Governance, Risk & Compliance: GRC
Facebook’s Data Privacy Wake Up Call
It's all over the news: personal data on Facebook has been used without people's consent, for purposes where consent would likely not be given. The shock waves of this scandal shattered global perception about the handling of personal data and raised the visibility of personal data protection and the real impact of data misuse. Companies around the globe now understand their obligations to protect individual's data at the risk of brand reputation. And all of this is happening on the eve of the General Data Protection Regulation (GDPR), which will come into effect in May. Not only will organizations need to satisfy regulators but perhaps even more importantly, protect their own brand reputation and business resilience.
Consider the impact on Facebook: Their $40bn in advertising revenue is expected to be impacted, shares will no longer be kept by many institutional investors, major brands like Tesla are breaking ties, regulators are coming after them with huge fines and individuals might bring law suits against Facebook and their partner Cambridge Analytics seeking justice for treating their personal data with disregard. On top of this Facebook's reputation and brand may be damaged beyond repair.
The honeypot of using personal data for commercial or political goals has an enormous attraction. Every time we fill in personal data in apps to get rewarded we add to personal profiles being sold to others. If you are not paying, you are the product.
It's only recently that global audience and regulators are starting to understand the impact of being digitally 'owned' by companies and parties that have objectives we are not always aware off. It's this awareness that led to the new EU regulation.
GDPR defines the measures organizations have to take to protect the personal data they keep on their digital systems. It defines the obligation for 'user consent', permission to be granted to use the data and also the 'right to be forgotten'. Regulators across the globe are reviewing their regulations and it may be expected other geographies will tighten their laws as well.
In order to comply with GDPR organizations initially were focused on appointing a Data Privacy Officer (DPO) and reviewing contracts with their IT vendors. But now increasingly they are looking for policies and processes to be in place in order to comply with the regulation. A GDPR requirement is “the ability to ensure the ongoing Confidentiality, Integrity, Availability and Resilience of processing systems and services.” and “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” In order to achieve this, a comprehensive cyber security framework needs to be implemented to embed the processes for GDPR compliance, including protection of (access to) information systems.
Where are the risks?
In essence, organizations need to sufficiently protect the personal data on their systems. Where are the risks that need to be managed and mitigated? In three buckets: employees, IT systems and IT vendors. Let's start with employees.
An alarming amount of data breaches are caused by current employees. Staff of all levels across a variety of departments either have access to or process personal data every day. But if employees are not aware of the GDPR and red flags to be aware of, a simple action like opening a phishing email, losing a USB stick, sharing a laptop or leaving a workstation unlocked could lead to a catastrophic data breach.
The second bucket of risk is within the organization's IT systems and IT Security technology.
The investments on securing IT systems are high but what if the vulnerability scanner isn't updated with the latest security patch in time? Or the firewall? Or the virus scanner? Do we trust our cyber security staff or do we need to validate timely updates and password changes on a continuous basis? Asking the question is giving the answer.
The third risk to focus on is with IT vendors. Increasingly we outsource to cloud vendors, which means the personal data we are responsible for sits on their systems. Who are these vendors? How solid are they from a financial perspective? Who are the beneficial owners? And also important: how do they manage their IT infrastructure towards cyber security resilience. Did they update their firewalls and scanners in a timely manner?
How to stay out of trouble
52% of cyber security issues globally are caused by human error. Implementing a robust training program with interactive, engaging reminders to embed the importance of data protection throughout the organization is the best way to protect the business and ensure ongoing consumer trust.
The IT systems and IT security systems should be verified on their cyber risk resilience. Not by asking the cyber security team questions around the effectiveness of the defined controls (did you install the patch in time, did you change the password regularly) but by connecting an IT Risk supervisory system to the IT systems and IT security systems and testing the controls in an automated way. This should be tested continuously and not by asking the cyber security team once every three months or prior to an audit, often the common practice. The result is reporting that can be used to identify defence weaknesses, or for audit purposes and to share with regulators and other stakeholders.
The third bucket of risk is with the IT vendors that keep personal data on their systems. In the vendor on-boarding process questions are usually directed to the vendor about their cyber security resilience. A better way is to connect the IT Risk supervisory system to 'public' sources such as the World Check database and retrieve all relevant information of the vendor and its directors online. Based on the results of that online assessment, the IT Risk systems raise a red flag and kick off workflows that initiates appropriate action and response to the findings.
And a good way of measuring the IT vendors' cyber resilience is to not ask the vendor questions but to verify their Internet facing IT systems and check online and in real time if they installed the required patch in time or if there is a port open on their firewall. Continuously and automated, done by the IT Risk system. Based on how they score again the relevant workflows and reports are initiated to take appropriate action, taking into account the risk category the vendor is in.
If organizations take an integrated view on where the personal data risks are in their organization and take appropriate measures that really are effective, GDPR compliance will be within reach and brands can be protected. The other way of staying safe is to not connect any IT system or application to the outside world but in nowadays digital world that's difficult to imagine.