Legislation, hackers and consumers all contribute to the growing complexity of information privacy and data security – Tim Critchley argues that a Data Protection Officer is the only answer to keep your business protected in this data-driven era.
It would be an understatement to say that the thought of suffering a data breach keeps business leaders awake at night. There are countless research papers and studies dedicated to investigating exactly how concerned CIOs and CEOs are when it comes to securing their company’s information systems and it’s fair to say that they are scared rigid.
One such report from Protiviti and ISACA indicated that cyber-security and privacy issues ranked among the biggest technology challenges for businesses. A study from GITNS, meanwhile, found that 54.8% of C-level executives believe data security is one of their three key concerns in 2017. But neither of these reports is likely to raise eyebrows when you stop to consider the current state of data protection.
According to the UK government, in 2016 two-thirds of large British companies experienced a cyber-attack in the preceding 12 months. Clearly, any business that operates in the online world needs to be prepared for a hack that breaches their information systems. But your business probably has a CIO, a CTO and countless IT directors or managers. Surely they are capable of keeping a sharp eye on your data security?
Unfortunately, they simply aren’t enough. To pull together all the strands of data security risk you need someone whose role is dedicated entirely to protecting information and who can assess your business to find the areas of risk, and then advise on how to address these risks, whether that’s a new piece of technology or new information security processes. In other words, you need a Data Protection Officer (DPO).
Why you need a DPO
The UK’s community of IT experts is facing a new era of complexity in terms of information privacy and data security, which only strengthens the argument for employing a dedicated DPO. This comes down to a few key factors:
The perfect storm of legislation
Currently, new legislation has security experts struggling against two significantly conflicting regulations: the EU GDPR and the Investigatory Powers (IP) Act. While the EU GDPR is all about protecting the privacy of European citizens and ensuring companies are implementing the highest possible information security measures, the new IP Act flies directly in the face of this.
Essentially, this latest piece of legislation from the UK government, nicknamed the Snooper’s Charter, requires communication and internet service providers (CSPs and ISPs) to hold data on customers for at least 12 months, with the aim of combatting terrorism. The clincher of this law is that a long list of 50 government agencies (from the Food Standards Agency to the Competition and Markets Authority) can request a warrant to access this information, with seemingly few hoops to jump through to prove why they need it in the first place. Clearly, having these two laws at loggerheads makes securing data all the more complicated.
Ironically, the EU GDPR specifically stipulates that all organisations handling customer data must have an individual in the DPO role. It’s clear that the position will be essential if only to sort out the data protection priorities within these two conflicting pieces of legislation.
The world of cyber-crime has become a minefield of traps set by cyber-criminals, all designed to steal information or money from not only individuals but also from businesses. The UK government noted in a 2016 report that nearly 70% of attacks on companies involved viruses, spyware or malware.
In spite of numerous preventative measures, many companies are still falling foul of hackers. As a real illustration of how sophisticated and dangerous cyber-criminals have become, you only need to look at the headline news stories of children who have managed to hack large corporations.
For example, it was only recently that a Pittsburgh teen admitted to undertaking a cyber-attack on the Brussels airport on the same day as the ISIS attacks in 2016. If a child can manage something like this, imagine what an experienced, motivated and well-resourced cyber-criminal is capable of.
A DPO is a critical part of the picture, if companies want to go head-to-head with cyber-criminals and keep sensitive data safe.
No matter how many times we repeat the message that data security starts at home, consumers seem to neglect their personal data security on a daily basis. In fact, our own research from 2016 showed that when it comes to banking, for example, people care far more about fees (41%) than about their bank suffering a data breach (only 24%). They were also fairly unconcerned about losing financial data: just over half (52%) were worried about losing payment card details and 54% were worried about having their bank account details stolen.
This isn’t to say that they aren’t paying attention to the world of data breaches; you can be sure that they will hold you accountable should you lose their personal information, and are likely to desert your business if you do. When it comes down to it, they want companies to do the heavy lifting of protecting data, and rightly so. One of the roles of the DPO will be to protect customers from themselves.
Make data protection a priority
It’s true that many IT experts have admitted that being 100% protected against a data breach is simply unrealistic. But this doesn’t mean that those of us working in IT can afford to drop our guard, using inevitability as an excuse for lax data security. Bringing a DPO on board is one step towards ensuring that your information security processes align across the business, and that you are keeping up with the latest and greatest solutions for every inch of your internal and external technology. Whether you’re a multinational corporation, or an SME, now is the time to make sure you have the right person in place to make data protection a priority.