By Cyber Collective Partner Ankura’s Noriswadi Ismail, Managing Director of Data Privacy.
The UK Information Commissioner’s Office recently announced its intention to impose a £183 million fine on a company for a data breach.
This followed a sophisticated and malicious criminal attack by hackers that resulted in the theft of customers’ credit card details.
This is the first UK fine proposed for infringements of the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, a fine that is 367 times higher than any levied under previous data protection laws.
This strong enforcement action highlights the importance of having in place a privacy and security programme, as well as a robust framework to ensure that responsible data governance is socialised across the business, and that policies and procedures are stress-tested to ensure their resilience.
Viewing Data Risk Through a Data Governance Lens
The starting point for a company wanting to enhance its privacy and security programme is to look at it through the lens of “data governance”. Privacy, cyber risk and data management need to be viewed and managed holistically through an integrated programme.
What may be needed is a fundamental change in culture. Often, a traditionally deployed approach is siloed, with insufficient communication between technical security experts and privacy officers.
It will prove beneficial to replace this approach with one involving constant communication, collaboration, and an overarching strategy designed to ensure compliance with privacy laws, reduce cyber risk, and unlock data-related value.
Implementing a structured global data governance framework will provide a sturdy foundation for data-related policies and procedures, while improving the company’s threat resilience.
It also offers a baseline for companies that need to manage data risk globally, be it in the US, EMEA, ASEAN, APAC or elsewhere.
Without this, corporate data management will be disorganised, making it difficult to demonstrate compliance and accountability to global regulators. Not having a structured global framework in place also leaves companies vulnerable to cyber-attacks and data breaches.
A standard data governance framework used at a mature organisation typically includes a central data risk steering committee, a data governance steering committee, or a GDPR steering committee. All data stakeholders should be represented, including operations, finance, HR, and marketing.
Such a committee ensures that policies and business practices are aligned, while taking responsibility for implementing policy and periodically auditing the organisation.
At a secondary level, mature organisations will also have data security and privacy champions who act as brand ambassadors for responsible data governance and as liaisons for all business units.
The heavy lifting, when it comes to ensuring compliance and protecting data, is carried out at the third tier of the data governance framework by dedicated privacy and cyber teams.
In addition to privacy compliance managed by legal, many companies now have data protection officers (DPOs) tasked with stakeholder engagement and overseeing the operationalisation of policy.
For example, if the business is working with a new third-party technology supplier, a privacy impact assessment will allow the DPO team to vet the technology from a privacy compliance perspective. Cyber risk can also be assessed with input from the CISO.
The privacy officer will review any potential vendor agreements and put in place data transfer mechanisms to comply with data protection legislation.
The company’s incident response plan (IRP) can then be adjusted to account for risks materialising due to the new technology and related data flows.
Walking the Talk
The second fundamental step for companies to take on the path to mature cyber risk management is to ensure that all policies and procedures are socialised into all levels of the business and stress-tested.
Many companies have seemingly perfect policies, but applying the box-ticking approach to compliance will not withstand a challenge — such as a cyber-attack that is capable of bringing a company to its knees.
A more proactive approach starts with questions such as: How often is the IRP stress-tested? Is the plan easily accessible? Has a desktop drill been carried out to simulate a cyber-attack and test the actual response? Has penetration testing been conducted?
Privacy and cyber security champions are often the catalysts for socialising data governance.
These ambassadors, in addition to their day-to-day responsibilities, constantly engage with stakeholders to question their methods of data handling, review risk, and connect the organisation’s privacy and security dots.
Roadshows and campaigns — such as the “Know Your Data Campaign” — are also invaluable in ensuring that policies and procedures are embedded into business processes, and that risks are identified and mitigated.
In conclusion, implementing an integrated data governance framework will have a domino effect that ultimately reduces your company’s level of risk, as privacy and cyber programmes are put into use and data visibility is improved.
The framework will also provide a platform for innovation and help companies to manage and leverage their critical data assets more effectively.