as: How often is the IRP stress-tested? Is the plan easily accessible? Has a desktop drill been carried out to simulate a cyber-attack and test the actual response? Has penetration testing been conducted?


Privacy and cyber security champions are often the catalysts for socialising data governance.

These ambassadors, in addition to their day-to-day responsibilities, constantly engage with stakeholders to question their methods of data handling, review risk, and connect the organisation’s privacy and security dots.

Roadshows and campaigns — such as the “Know Your Data Campaign” — are also invaluable to ensure that policy and procedure are embedded into business processes, and that risks are identified and mitigated.

In conclusion, implementing an integrated data governance framework will have a domino effect that ultimately reduces your company’s level of risk, as privacy and cyber programmes are put into use and data visibility is improved.

The framework will also provide a platform for innovation and help companies to manage and leverage their critical data assets more effectively.


  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.


Services provided in the United Kingdom by Marsh JLT Specialty, a trading name of Marsh Ltd and JLT Specialty Limited (together “MMC”). Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). JLT Specialty Ltd is a Lloyd’s Broker, authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 310428).
