Managing data protection compliance effectively
New legislation around data protection and breach reporting means organisations need to put the right processes, people, and technology in place to comply. Failing to do so can create significant challenges for businesses. The new laws have already seen breaches become public that may otherwise have remained hidden.
For example, around the end of May 2018, PageUp detected unauthorised activity in its computer systems. PageUp acted promptly in declaring the data breach and engaged cybersecurity experts to help resolve the situation. Prior to the introduction of the Notifiable Data Breaches (NDB) scheme in Australia on February 22, some organisations might have sat quietly on bad news of this nature, but, with some 63 breaches declared in the latest quarterly statistics from the Office of the Information Commissioner, it seems that transparency and openness have improved.
An incident of this nature is not just a breach of security, but of the confidence and trust of clients, past, present and future. We will probably never know exactly how much it costs PageUp to resolve this, but we have a reasonable starting point: the average global cost of a data breach is estimated to be around USD 3.6m.
Data protection could become more complex in light of privacy regulations such as Australia’s Privacy Act and Europe’s General Data Protection Regulation (GDPR). That legislation places obligations on organisations to protect personal information, and gives people the right to access that information and to have it amended or deleted. In Australia, the right to access and correct personal information was introduced in the Australian Privacy Act 1988, so it’s safe to assume that Australians are becoming increasingly well informed about their rights to access their own information.
The business process around assessing, collecting, cleansing and providing information will, for many organisations, be complex, time-consuming and expensive, and it will not scale well. According to the Institute of Privacy Professionals, subject access requests were among the top three most difficult GDPR obligations for those surveyed: data portability, followed by right-to-be-forgotten requests and gathering explicit consent.
Personal information is usually stored across a range of systems, including marketing, sales, fulfilment and support, and possibly a shared content repository for contracts and similar documents. Businesses need to understand how long it would take, and how much it would cost, for someone to collate all of that information, redact it and provide it back to the requestor, or to remove it on request, or both.
The ideal solution will be a blend of good process, competent and skilled people, and appropriate technology.
Process
From the moment a subject access request is received, businesses have one month to respond. Given that personally identifiable information (PII) could include anything from job application data to phone call recordings or CCTV footage, the amount of information to collect could be considerable. It’s helpful to understand where PII is stored and which business processes cause it to be stored in those places. An initial data flow and process mapping exercise could provide this information and act as a guide for the collection process.
When providing PII, it’s important to avoid compromising the privacy of other individuals, so a cleansing or redaction process may be necessary. Plus, organisations will likely need governance and management processes to ensure that the process is completed within quality, time and cost parameters.
People
Potentially, many different roles could be required to play a part in a subject access request: for example, system administrators or owners, information architects, security officers, legal counsel and project managers. All of these people will need to know what they’re supposed to achieve, understand the parameters within which they will perform the work, and have the necessary skills and competencies to undertake it. A training program may be needed to ensure that people understand and can meet the relevant legal obligations.
Technology
Automating the process could help it scale and reduce business risk. Online forms could be used to capture the details of a request; workflow software could automate the review and approval steps, and potentially retrieve information from stores such as CRM, email or document management systems using connectors; and response documents could be generated automatically. Although some investment will be required to build this capability, the return on investment and total cost of ownership can be reliably calculated, especially when combined with workflow analytics.
Most organisations’ information networks are complex and include on-premises systems such as file shares, databases and business systems. Nevertheless, GDPR and NDB aren’t optional, so it’s important to ensure businesses are prepared. A well-prepared business can build customer trust and, potentially, use its security posture as a competitive advantage.