Ever since Snowden made his first revelations over a year ago, ‘privacy’ has become a bit of a buzzword. Once the prerogative of royals and stars (whose computers and online accounts continue to be among hackers’ favourite targets), in the information age the average consumer struggles to reconcile the benefits of personalised services and tailored advertising with the apprehension of not knowing what personal information about them is held by whom, where it is stored, and how it is used. Forrester calls this the ‘privacy-personalisation paradox’.
Equally, companies and public bodies face a difficult challenge: to paraphrase Voltaire, with big data must come big responsibilities. Get privacy right, and you have gained a competitive advantage. Get it wrong and—well, you’re in trouble. Target’s former CEO and its board of directors know this well. At stake: financial and reputational damages.
Add to the picture the fact that one of the global pillars of privacy legislation, the European Union’s Data Protection Directive 1995, is currently undergoing a substantial overhaul, and recent developments such as the May ruling of the Court of Justice of the EU on the so-called ‘right to be forgotten’, and the scenario becomes even more complicated.
So where to start? Many companies have appointed chief privacy officers (CPOs)—in Europe, data protection officers (DPOs)—whose focus is solely on privacy and data protection. In 2006, Harriet Pearson, then-CPO for IBM, said: ‘A good CPO must do more than just ensure that companies comply with the present-day law. They must also attempt to second-guess future innovation and design company security policies and procedures accordingly’.
Her words are still very contemporary and, as technology and innovation have evolved over the past eight years, so has the role of CPOs and DPOs, who went from almost invisible magicians behind the curtains of compliance to highly sophisticated professionals whose function has consistently been climbing up corporate hierarchies.
In Europe, the current draft of the General Data Protection Regulation, which will replace the outdated 1995 Data Protection Directive, requires the mandatory appointment of DPOs for public-sector entities processing personal data and for private-sector enterprises processing the data of more than 5,000 data subjects in a year. By the way, you may be interested to know that the draft Regulation also introduces fines of up to 1 million euro or 2 percent of a company’s global annual turnover, and stipulates that personal data breaches should be notified ‘without undue delay’ to the relevant supervisory authority and, if the breach ‘is likely to adversely affect’ them, also to the data subjects.
Mind you, the Regulation is not yet law, and its text is likely to undergo some changes before it is finalised, but European leaders have made no secret of their intention to make the data protection rights of their citizens a top priority.
Now, if the major data breaches that dominated the headlines in the past years have taught us anything, it is that you can have the best policies and the tightest security measures in place, but nothing can be done against human error. Or can it?
The UK Information Commissioner’s Office released some statistics on data breaches in August 2013 and the data is unequivocal: ‘More than half of the 335 data breach incidents we looked at in the first quarter [of 2013] fall into the “disclosed in error” category’, read an ICO blog post. ‘That covers everything from emails being sent to the wrong people to information erroneously included in freedom of information responses, but invariably they can be described as careless’.
Let’s face it: at any point in time, in any given organisation or public office, data is processed (accessed, shared, managed and transformed) by hundreds or even thousands of employees. These employees can be sitting in any department, and at any point in their career: they can be product developers designing a new product, sales and marketing managers trying to sell it, or human resources professionals handling employee data.
Clearly, the need for privacy training and awareness extends beyond the ‘core’ privacy team (the office of the CPO or DPO) to the entire office or corporation. Investing in privacy training for employees is a fundamental component of managing the risks associated with our data-driven economy. Marketing professionals look at privacy training and awareness through the lens of transparency: ensuring openness and customer control of their own data. Information security professionals, CTOs and CIOs know only too well what a difference a robust data governance strategy that aligns security and privacy can make.
Any employee touching data in a significant way poses a risk; yet your biggest assets are your employees. How can you afford not to invest in privacy training?
Rita Di Antonio
Managing Director IAPP Europe
Rita will discuss this concept at ISACA’s European Computer Audit, Control and Security (EuroCACS/ISRM) Conference this September, in her presentation titled, “EU Privacy: Past, Present and Future.”