Building a data privacy culture within an organisation takes much more than having privacy policies in place. The organisation should be in a position to identify the personal data it has held on individuals over the years. This is no trivial task if systems were not designed for it.
More organisations are taking a "privacy by design" approach to their applications, says Barry Cook, group data protection and privacy officer at VFS Global, the world's largest outsourcing and technology services specialist for governments and diplomatic missions worldwide.
In this Q&A, Cook shares insights about balancing risks to privacy versus benefits.
As we settle into the post-pandemic “new normal”, how safe is our data in an increasingly digital world?
The pandemic has accelerated digitalisation, and one frequently asked question about privacy is how much of our online information is processed. As a company in the travel business, we have to use personal data, including identifiers such as biometrics in the form of fingerprints and photographs. A majority of consumers say that companies must protect consumers’ privacy and companies have a responsibility to manage their data. However, only 20 per cent of consumers in surveys are ready to sacrifice convenience for a higher level of privacy. That’s the challenge we face as privacy professionals, balancing risk of privacy versus the benefit of convenience.
What are the key benefits of complying with the EU's general data protection regulation for VFS Global?
As the global gold standard for data protection, the GDPR represented a significant evolution in the management of personal data protection when it came into force in 2018. The law includes stringent requirements for organisations who process personal data of EU residents or are based in the EU, with many multinationals in the Middle East undertaking GDPR compliance projects.
GDPR has been a great transformer in terms of how we handle data. A major change is that companies now are obligated to demonstrate their compliance. The GDPR has set a benchmark for a standard to which companies should act responsibly while processing individuals’ personal data. For VFS Global it was not a huge journey as we already had strong privacy and security requirements in place based on the nature of our business. GDPR formalised what we were already doing and provided a framework for businesses to manage the data that they were collecting and processing.
What are your thoughts about using a "privacy by design" approach to balance risk and security?
Privacy by design states that any activity a company undertakes that involves processing personal data must be designed with data protection and privacy in mind from the outset and at every step of the process. Data protection must be an integral part of technological development as well as how the product or service is delivered. For many organisations, adopting a privacy by design approach will require a significant culture change.
Cook is a data protection officer at VFS Global, the world's largest outsourcing and technology services specialist for governments and diplomatic missions worldwide. He has over 20 years of experience in industries including private banking, pharmaceuticals, EdTech, retail, AdTech, civil aviation, and information technology and has provided leadership in data privacy, data protection, information security, and risk management.