“Keep Calm and Carry On” seems a ﬁtting theme for the ﬁnally-published General Data Protection Regulation (GDPR) - a new Europe-wide legislation which is designed to give individuals greater control over their personal information. However, this is only the case if you’re one of the organisations already valuing customers’ data.
Unfortunately, for too long, some organisations have “presumed” consent, worked with “implied” permission, experienced data losses which have taken months to detect and report (remember Sony and Target?) and, in some cases such as TalkTalk, have been unable to properly classify which personal data has been compromised. No CEO wants to look as ill-informed as poor Dido Harding, and customers have an absolute right to expect better.
DQM GRC’s new research, in association with DataIQ, shows the extent to which consumers have become both suspicious and savvy about how companies use their personal details. Awareness of data protection controls is high among consumers, with 84 percent having seen cookies notices, 76 percent unsubscribe links in emails and 74 percent have noticed privacy policies. Yet only half say they notice registration forms and requests for their personal data, which suggests that they overlook the starting point of how an organisation comes into possession of their personal information and subsequently makes use of it.
A signiﬁcant proportion (49 percent) are reluctant to share details unless there is a clear justification behind why they should - except if they trust the brand. Equally, consumers expect companies to encrypt their data and use technology that is properly monitored to prevent hacking and the consequent distress that accompanies those events. This is with good reason, as half of those surveyed had experienced some kind of personal data breach (such as a website hack, account hack, or even identity theft).
The research shows that consumer expectations about how their data will be protected align with what regulators endorse, but that this may also prove taxing for organisations; 76.8 percent expect encryption, 67.5 percent believe that ﬁrewalls should be kept up-to-date and half think that usage will be both limited and monitored. Whilst consumers are perfectly entitled to demand organisations take these steps to ensure their data is protected, implementing these processes may be difficult for the 18.4 percent of organisations who admitted they will require 12-24 months to make the required changes – cutting the GDPR two-year deadline quite finely.
In some respects, it’s a shame that it’s the headline-grabbing, eye-watering ﬁnes of up to 4 percent of global turnover or €20m plus the requirement to notify customers and the ICO of unencrypted data breaches, that are catching businesses’ attention. However, if this is what it takes to make companies wake up and realise it is not their data, it’s our data that we are entrusting to them for safe keeping, then this is definitely substantial progress. It should certainly help the business case.
So what can organisations do?
Firstly, organisations need to evaluate the personal data they have; categorising the data so they are clear where the personal and sensitive data resides and where other less important data sits in the company. Usually, drafting a data ﬂow map will help businesses to understand the pattern of data through the company, provide clarity on who has “eyes on” the data, what skills these people have and, ﬁnally, highlight where the data ends up.
Once organisations understand just what personal data they have, they should then ensure that regular risk assessments are completed in order to understand the degree of threat imposed on the company when processing data. Indeed, the GDPR demands a “risk-based approach” with the development of appropriate controls. This should, in a single stroke, ensure that management recognise the dangers associated with the loss, misuse, theft or any other compromise of customer data.
For organisations that pass data onto third parties, there is often a tendency to presume that they must operate to high standards of data security and protection. However, the GDPR now states that controllers must only engage with processors who can provide “sufficient guarantees”. Basically, as the data owner, you must check they have effective “technical and organisational measures to ensure the security of the processing”.
Subsequently, there is now an essential need for organisations to prepare a breach notiﬁcation plan in the event that something does actually go wrong. If you’re already clear on what type of personal data you manage (categorisation) and where it is (data ﬂows), then this process will be somewhat easier. However, it’s worth being clear on who will co-ordinate the customer communication, the media response and the remedial activity - and make sure you rehearse this so you are practiced in the actual event; consider it a data breach fire drill.
The benchmark for what organisations should do when they suffer a data loss or breach is set high by consumers - 92 percent of those surveyed said they expect to always be notiﬁed and told exactly what information has been lost or stolen. In addition to this, the research also revealed that consumers would expect a public apology from the company, as well as compensation (57 percent each).
However, if consumers are demanding to know what personal information has been compromised in a data breach, organisations will need to classify their data assets. Worryingly, only 30.7 percent have done this for all of their data types and one in ﬁve companies resist the idea, with 11.4 percent saying they would not do it and 9.7 percent that they would only do so if required by law.
One of the best forms of data protection is to ensure all aspects of the organisation involved in using personal data are equally included in the data governance processes. This ensures all functions operate to a common standard, which is particularly vital in the event of a data breach. It is also important for organisations to try and spot trends in any data problems that occur, and to not just record issues separately. Otherwise there will be a risk that each incident will be seen as unique, rather than having common root causes – which can then be rectified and solve the entire issue.
Additionally, it is vital that organisations consider an engaging staff training programme to ensure all employees are aware of the valuable asset they are dealing with and understand the need to manage data securely. Data security is an important component of building consumer trust and conﬁdence. Finally, all organisations should respect the personal data they have in their possession and treat it like it is their very own – otherwise the new “privacy aware” consumer may decide to take it elsewhere…
Christine Andrews is managing director of data governance, audit and consultancy firm DQM GRC.