Convenience right now
In this age of instant gratification, we as individuals prioritise convenience over security. We share our information all too easily and underestimate the extent to which it can be misused by others. Data protection and privacy are fundamental issues for both individuals and societies.
For businesses, there are two aspects involved. The first, and rather obvious, one is data security for the organisation. In today's world, its very existence could depend on it. The second is the role of businesses as third-party users of personal data, whether directly or indirectly. So businesses need to both protect their own data assets and resources and also ensure due compliance with the laws that regulate the legal limits on their use of others' data.
Data privacy is a combination of legal, compliance, technology, and cybersecurity elements. Cybersecurity is perhaps the most prominent of these. With the rapid pace of technology unleashing ever new threats, companies are increasingly vulnerable to data theft and misuse. Research company Risk Based Security estimates that the number of records worldwide exposed to cyber harm stood at a staggering 36 billion in 2020, the worst year on record.
What is Data Privacy law?
Data privacy laws protect individuals' privacy by empowering them with ownership rights over their personal data. According to UN statistics, 128 out of 194 countries had put such laws in place.
Of these regulations, the European Union's GDPR (General Data Protection Regulation), which requires businesses to protect the personal data and privacy of EU citizens, is perhaps the most well known. Many other data protection regulations have been modelled after the GDPR, which makes interpretation easier.
Data privacy laws deal with the control process around sharing data with third parties, how and where that data is stored, and the specific regulations that apply to those processes. However, these regulations do not define 'data privacy' precisely. They require organisations to define what is 'reasonable' and leave it to them to determine what they consider best for their business.
Why is it important?
The most obvious reason why companies must comply with data privacy regulations is to avoid falling short of the law and being penalised with fines. However, it goes well beyond that. In this age of consumer-citizen activism and consciousness, there are such powerful considerations as ethics, corporate governance, and brand equity. Compliance does the following:
> Boosts corporate brand perception as an ethical, socially responsible business
> Improves the security structure of the organisation
> Gives organisations better control over data that protects their consumers' rights
Regulatory compliance begins with an understanding of the organisation, and its objectives, risks, and opportunities.
Multiple data protection laws: Since laws exist in most countries and regions, businesses must consider not only local laws but also other applicable laws around the world. For example, GDPR seeks to protect EU citizens' personal data not only within the EU but also outside it. Similarly, the Abu Dhabi Global Market Data Protection law is not confined to processing within the ADGM but also applies to data that leaves it.
Documentation: Organisations must prepare data protection policies and procedures. Response plans for managing incidents and records of processing activities enable control over the management of personal data. This documentation, along with an efficient content management system, can help the organisation achieve compliance with data protection law.
Awareness: Organisations must conduct training and other awareness programmes for all employees. Each employee must understand the importance of 'securely' managing both personal and organisational data. And every employee must feel responsible.
Sensitive/special category personal data: Data that is more sensitive in nature, or whose exposure could place an individual at risk, is considered sensitive personal data. This needs special attention. Businesses must assess the purpose of collecting such information and analyse the level of security applied when processing that personal data.
Platforms for exercising privacy rights: All data privacy regulations give data subjects rights over their personal data, such as the right to access, the right to remove and the right to amend. The organisation must be clear about how it protects the data of its customers/consumers. It should provide convenient platforms for raising data subject requests and respond to their queries.
Data Protection Impact Assessment: When launching new products, processes or services, organisations must assess the impact of the launch on personal data. This assessment involves identifying the risks and evaluating how well they may be controlled. The residual risk after implementation of controls will help the management decide whether to proceed with the launch.
A matter of culture
Privacy laws and regulations should be considered part of organisational culture and not merely as regulatory compliance. A strong data culture protects organisations' businesses and reputations by preventing data breaches and cybercrimes.
Help is at hand
MBG's Data Privacy and GRC services ensure Data Protection/Privacy regulatory compliance and provide strong organisational controls such as user access management and protection from cyber threats. Get in touch: firstname.lastname@example.org / +971-52-6406240
Alok Bishnoi is partner for risk and technology advisory and Madan Mohan is director for technology advisory