By Simon Loopuit, CEO, trust-hub
Following a distinguished career in the City, Simon is now a successful technology entrepreneur and passionate privacy advocate. As CEO of trust-hub, he has developed an innovative SaaS platform for managing personal data and has won multiple awards in the process.
He views privacy as a strategic opportunity for businesses to demonstrate market leadership rather than a compliance overhead. Simon read law at university before qualifying as a chartered accountant. He is the proud father of two children and in what is left of his spare time, Simon is a keen skier, squash player and a private pilot.
Data privacy has risen from relative obscurity to become a Board-level priority in little over two years. The reasons are many – cyberattacks are the fastest growing crime, fines for regulatory transgressions are growing exponentially, litigators are circling with class action lawsuits and individuals are becoming more aware of their rights. Add to this the complexity of our dynamic and interconnected digital ecosystem and you have a potent cocktail of emerging risks that need to be managed.
However, too often the response has been to treat data privacy as another compliance obligation with a focus on doing the minimum necessary to satisfy the relevant regulator. The problem is that people are not compliance obligations – they are your business – and you cannot discharge your duty of care to them or mitigate your own risks with a box-ticking exercise.
When the UK’s regulator fined British Airways more than £183m for a data breach earlier this year, Information Commissioner Elizabeth Denham (currently also Chair of the International Conference of Data Protection and Privacy Commissioners) said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.” If doing the right thing is not incentive enough, consider that the eventual cost to British Airways of this breach is likely to be orders of magnitude greater than the fine once remediation, litigation and reputational damage feed through to its P&L over the following three or more years.
In fact, data privacy represents a strategic opportunity for those that are prepared to recognise their duty of care and respond accordingly. For example:
1) Risk needs to be fundamentally reassessed. Firstly, the primary risk lies with the individual – after all, it is their privacy. This typically requires a cultural change for most businesses, which have viewed personal data, and therefore the associated risks, as their own. Secondly, technical transgressions are undesirable, but their consequences are likely to be manageable, whereas data breaches, and especially a failure to mitigate them effectively, could be very costly and even existential. Understanding the “value at risk” for each process is essential for determining where investment in data protection should be prioritised.
2) Cybersecurity is a prerequisite for data protection, but you can’t protect what you don’t know about. As more and more services become digitised and the concept of a perimeter becomes less relevant, a dynamic data map of the personal data ecosystem is essential not only to an effective cybersecurity strategy but also to data governance generally.
Indeed, this map should become the focal point of collaboration between all the stakeholders: privacy, cybersecurity, risk, compliance, customer experience and so on.
3) Breaches are becoming more frequent, so preparing for them with regular simulations is a very worthwhile investment. This not only sharpens your team, partners and advisers, but may also highlight some important anomalies.
For example, where breaches occur downstream of the initial processor and/or in another jurisdiction, the challenges facing the data controller can be daunting. In some cases, this elevated risk may justify a reassessment of the benefits case for certain data sharing relationships.
Equally, in the event of a breach, cyber-insurance policies regularly mandate the selection of specific advisers (forensic, legal, customer service, PR, etc.) from the insurer’s panel, and this may not include the company’s preferred suppliers. Addressing this in advance avoids an unnecessary complication and inefficiency at a time when attention should be focused on the mitigation strategy.
4) Regulatory reporting should be viewed as an output rather than the objective of a privacy program, just as the regulation should be viewed as a minimum standard rather than an aspiration.
For example, the GDPR and CCPA allow 30 days and 45 days respectively for responding to individuals’ requests concerning their data (DSARs), whereas a consumer-facing brand might target a seven-day response time for complaints. Is a DSAR a compliance obligation or a retention opportunity?
In conclusion, privacy is becoming an increasingly important component of digital trust for any organisation whether public or private. Whilst emerging privacy regulations are an important catalyst for this transition, and must be complied with, it is the human dimension of privacy that will ultimately determine the winners and losers in the competition for digital trust.
Implementing systems that demonstrate an ethical approach and duty of care, as opposed to regurgitating standard formats of regulatory text, will deliver real value and benefits both to the business and the individual.