The recent revelation that Uber chose not to disclose a data breach that occurred in October 2016, together with its efforts to conceal that breach, has had devastating effects on the company's already fragile reputation. It has also left Uber under investigation by authorities in the UK, Australia and the US.
As this company, and others that have suffered large-scale data breaches, struggle to pick up the pieces, the scenario would be far grimmer had this happened after the GDPR came into effect. From May 2018, a global firm in this position could also be fined up to 4 per cent of worldwide turnover, with further significant financial consequences.
Organisations are currently in a watershed period in which it is not a question of if, but when, they will suffer a breach, whether through third-party negligence, targeting by cybercriminals, or insider attacks by disgruntled employees. The key to being able to respond within 72 hours of detection, as stipulated in the regulation, is to ensure that the right processes and procedures are in place beforehand.
Moving Beyond Identification & Classification Of Personal Data
Most companies have completed the initial steps of reviewing the information they hold and classifying it in order to capture, tag and secure personal data in accordance with the GDPR. The challenge now lies in implementing technology that keeps this process running going forward. In some ways, this is even more challenging than the initial steps, as it requires a long-term strategy that is specific and tailored to the organisation. Processes must be robust and repeatable, as well as auditable, should they come under scrutiny.
Auditing is important, and two aspects should be examined regularly: 1) what personal information the organisation holds that needs to be protected and carries risk, and 2) what behaviours and processes need to change in order to protect that information on an ongoing basis. If an organisation is to mitigate the repercussions of a breach within that short timeframe, it must be able to establish the extent of the breach quickly enough to notify stakeholders.
Embracing The Role Of Automation
The shift must happen not only in the processes implemented, but at a cultural level too. Employees must understand and be aware of how personal data is handled and transported, both within the organisation's internal environment (for example, between departments) and to external businesses. However, even the savviest employees are not infallible, and this is where the benefits of automation become apparent: the more effort you can take away from end users through process automation and embedded management controls, the easier it is to achieve consistency in how data is protected, monitored and reported. If processes remain manual, operational costs are high and information handling is prone to mistakes.
Processes Must Keep Up With Changing Demands
The workplace is in a constant state of evolution with regard to how employees prefer to work. Remote working, connected devices and cloud applications mean that the boundaries of a company's environment are constantly shifting, making the tracking of sensitive information challenging. Processes that seek to ensure this content is handled correctly cannot disregard the current culture within an organisation, particularly as changes to that culture can be met with resistance or, worse, workarounds that undermine the procedures. Companies must anticipate these changes and design a mechanism that sustains compliance organically. Any changes required must therefore be carefully managed.