In the same way that the financial crisis created a more financially astute public, data security breaches, privacy stories and scandals are making people more aware of their data privacy rights – and more concerned about how companies and the government use their data.
Data breaches affect all organisations. Those that have been hit by major breaches in the last five years range from tech corporations such as Facebook (April 2019) and Alibaba (November 2019), to hotel chain Marriott International (September 2018) and airlines British Airways (September 2018) and EasyJet (May 2020).
But data breaches are more widespread than many realise. Indeed, organisations that think they have not had a breach may not be looking in the right place.
Data is often described as the oil of the 21st century, with personal data about people being central to many business processes, and to new technologies that drive the way we work and live in the modern information age.
At the same time, organisations are facing increasing challenges and legal obstacles when using personal data, with complex legal rules that also vary from one country to another.
Boards of directors, CEOs and general counsel have started to realise that data breaches and irresponsible uses of data can jeopardise customer trust, destroy reputations, affect their share price, lead to fines and even result in senior executives losing their jobs.
What does a data privacy officer do?
It would be a mistake to assume that the role of a data privacy officer (DPO) is limited to data security.
While the detailed responsibilities of a DPO will vary from one company to another, the key focus of a DPO is to oversee data privacy compliance and manage data protection risk for the organisation.
This is not just about legal compliance with data privacy laws and breach prevention. A DPO can actually help companies assess new business opportunities that utilise data assets.
Typically, the DPO’s role will revolve around ensuring the company complies with data privacy laws, uses data protection as a business enabler, addresses data privacy requirements early on in new technologies, and manages reputational risk that can arise from data protection mistakes.
Why is the DPO role so important?
As companies search for new ways to understand their customers, manage their businesses and monetise their data assets, a DPO can play a central role in helping to realise these opportunities, including the safeguarding of existing data assets and enhancing and protecting corporate reputation. Unfortunately, the reverse is also true, and failure to focus on data privacy issues and allocate resources can have catastrophic consequences.
Why do businesses need a DPO?
The DPO’s tools of the trade generally fall into three buckets: policies and processes; people; and technology. Policies are the rule book; they describe the company’s approach to data protection, and set out the guidelines and rules that staff are expected to follow. Processes include specific tools that help the company, and the DPO, to identify and calibrate privacy risk.
People are key in implementing the company’s data privacy rule book. Training and awareness-raising are essential to implementing a privacy programme and building a corporate privacy culture.
Staff need to know what the baseline legal requirements are, what the company’s approach is, and why the company thinks data protection is important. The DPO plays a key role in raising awareness and rolling out training.
Technology refers to systems and automated controls. The DPO needs to work with companies’ IT and information security functions to ensure that systems operate in a privacy-compliant way, and that data security is ensured.
Sourced from Bridget Treacy, partner at Hunton & Williams