Ensuring Data Protection
Madan Mohan, Director - Technology Risk Advisory, MBG Corporate Services on the growing need for organisations to incorporate privacy laws and regulations within their structures
In our daily lives in this digital world, we often accord higher value to convenience than to the security of our data. However, the threat to our personal data, which increasingly accompanies or even determines many of our important personal decisions, such as securing a loan or buying an insurance policy, is immense. The risks range from spam emails, to the more serious matter of identity theft and other variations of organised cybercrime. Hence, trust — whether an individual can leave their data with a second party without the latter sharing it with third parties — is too big a factor to leave unregulated anymore. And that is where data protection and privacy laws come in.
Companies today face increasing pressure from regulators and the marketplace to improve how they collect, use, store and delete personal information, and how they manage data privacy. Frequent high-profile data breaches at some of the largest companies in the world over recent years have led to a growing focus on privacy rights and, in turn, to increasingly strict data protection enforcement.
Data privacy is a combination of legal, compliance, technology and cyber security elements, with cyber security perhaps the most important one: not only does it protect data from external and internal threats, it also determines how digitally stored data can be shared and with whom.
Recent data from Risk Based Security, a research company, revealed that the number of records exposed to cyber harm increased to a staggering 36 billion in 2020. There were 2,935 publicly reported breaches in the first three quarters of 2020, making it the ‘worst year on record’.
What is data privacy law?
Data privacy laws protect individuals’ privacy by empowering them with ownership rights over their personal data. According to UN statistics, 128 out of 194 countries have put in place laws which ensure personal data privacy. Africa and Asia have a similar level of adoption, with 55 per cent of countries having adopted such legislation, of which 23 are least developed countries. Of these regulations, the European Union’s GDPR (General Data Protection Regulation), which requires businesses to protect the personal data and privacy of EU citizens, is perhaps the most well-known. Many other data protection regulations have been inspired by and modelled after the GDPR, making interpretation easier.
Data privacy laws deal with the control process around sharing data with third parties, how and where that data is stored, and the specific regulations that apply to those processes.
Recently, the ‘Personal Information Protection Law 2021’ in China and the ‘Data Protection Law 2021’ in the UAE have been enacted, further improving each country’s international business and personal data security outlook.
Why is it important?
One of the main reasons why companies comply with data privacy regulations is to avoid fines and penalties. However, it goes well beyond that. You must take data privacy seriously in this age of consumer-citizen activism and consciousness, with such powerful considerations as ethics, corporate governance and brand equity at stake. Compliance does the following:
- Boosts corporate brand perception as an ethical, socially responsible business
- Improves the security structure of the organisation
- Gives organisations better control over data that protects their consumers’ rights
Naresh Manchanda, CEO - Risk, Technology and Foreign Enterprise Group, MBG Corporate Services said: “Data, its governance and protection is critical for the sustainable growth of any organisation. Entities should consider full governance and protection by design. They should assess multi-dimensional risks at regular intervals and continually enhance their data privacy framework. Societies must work together as a public-private partnership in spirit and letter. Hence, governments and organisations as well as individuals too must be aware and vigilant about their data usage, protection and stay alert to any breach or misuse.”
Regulatory compliance begins with an understanding of the organisation, and its objectives, risks, and opportunities.
Multiple data protection laws: Since laws exist in most countries and regions, businesses must consider not only local laws but also other applicable laws around the world. For example, GDPR seeks to protect EU citizens’ personal data not only within the EU but also outside it. Similarly, the Abu Dhabi Global Market Data Protection Law and the DIFC Data Protection Law are not confined to processing within the ADGM and DIFC respectively, but also apply to data that leaves those geographic boundaries and jurisdictions. The UAE has also enacted a Data Protection Law that applies to all.
Documentation: Organisations must prepare data protection policies and procedures. Response plans for managing incidents, together with records of processing activities, enable control over the management of personal data. This documentation, along with an efficient content management system, can help the organisation achieve compliance with data protection law.
Awareness: Organisations must conduct training and other awareness programmes for all employees. Each employee must understand the importance of ‘securely’ managing both personal and organisational data. And every employee must feel responsible.
Sensitive/special category personal data: Data that is more sensitive in nature, or whose exposure could place an individual at risk, is considered sensitive personal data and needs special attention. Businesses must assess the purpose of collecting such information and analyse the level of security applied when processing that personal data.
Platforms for exercising privacy rights: All data privacy regulations give data subjects rights over their personal data, such as the right to access, the right to erasure and the right to rectification. The organisation must be clear about how it protects the data of its customers and consumers. It should provide convenient platforms for raising data subject requests and respond to their queries.
Data Protection Impact Assessment: When launching new products, processes or services, organisations must assess the impact of the launch on personal data. This assessment involves identifying the risks and evaluating how well they can be controlled. The residual risk remaining after controls are implemented helps management decide whether to proceed with the launch.
A matter of culture
Privacy laws and regulations should be considered part of organisational culture and not merely as regulatory compliance. A strong data culture protects organisations’ businesses and reputations by preventing data breaches and cybercrimes.