BY MICHAEL IRENE, PhD
Data protection risks are hard to pin down. As technology changes faster and the volume of personal data processed for various purposes keeps growing, the potential risks expand in alarming proportions. Enterprises of every size face them. Some significant risks stand out, however, and in this piece I highlight what, from my experience, are the top five data protection risks within businesses.
When I think of the top five data protection risks affecting businesses, five areas immediately come to mind: policies and procedures, training completion and compliance, third-party risk, data sharing, and records management. I also personally think that there are other areas worth attention, depending on the processing activities of the company in question. It happens that in my years of data protection management, these are the ones that have shown a consistent streak.
Objectively speaking, it is plain to most privacy professionals and stakeholders that policies and procedures play a critical role. However, upon probing the policies within companies one often finds that they are not matched with procedures, and that gap is where personal data privacy risks arise. It is not enough to have policies filed away in a repository. They must be owned and accounted for, which means a named owner, a review date and a procedure that shows how the policy is applied day to day. It is quite astounding to me how many stakeholders overlook the importance of merging these policies with business procedures. They cannot be separated.
Breaches at companies such as Equifax, Revolut and British Airways are often cited as cases where gaps in training completion and compliance played a part. Equifax, for example, did not appear to treat staff training completion as a priority, and this invariably weakened its compliance position. For any company to comply with existing data protection laws, training must be completed by all staff, and, more than that, staff must understand their roles with regard to data protection. This area is quite an issue, as staff tend to overlook this important piece. Ensuring that training is completed and that its requirements are followed is therefore another area of risk within data protection: staff who do not act in accordance with requirements leave room for vulnerabilities.
I have written about third-party risk in this space before. Third-party risk is another key area that must be managed closely. One cannot dismiss the risk that vendors and other third parties introduce into the whole data protection framework. As such, it is important that companies pay attention to all contracts with third parties, including the data processing terms in them, and effectively audit these vendors on a quarterly or annual basis.
I must admit that the way companies share data amongst themselves is usually scary. First, there is often no data sharing agreement at all, and the obligations and roles for managing the shared data sets are left undefined. Data sharing agreements must be employed in these relationships, and establishing which party does what would most likely be critical in litigation. Second, the agreements must also specify retention periods and deletion methods for the shared data. This area of data sharing is another risk that is often overlooked.
Records management is another key risk within data protection. Security controls over records, a clear picture of who has access to them, and the maintenance of an audit trail of that access are often missing from data protection frameworks. Data discovery, which is part of records management, is often dismissed by stakeholders, and that leaves companies exposed: personal data that has not been located and classified cannot be properly protected. A good records management scheme will help the company prevent personal data breaches.
These are my top five personal data risks affecting businesses today. It is my opinion that these are the consistent and distinctive risks that stand out in most businesses. However, other risks may present themselves or be prevalent in particular industries, and companies must ensure they capture and mitigate those too. I must conclude, therefore, that this is not an exhaustive list but serves as a direction.