In May, the General Data Protection Regulation (GDPR) will bring the most significant overhaul of how firms use personal data, and as the year progresses, they will have to formalise plans for Brexit as the 2019 deadline approaches, writes Phil Beckett, Managing Director Disputes and Investigations at consulting firm Alvarez & Marsal.
While this is keeping the lawyers and compliance teams understandably busy, there are also other issues bubbling under the surface which will need acknowledging and solving, to help move them to a proactive, instead of reactive position. The crux of this is two-fold; implementing the correct working practices, but also creating a cultural sea-change in their workforce to mitigate risks. This will help firms be more prepared. Working in the forensic technology sector, we see multiple areas in which firms need to improve, as they are not keeping up with key trends influencing the industry. If firms want to be shipshape for the upcoming legislative changes, along with other challenges facing them, it’s imperative they take heed and change their ways. These challenges are most strongly seen in global businesses, who are seriously behind where they should be. So, if they want to be confident of success in 2018, the following business critical functions need addressing.
1.Compliance
Part of the reason firms are largely unable to keep up is because compliance is not taken seriously enough across the whole business. With the GDPR coming in, the need to ensure a clear data governance policy, outlining how personal data is handled within an organisation, should be top of management’s agenda. This is the easy bit. It’s the next step firms are struggling with – implementing it so everyone in the business lives and breathes it, so no sloppy short-cuts start creeping in, which will undo the good of the policy. A policy is one thing, but compliance from the CEO to receptionist is more critical. For example, common issues comprise of getting to grips with BYOD (bring your own device), and how employees use their personal and work devices, both at work and at home. This includes drawing up guidelines around employees’ rights to privacy, and if an employer has the right to check work devices (such as Whatsapp or social media) for signs of wrongdoing. Firms are leaving themselves open to data breaches or theft if they do not implement clear and stringent policies around compliance, so for them to stay ahead of the curve and reduce the likelihood of a breach, it’s time to take this seriously.
2.Cross-border regulation
Despite so many firms working internationally, it always amazes me how many are ignorant of how regulation varies from jurisdiction to jurisdiction. Previously, it was less complicated, with many developing countries, such as India, taking the lead from the U.S. However, this is now changing, and demonstrates the need for local, on-the-ground experts more than ever if businesses want to be ahead of their competition. We should not underestimate the power of local, human intervention here, as opposed to a central ‘one size fits all’ diktat.
We see a divergence in how countries approach personal data, and therefore the collection of it. Countries such as Germany and India, are now very much on the side of the individual; thereby making it hard for firms to harvest personal data. Alternatively, China and Russia are more concerned about state secrets being exposed, so have strict rules on how data is collected, and how this is supervised. They require requests and approvals across various stages of an investigation to ensure any data is being collected in a fair and legal manner. This knowledge of the legal environment is key when working in these areas, and we are seeing many firms fall foul, due to taking the wrong approach, or mistakenly believing their jurisdiction’s ruling will cover them when collecting data from another. This is not the case, and firms and their legal teams need to get better at utilising on-the-ground support if they are to improve their cross-border data governance.
3.Increasing sophistication of threats
Another challenge firms are facing is the ever-increasing sophistication of threats, and this highlights another reason why firms can’t keep up. We saw in 2017 the devastation caused by WannaCry and the continued CEO fraud, and it’s catching corporations unaware. The first step, of course, is to get the basics right – from software patch updates through to training. Firms are not doing everything they can to prevent breaches or implement the much needed cultural change necessary to aid their cause. A burglar alarm alone will not prevent a break-in, and firms are continuously failing to lock the front door when it comes to protecting their data. To rectify this, businesses need to focus on two areas: people and process. Engage your employees on the threats, so they know how to use the software you’re asking them to utilise, and put processes in place so that if something were to go wrong, everyone knows their role and responsibility to help resolve the situation.
Take note, action
I hope that 2018 is a turning point for firms, with the challenges above tackled head on. It won’t be easy, and involves more than just a well-written policy. To help make a sustainable and meaningful change, below are my five key steps businesses should consider:
1.Get C-Suite buy-in – too often we see the C-Suite not adequately engaged around the issues firms are facing, and can sometimes be the biggest risk of a breach. They need to be aware of any potential repercussions and be driving issues such as compliance and awareness from the top-down, to ensure this culture is adopted across the business.
2.Get the basics right – from updating software patches to knowing who is a data custodian; know what data you have, where it’s stored and how to protect it to prevent security issues.
3.People, people, people – educate the entire workforce to be more cognisant of the importance of compliance, and train them, so they know how to get the best out of software. It’s also key to get a watertight process in place in case of emergency with allocated roles and responsibilities. Test this on a regular basis to ensure it’s up-to-date.
4.Use local experts – as data becomes more prevalent and sophisticated, so does the legislation controlling it. Using local experts who can help navigate the local landscape will save firms time and money, along with ensuring legal compliance.
5.Think ahead – it’s no longer good enough to react to legislation, to stay ahead of the curve, firms need to start anticipating future challenges and put measures in place to prevent them. Otherwise, they will be in a constant state of catch-up.
