Christian Toon, Head of Information Risk at Iron Mountain, explains how organisations can implement a rigid Corporate Information Responsibility (CIR) programme to be ready for the EU “right to be forgotten” legislation before it arrives.
With 93 per cent of large and 76 per cent of small organisations admitting to falling foul of a security breach in the past two years, you would be forgiven for thinking that some form of data loss within business is inevitable. Indeed Iron Mountain research found that more than half (53.3 per cent) of European businesses expect to lose data. As a result, they are unprepared when it comes to protecting company information.
This complacency is cause for concern. Many businesses are choosing to insure their business against the financial impact of data loss, rather than doing something to protect against the loss in the first place. Surely it would be more cost effective and better for the long-term prosperity of the business to invest money in closing the gaps in its data-protection programme and keep information from getting into the wrong hands?
Losing control of your data - the business impact
The European Commission's draft revision to data protection legislation includes fines of up to one million Euros or two per cent of annual revenue for a data breach. The threat of the potentially huge financial impact of data loss on a business seems to do little to promote good governance when it comes to protecting information and has so far done little to encourage businesses to take greater information responsibility.
However, it's not just the financial hit that businesses will need to take. A data breach could, potentially, be far more damaging to your business' brand reputation and customer loyalty. With the use of social media in both a business and personal context on the rise, bad news now travels faster and further, meaning that even the smallest data breach can have serious consequences.
Managing data protection expectations
Before a business can put measures in place to protect its information, it firstly needs to assume responsibility and accountability for that data - wherever the information is stored. By law, companies are liable for the loss of their own data, even if the loss occurs while the information stored with a third party. It is therefore up to businesses to scrutinise, mitigate and manage their own information risk supply chain, as part of their Corporate Information Responsibility (CIR) programme.
The proposed new EU data protection legislation will mean a big change for businesses. According to the draft legislation, timeframes surrounding notification of a breach will only afford businesses 24 hours to notify regulators. This will require processes for the identification and reporting of an incident will need to be slick and efficient. Monitoring data integrity is also a key area for businesses to address. This has become all the more complex thanks to the prevalence of social media and mobile devices. Knowing exactly what information you hold in both physical and digital formats could prove a real headache.
The legislation will force businesses to take action and not be complacent about data loss. It will bring significant positive changes to the way organisations monitor and handle information risk issues, but it won't happen over night. Examples of good practice are there to be followed. In Germany, for example, organisations are already obliged to make a member of staff responsible for data protection and ensuring compliance with the law. The challenge will be to get all EU countries to pull in the same direction.
Data breaches must not be seen as inevitable. The proposed changes to EU legislation present a chance for companies to assess whether they have the right policies in place to prevent against data loss; a chance to sure up defences, reduce exposure to information risk and showcase the business as a responsible custodian of sensitive information - a business that will take the necessary steps to protect the personal data that it holds on behalf of European citizens. When it comes to exposure to information leaks, businesses would do well to stop mopping the floor and think about turning off the tap instead.
Christian Toon, head of information risk at Iron Mountain