Regulation such as Europe’s GDPR truly put privacy information management on every corporate agenda in 2018. Individual ownership of personal data was emphasized, and companies across the globe were forced to protect this right in a legally compliant way.
Consistently protecting personal data continues to challenge companies. A recent Espresso survey by DNV revealed that maturity has only slightly increased since the comparable 2019 survey. When GDPR was implemented 4 years ago, companies were scrambling to ensure compliance. It seems this may have remained the main angle for many companies. However, approaching privacy information management from a legal perspective alone could be very limiting.
People: the main source of risk
Companies in the survey indicated human error as the main source of risk (44.5%). It is followed by lack of awareness among employees or poor organizational culture (27.7%) and lack of legal competence/interpretation of legal requirements (25.3%). Concern over organizational, cultural and competence issues, rather than external threats, is not necessarily very different from the picture painted in 2019. However, there is a shift in actions from IT to people. In 2019, IT security enhancement was the primary investment area; it has now been surpassed by staff training and awareness, which is prioritized by almost 1 in 2 companies.
When human error and lack of awareness are considered major risks, it often means that effective culture building has not taken place. This could easily be mitigated by implementing a formal management system assurance model. Every organization experiences staff turnover, for example through attrition and the hiring of new people. This requires training new staff and refreshing the awareness of existing staff at regular intervals.
Building a consistent security culture
This need can best be met through a management system model based on the best practice captured in the privacy information management system standard ISO 27701. The standard sets forth specific requirements on regular training and awareness to ensure a consistent level throughout the organization. This leads to increased engagement and empowers employees to think in terms of “privacy”, helping them better manage “uncertainty” related to privacy. Experience from other areas, such as information security, has clearly demonstrated the ability of an organization to build and improve a security culture through the implementation of a management system.
In a multi-connected society, the threats to privacy span from information and cyber security to wrongful, even if unintentional, use or storage of data by the company itself or other legitimate actors. IT security investments are essential and are rising on all corporate agendas, as most companies seem at risk these days. However, the weak point in the data chain is often the person using the information and the devices or software handling it. This underscores the strong need for regular training. It can be e-learning, smaller training pills or more extensive training for all personnel involved in data management.
Systems drive a robust, reliable approach
Of course, there are other aspects that are important in addition to a compliant management system. For example, the presence of properly trained internal subject matter experts, who act as the focal point for requests or doubts among personnel, is essential. Such experts can also help any company really expand the logic of privacy by design and default. It systematically ensures data security by implementing, at the design stage of any project or change in how data is handled, processes that limit collection and processing, ensure quality, manage retention and disposal, and apply controls during transmission of data.
The DNV survey revealed a heavy investment by companies in training and awareness of staff to mitigate the risk of human error. Investing in competence is always a constructive approach. We do see an opportunity for companies investing heavily in training to pair this with implementation of an ISO 27701 privacy information management system to get a more robust, resilient and reliable approach.
By Nanda kumar Shamanna, ICT Business Manager, DNV