Security Think Tank: Engage business to address commercial risk

What strategies can infosec pros use to shift focus from GDPR fines to enabling business gains and success, changing the way data is used, and aligning data privacy with business purpose?

When it comes to persuading senior management that better securing and handling personal information are objectives worth continued focus and investment, there is no need to look further than the largest and most successful commercial enterprises on the planet.

They share a common characteristic: they have become the largest companies because they make the best use of technology.

As any expert in generating consistent success, and profit, for companies will tell you, it is a matter of understanding the parameters of success and then engineering the business processes that achieve those objectives as efficiently and effectively as possible.

However, what drives commercial success is not technology alone; data is the oil that runs through technology – and the better your data is, the more likely you can use it to create profit.

This leads to the question of what exactly better data is. Is it best to have as much data as possible? Is it structured data, or is it targeted data?

Having vast data lakes of personal information can be a substantial asset to any organisation, but only when you can handle the compliance issues efficiently.

The gathering of personal information is no longer a zero-overhead exercise. Many organisations now find themselves spending double-digit percentages of their operational budget on marketing, and gathering or using personal information without engineering in privacy by design can turn that spend into an expensive mistake.

Why did you have that data? Why didn't you know you had that data? Why didn't you better protect that data? These are questions that any enterprise wants to be comfortable answering with a reasonable and compliant response.

Those responses should, of course, be:

  • We had the data because we needed the data and had the explicit consent of the people involved.
  • Some of our people did know we had the data but did not follow the required processes – and we will take corrective measures to ensure this does not happen again.
  • We did adequately protect the data, but the method of theft exploited a previously unknown vulnerability.

Privacy by design resolves these questions because it ensures personal information is always gathered for transparent reasons, with the consent of the people it relates to (the data subjects) or on another documented lawful basis, and with reasonable protection applied.

It is a simple truth that risk avoidance is the easier way to sell investment in operations, but effective management of personal information is about more than avoiding punitive regulatory fines. The largest risks to most businesses do not come from the regulators; they come from the competition.

If your competition can gather and use personal information with greater ease and efficiency than your own enterprise, they will have a commercial advantage.

Whether your interest is as a privacy lawyer, privacy specialist or cyber security department, the most effective way to get more investment into improved security and management of personal information is by demonstrating the commercial value of doing it. And, of course, by demonstrating the commercial risk of not making those investments.

Only efficient privacy compliance can deliver all three of the following:

  • Minimised cost to respond to each request for personal information, such as a subject access request.
  • Centralised consent management, reducing costs and customer frustration.
  • Easier collection of more personal information that benefits both the customer and the organisation.

It is tempting for privacy specialists to seek to minimise the amount of personal information that is collected.

In reality, most regulations do not demand that less personal information be collected in absolute terms. They demand transparency towards, and consent from, the people whose data is collected, and that the amount collected be limited to what is adequate, relevant and necessary for the stated purpose (the GDPR's data minimisation principle), so that it is reasonable for both the data subjects and the organisation collecting it.

The tech giants hold large volumes of personal data about each person they track. They have not sought to reduce the value of their lakes of personal data, but they have sought to be transparent and efficient about how they gather and use it.

For any organisation that cares about profit and long-term trust, the safe and effective management of personal information is key to success. Until large fines for General Data Protection Regulation (GDPR) failings become more regular, the driver for improved personal information management needs to come from the fear of missing out.

Consider the market leader in your sector – is gathering and using personal information core to their success? Gathering personal information only infuriates customers when it appears excessive and inefficient.

Compliance with privacy regulations is an opportunity to outclass your competition. But failing to be compliant will leave any organisation battling to work out what personal data they can hold on to.

Isaca provides a range of resources and information about GDPR compliance.