Seven months into the year and it’s clear data privacy will continue to be a critical issue in 2021. We’ve seen critical infrastructure and multiple credit agencies experience significant data breaches, with some even suffering two in less than a year. According to a recent report, European businesses were fined $40.56 million in privacy-related violations in the first quarter of 2021. The breaches and data leaks we see in the news almost every day have resulted in devastating consequences for both organizations and consumers.
But in today’s complex IT landscape, many organizations are just one employee click away from a cyberattack. Many of our colleagues have been discussing this for years, if not decades: an organization is only as strong as its weakest link and we are all vulnerable to the human factor. With cybercrime up 600% due to COVID-19, 73% of IT leaders are more concerned about protecting their data from ransomware than ever before. Even while hard at work, employees can pose a security threat to companies, with 57% of IT decision makers concerned remote workers will expose their firm to the risk of a data breach.
Organizations are also navigating an increasingly complex regulatory landscape where failure to comply can and has led to costly fines, a damaged corporate reputation, and lost business opportunities. Data has truly proven to be an invaluable asset, but also an unbounded risk if not properly managed. As we close out our reflections around the third anniversary of the General Data Protection Regulation (GDPR), this moment serves as an important reminder for many that security and privacy are critical every day of the year.
The evolution of privacy and compliance in the workplace
The World Economic Forum predicts 463 exabytes of data will be created every day by 2025; that’s about the equivalent of 562 trillion pages of text. In light of the rapid proliferation of data, ensuring privacy and compliance has become increasingly challenging. Although the GDPR wasn’t the first data privacy regulation, it has become the blueprint for the majority of privacy legislation that has followed. At first, many companies either waited too long to prepare for the GDPR or assumed it did not apply to them. But in the global economy, users and customers are everywhere. This has helped elevate the GDPR as an eye-opening disruptor. Since its implementation in 2018, many states such as California, New York, and Nevada have followed suit, introducing their own privacy legislation on how businesses should store and collect data. Most notably, this past year California passed the California Privacy Rights Act (CPRA), aimed at bolstering the privacy protections set by the California Consumer Privacy Act (CCPA).
The GDPR and CPRA, among other privacy laws, also apply to a business’s employees and contractors, meaning organizations must apply the same amount of protection and care for employee data as they do for customer data. Prior to the CPRA, no US privacy regulation defined “sensitive personal information,” such as Social Security numbers, driver’s license numbers, demographic information or the contents of emails and text messages. Now it is absolutely critical to properly categorize and protect this information to not only avoid a privacy violation fine, but also build trust with staff.
The CIO game plan
Ensuring security and privacy is exceptionally important as more companies prepare for a hybrid working environment. With this workplace shift, CIOs will not only be tasked with managing company data, but also with ensuring proper data hygiene around health records when employees come into the office.
As CIOs prepare their organizations to charge forward in this privacy-driven world, there are several things they can do to set themselves and others up for long-term success:
- Keep the business compliant by adopting cloud — Data regulations are changing all the time. While it may not seem immediately intuitive, there are native capabilities and services in the cloud that can ease the burdens and challenges of navigating these new regulations. Cloud-based search of backup data can cost-effectively meet privacy regulations because it can scale up and down its resource usage and only charges for what you use.
- Ensure the protection for all of your data — With hybrid work, business critical data is now everywhere. CIOs must look for holistic solutions that offer globally accessible, unified visibility spanning data centers, endpoints, SaaS applications, and cloud environments. The ability to meet data residency requirements also ensures that no matter where the business’s data is being stored, it’s available, compliant, and secure.
- Review data practices and internal processes — While it’s easy to see data protection and privacy as a ‘tick the box’ exercise, such standards are typically a way to enforce a minimum level of security and safety. Businesses should focus on making the safety of data a core value proposition, not just a one-time exercise.
- Revise workforce disclosures to include new rights — Organizations that are collecting employee health data, such as COVID-19 vaccination records, must update their employee disclosure agreements to ensure everyone is on the same page. Systems should also be put in place for inbound requests to remove an individual’s data. Such a process requires a tight integration between security, IT, privacy and legal teams to ensure requests are fulfilled.
Companies are increasingly turning to data to power their business, so they must in turn accept the responsibility to protect it with the level of care it deserves. With the third anniversary of GDPR now behind us, this is as good a time as any for CIOs to lay the foundation of a data protection strategy which will protect valuable assets and maintain compliance for years to come.