Fanny Evans, Senior Associate, Morgan & Morgan
In 2013, Virginia Ginni Rometty – CEO of IBM, said “I would like you to think of big data as the next natural resource that can be to our era what steam, electricity and oil were for the Industrial Age.”
Probably, you have read or heard: Data is the new oil! Data is the new bacon! Data is the new currency! These analogies have become very popular because data is now considered one of the most important commodities.
This is the result of the emergence of many successful Social Networks that, although they are not payment platforms, have turned the data into a source of value.
The need for a data-protection compliance program in business is becoming increasingly important after several high-profile leaks of companies’ data. Some of the biggest data breaches over the last two years include T-Mobile, Marriot, British Airways, Quora, Google, Orbitz and just recently, Capital One bank in the United States. A successful data breach may occur in less than one minute. Yet, businesses may take more than weeks to realize a breach has occurred.
When giving the first steps into complex waters like data protection, it is very common that companies get lost in the avalanche of legal requirements or in developing that product or service that might result attractive to its clients. However, for a business, changing the focus to issues that they may consider more interesting should never be an option because the results of data breaches include many types of damages: fromreputational to financial. Sometimes it can even affect an entire country as happened with, in my opinion, the wrongfully or unjustifiably called “Panama Papers”.
In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) which came into force on May 25th, 2018, is the new framework for protecting that right. Other countries are looking to the GDPR as they develop or implement their own laws to protect data.
Even if companies have an “it will not happen to me” approach to data breaches, in many countries, legislation is forcing them to rethink their reasoning. Here is where compliance plays an important role to help to plan a data-protection compliance program.
Here are five steps that can help as guidance when drafting or reviewing your data-protection compliance program:
- Understand your risks and legal and ethical obligations
One of the most important elements when building a data-protection compliance program is considering your risks and what is most important and mandatory to the business, instead of jumping into the requirements of a legislation without fully understanding your needs because not all risks or obligations are managed in the same manner or to the same extent. This program needs to set out the appropriate guidance in key areas.
Having said the above, the first step should always be to understand the business necessity to comply. This involves a careful analysis of what your obligations are, what the risk of breaching those obligations might be and what risks your company is willing to take.
- Document and review your policies
Your data-protection compliance program should be properly documented. Once the obligations and risks are understood, it is vital to document them. It is not just enough to know you are data privacy compliant. Your data-protection compliance program should be clearly verifiable and readily accessible through accurate reports and documentation for internal or external examinations.
The compliance officer shall perform a formal review on a regular basis to ensure that the data-protection compliance program is progressing as planned and that it is adjusted to meet any changes in legislation or the business.
- Allocate ownership
The responsibilities and tasks related to confidentiality and data-protection may overlap with other business policies, such as information technology security, recordkeeping, risks and audit, human resources, management of confidential information and others as it requires various skills to succeed. Therefore, the most advanced and elaborated data-protection compliance program will fail if there is no clear ownership of the tasks. Each business will structure the ownership differently, but it is vital that who is the owner of each task of the program is clearly understood and that the owners have the necessary resources, including training, so that they are competent to fulfil their role in a manner that is consistent with the business’ compliance culture.
- Provide training and the necessary resources
Always train your staff. If you have an informed team it will reduce your risk. Raise staff awareness.
Not only does training staff reduce the risk of breaches, it also demonstrates compliance before internal and external inquiries. For example, if an organization was to experience a data breach and they had documented their staff training on data protection, this would be used as evidence to prove that they had taken the appropriate steps to prevent a data breach and were taking the legislation seriously, if any.
Training should aim to ensure that all members of the team have an understanding of the data that they will have access to and the risks entailed. Training should be provided on a regular basis, and it ought to be performed again whenever there are significant changes to positions, structures, risks or obligations, or when actual issues arise. Also, the business shall incorporate data protection training into its process for onboarding new employees.
Businesses shall embed data-protection compliance program into it culture so that protecting information becomes second nature. This aspect, training and continuing education, should always include senior management.
- Review the Financial Action Task Force (FATF) Guidance on the Risk-Based Approach
A risk-based approach to compliance involves identifying the areas of high risk within the business’s compliance universe and building and prioritizing its compliance programs around these risks.
In order to assist both public authorities and the private sector in applying a risk-based approach, the FATF has adopted a series of guidance in co-operation with relevant sectors. Businesses shall review the guidance applicable to its industry to make sure that the appropriate mitigation measures in accordance with the level of risk are taken.
Data is one of the most important assets a business has. For that reason alone, data protection compliance program should be a top priority for any business.