Data security and privacy is here to stay: what you need to know

Data security and privacy have taken centre stage. Businesses routinely identify these risks as their number one concern, and for good reason. The legal and brand ramifications can be severe if a business fails to adopt adequate security measures. Close behind is a company’s ability to respond promptly to consumer requests for information a company may have about them, and how it is being used – generally referred to as Data Subject Access Requests under the European Union’s recently enacted General Data Protection Regulation (“GDPR”), and California’s much-anticipated Consumer Privacy Act of 2018 (the “CCPA”). The CCPA and GDPR also give citizens the right to sue businesses that fail to protect their personal information or disclose what is being collected and how it is being used.

Most notable may be that both of these initiatives are expected to spawn a cottage industry of individual enforcements and class actions, not just against companies registered to do business in California and the EU, but for any entity that serves customers in those jurisdictions. The European Union’s GDPR authorises fines up to €20 million or 4 per cent of annual revenue for businesses that fail to comply with its requirements. Not surprisingly, the new EU and California initiatives have breathed new life into the prospects for a single US-wide data privacy and security standard, the precise details of which are certain to be contentious.

The challenge that most medium to small-sized businesses face today is whether to commit the resources necessary to comply with the letter of the laws as they now exist, or to hold off until a clearer picture emerges, knowing that regulators will not give a pass for non-compliance simply because the target keeps moving. There is in all of this change, however, a comforting fact: even as data privacy and security laws continue to evolve rapidly, businesses can take simple steps to begin preparing themselves for the challenges that lie ahead by implementing some of the core principles of basic information governance.

The task of identifying all of the laws that may apply, much less complying with them, may seem herculean at first, but experience teaches us that most businesses – those whose revenue comes from doing something other than analysing data profiles – can meet this challenge by addressing the process in manageable bites:

First, understand what data you collect, and why. Second, map how data flows through your organisation, who has access to it, and how it can be gathered in response to a request. Third, update your internal and external privacy policies (and if you don’t have any, start the process of developing one by understanding what your data risks are, as well as your organisation’s appetite for such risks). Fourth, review your contracts with vendors. Do they include adequate and consistent data security and privacy clauses? Fifth, prepare an incident response plan. Sixth, evaluate your cyber risk profile and which of the dizzying array of cyber insurance products actually suits your needs.

By taking these basic steps, you can build a solid foundation of information governance principles that can be applied regardless of where the regulatory initiatives may end up, and at the same time establish a culture of commitment to data security within the organisation that will be your first line of defence.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
