What's been done for data privacy since GDPR?
Businesses have developed new roles dedicated to protecting privacy
This year, privacy continues to be the most important aspect of data management as an increasing number of consumers are growing concerned about their privacy and the security of their personal information.
According to research from the Global Web Index, 51% of European respondents are concerned about the Internet eroding their personal privacy and 60% worry about how their personal information is being used by companies. In the US, these figures rise to 62% and 65% respectively. While in Europe GDPR was introduced to protect consumers’ privacy and safeguard their data, it also seems to have increased awareness of the misuse of data. People now realise the importance and value of their personal information and, as a result, are demanding greater control over their information and increasingly becoming unwilling to give up that information.
While organisations have already put processes in place to drive compliance with GDPR, they must recognise and acknowledge this consumer trend and continue to enhance their processes and policies to sustain a data privacy programme and ensure proper protections and safeguards. Failing to do so could have dire consequences: not only fines from regulatory agencies, but also the loss of customer trust, since any failure to protect privacy and safeguard personal information, even a slight one, could cost a business that trust.
Additionally, as companies come to grips with the privacy and security issues relating to personal information, the concept of information ethics is coming to the fore. So, what are businesses doing in order to provide for continuous improvement around the issue of privacy? And what does information ethics mean for data privacy?
Creating new roles
As businesses start to understand that information ethics is a major corollary of data privacy and security, more and more organisations are beginning to look not only at what they could do with data but at what they should do with data. This "should" is not about doing more with the data, but rather about doing more to add value to the relationship with the consumer.
There is a growing complexity concerning who should have access to personal information, for what the personal information can be used, and whether data should be used for anything other than its initial purpose, even if that is for the benefit of the consumer. Consequently, businesses must take a clear view on these issues to maintain trust with their consumers. Yet, while the subject of privacy is a board-level and senior management risk issue, barely half of organisations have adequate controls in place. To change that, it is vital that the message of data privacy, the support for controls throughout an enterprise, and the organisation’s stance on the ethical use of data comes from the top.
As organisations begin to look beyond compliance to drive competitiveness through the governance of personal information, the issues of trust and ethics pertaining to that information become more crucial to the success of the business. More businesses are beginning to treat personal information as a critical asset, as they would money, and are appointing senior people to lead the governance and ethics roles. One of the most effective ways businesses are doing this is by developing new roles with the sole purpose of protecting privacy.
A number of organisations have already adopted this model, with businesses like InterSystems appointing a Data Protection Officer, a Trust and Ethics Officer, or a Chief Ethics Officer to ensure those organisations not only maintain compliance but maintain trust through the ethical use of personal information. The creation of these roles sends a strong message that trust, and by extension, privacy, security, and ethics, are at the forefront of the culture of an organisation. But more than that, this approach moves the discussion on from businesses purely being interested in being compliant, to focusing more on operating ethically and doing the right thing.
Developing a culture of accountability
While more organisations move to develop a senior leadership approach to data privacy, in the year since GDPR, a growing number of businesses are trying to put data privacy on the radar of their entire employee base. In these organisations, it is becoming everyone’s mission to have an understanding of provenance and the use of information, with everyone taking accountability for how the organisation collects, uses, and shares personal information. The idea of accountability is that “we say what we do and we do what we say” and, importantly, “we stand by doing what we do.”
This culture of accountability is something that is also being extended to how organisations talk to their customers about data privacy. Increasingly, businesses are being open and inclusive, telling customers about what they are doing with personal information and how they are protecting it. Some businesses recognise the need to close the gap in terms of the expectations, responsibilities, and actions relevant to privacy protections and information ethics.
With major data breaches, such as recent ones that exposed the data of almost 400 million people, and with health and credit card information easily available on the dark web, it is no wonder fewer people are now willing to part with their personal information.
That said, it may be possible to overcome the distrust these occurrences tend to inspire by taking an open and honest approach to talking to customers about how their personal information is used, stored, and shared. The issue of trust is something that organisations have come back to time and again since the introduction of GDPR, and it is echoed by leaders like Shell CEO Ben van Beurden, who believes that transparency and ethical behaviour are integral to gaining public trust.
Reducing the amount of data
Just as was the case when originally preparing for the introduction of GDPR, businesses must continually review and reduce the amount of data they hold. To adhere to privacy regulations, businesses must continue to identify what personal information they hold and what purpose, if any, this data continues to serve for the company.
According to Gartner, organisations that do not revise their data retention policies to reduce the overall data held, and by extension the data that is backed up, will within the next two years face a huge sanction risk for non-compliance as well as the impacts associated with an eventual data breach. The more data an organisation holds, the more risk it carries.
Governance frameworks
Implementing a governance framework goes beyond compliance because it ensures appropriate behaviour in the creation, storage, use, and deletion of information through the integration of processes at all levels of an organisation. A governance framework can be used to look at the issues of privacy and security and at how the related business processes can be consistently and reliably implemented across an organisation. Within such a framework, the organisation examines both privacy and security matters: for privacy, the focus is on the collection, use, and disclosure of personal information; for security, it is on the confidentiality, integrity, and availability of that information. As organisations implement a governance framework, they may seek outside auditors to demonstrate that they are trustworthy.
A year on from GDPR, and compliance and data privacy remain at the top of the agenda for most organisations. While the initial work to achieve compliance may now be a distant memory, businesses must continue to improve their efforts in this area as the narrative moves beyond mere compliance and towards trust and ethics.
Ultimately, maintaining data privacy is an ongoing battle. As a result, companies not only implement new processes and ways of working, but also develop a culture of accountability that supports the company's efforts to maintain a data privacy programme led by a Data Protection Officer, Trust and Ethics Officer, or Chief Ethics Officer. In the coming years, we will see more follow suit, with trust and ethics driving decisions on the processing of personal information.
Ken Mortensen, Data Protection Officer at InterSystems