In the same way that the financial crisis created a more financially astute public, data security breaches, privacy stories and scandals are making people more aware of their data privacy rights – and more concerned about how companies and the government use their data.
Data breaches affect all organisations. Earlier this year, supermarket chain Morrisons informed the police of the theft of payroll data by a staff member.
In the US, retailer Target endured significant public criticism following a hack affecting 70 million records, and a dip in its share price.
But data breaches are more widespread than many realise. Indeed, organisations that think they have not had a breach may not be looking in the right place.
Data is often described as the oil of the 21st century, with personal data about people being central to many business processes, and to the new technologies that drive the way we work and live in the modern information age.
At the same time, organisations are facing increasing challenges and legal obstacles when using personal data, with complex legal rules that also vary from one country to another.
Boards of directors, CEOs and general counsel have started to realise that data breaches and irresponsible uses of data can jeopardise customer trust, destroy reputations, affect their share price, lead to fines and even result in senior executives losing their jobs.
What does a data privacy officer do?
It would be a mistake to assume that the role of a data privacy officer (DPO) is limited to data security.
While the detailed responsibilities of a DPO will vary from one company to another, the key focus of a DPO is to oversee data privacy compliance and manage data protection risk for the organisation.
This is not just about legal compliance with data privacy laws and breach prevention. A DPO can actually help companies assess new business opportunities that utilise data assets.
Typically, the DPO’s responsibilities will revolve around ensuring the company complies with data privacy laws, uses data protection as a business enabler, addresses data privacy requirements early on in new technologies, and manages the reputational risk that can arise from data protection mistakes.
Why is the DPO role so important?
As companies search for new ways to understand their customers, manage their businesses and monetise their data assets, a DPO can play a central role to help realise these opportunities, including the safeguarding of existing data assets and enhancing and protecting corporate reputation. Unfortunately, the reverse is also true, and failure to focus on data privacy issues and allocate resources can have catastrophic consequences.
Why do businesses need a DPO?
The DPO’s tools of the trade generally fall into three buckets: (i) policies and processes; (ii) people; and (iii) technology. Policies and processes are the rule book: they describe the company’s approach to data protection, and set out the guidelines and rules that staff are expected to follow. Processes include specific tools that help the company, and the DPO, to identify and calibrate privacy risk.
People are key in implementing the company’s data privacy rule book. Training and awareness-raising are essential to implementing a privacy programme and building a corporate privacy culture.
Staff need to know what the baseline legal requirements are, what the company’s approach is, and why the company thinks data protection is important. The DPO plays a key role in raising awareness and rolling out training.
Technology refers to systems and automated controls. The DPO needs to work with the company’s IT and information security functions to ensure that systems operate in a privacy-compliant way, and that data security is maintained.
Sourced from Bridget Treacy, managing partner and head of the UK privacy and cybersecurity practice, Hunton & Williams