The way enterprises organise and protect personal data is changing.
There is a new imperative: personal data held by companies must remain accessible only to those authorised to see it. This is reinforced by the EU's General Data Protection Regulation (GDPR), which requires companies to take responsibility for that data, to put serious safeguards in place, and to face penalties for non-compliance.
In previous blogs, we've looked at the process of researching where personal data is held and how best to collect it. Now we'll look in more depth at the culture shift required to protect it.
New security responsibilities
While many companies have effectively outsourced the consequences of data breaches to insurers, the GDPR makes this approach far less attractive. Firstly, the GDPR obliges companies that suffer a personal data breach to report it to the supervisory authority (within 72 hours of becoming aware of it, under Article 33), raising the prospect of a large and effectively uninsurable regulatory fine, protracted litigation by the affected data subjects, and damage to the company's brand. Secondly, a large share of breaches (the author puts it at two thirds) originate at processors or co-controllers rather than at the controller itself, and the GDPR introduces shared liability between all parties in the data supply chain, so a controller can no longer treat a processor's breach as someone else's problem.
In other words, once the GDPR is in force, a company that holds personal data becomes its custodian and must manage this heightened risk by treating the controls and processes that protect that data as a core obligation. It also becomes incumbent on the company to demonstrate its trustworthiness to the regulator, to its supply chain and to its customers.
Personal data security can therefore no longer be treated as a paperwork exercise, such as periodically completing a privacy impact assessment (PIA) form, which the GDPR formalises as a data protection impact assessment (DPIA). It is a set of responsibilities that must be owned and measured. Note too that relationships with the supply chain will need to be restructured to give greater transparency and ongoing oversight of how processors handle the data entrusted to them.
So the idea that company-held personal data can be protected by buying insurance and filling in a few forms is no longer viable.
Instead, a cultural transition needs to take place. Managers must accept that they are custodians of personal data and that unauthorised exposure will have severe consequences that can no longer be swept under the carpet. Privacy breaches affect the lives of real people, who will now have the power to hold organisations to account.
As part of that cultural shift, consideration needs to be given to the software used to map and protect personal data. What is required is an environment and software operated under a recognised security standard, such as an ISO 27001 certified information security management system, with access restricted to named, authorised roles. Further, you need to let your supply chain share information with you securely, because a key element of the culture shift is showing third parties that you take your security responsibilities seriously and expecting the same of them.
This cultural shift, when combined with the right tools for the job, can help you navigate GDPR compliance and improve your competitiveness. trust-hub offers services and tools that can help you along this critical journey.