When it comes to privacy and data protection, businesses need to get the fundamentals right

Are enterprises doing enough to protect data protection rights?

By Conor Hogan BSI

THIS COMING TUESDAY marks Data Protection Day, which is in place to generate greater awareness in the general public.

With increasing global regulations, there is an important focus on delivering the fundamental right to privacy.

Against the backdrop of numerous data breach scandals and a vast imbalance of power driven by data and privacy abuses, are enterprises doing enough to protect data protection rights?

Privacy matters, full stop

The UN Declaration of Human Rights recognises privacy as a fundamental but qualified right. This means it can be interfered with in limited circumstances for societal benefit.

People have the right to be free from unnecessary intrusions or unwarranted interferences. In the era of big data, artificial intelligence and machine learning, our privacy has never been more threatened, and the age of self-regulation must come to an end.

Your personal data is exclusively yours. However, we can be too ignorant of its true value in commerce. It is often not easy to see how it is used or sold to third parties or how organisations can leverage it for their own commercial goals.

Billions of consumers share their personal data daily, mostly unknowingly, with hundreds and thousands of businesses.

Every point of contact sees some sort of data exchange taking place, be it tracking location via a mobile phone, social media, shopping, travelling, receiving healthcare treatments, undertaking financial transactions or during employment.

Embedding privacy at the heart of business

Privacy has been the subject of acute interest over the last decade due to large-scale surveillance disclosures and mounting scrutiny of how data is accessed and used by governments and private businesses.

The Irish State’s attitude towards data protection has been under the spotlight recently, with the Public Services Card and how the Department of Social Protection and others use it to process certain personal data.

In the corporate world, the DPC is currently investigating several tech multinationals due to numerous data protection concerns.

With such large volumes of personal data being mined, collected, stored, even sold, employees and other stakeholders are rightly concerned about data protection.

Embedding a person-centric privacy programme can reduce business risks, increase customer trust and be a significant differentiator in the marketplace.

But how can data protection truly be embedded, especially when it is often seen as a blocker?

A first step is identifying what personal data you have and what you use it for. Knowing what you have is an important first step in identifying compliance gaps and planning improvements.

Businesses should also make the people whose data they collect aware of their rights, and of the business's practices for the collection and use of personal data, using clear and plain language. Publish a privacy notice that can be easily accessed.

Be proactive: consider privacy measures at the earliest possible stage of changes, projects and innovation activities. It is also important to revise these privacy-enabling measures regularly.

Encourage a culture of data protection in your organisation through properly resourced and targeted training and awareness programmes. Companies should also keep informed of the evolving nature of data protection regulations and privacy compliance obligations.

Strengthen your privacy credentials using training, certifications, accreditations and standards. Upskilling staff with privacy-relevant qualifications, such as Certified Information Privacy Technologist (CIPT), or achieving a standard such as ISO/IEC 27701, supports compliance and governance strategies and is a good step.

Most importantly, make data protection and privacy a board-level matter, where it can be directed, resourced and measured. If senior management is not made and held accountable for activities relating to data protection, the culture and cycle of privacy abuses will continue, and privacy protections will continue to be eroded.

Embracing data protection and privacy as a business enabler requires a change in commercial mind-set. Doing so facilitates a more transparent and proactive approach, strengthens brand reputation, addresses compliance and furthers commercial goals, making it a fundamental part of the business strategy.

Conor Hogan is senior manager of cyber, risk and advisory at Cybersecurity and Information Resilience Services at BSI 
