
GDPR Lessons That Can Be Learned From The Uber Data Breach


The recent revelation that Uber chose not to disclose a data breach that occurred in October 2016, together with its efforts to conceal that breach, has had devastating effects on an already fragile reputation. It has also left the company under investigation by authorities in the UK, Australia and the US.

As this company, and others that have suffered large-scale data breaches, struggle to pick up the pieces, the scenario would have been much grimmer had the breach happened after the GDPR came into effect. From May 2018, a global firm in this position could also be fined up to 4 per cent of worldwide turnover, adding significant financial consequences to the reputational damage.

Organisations are currently in a watershed period, where it is not a question of if, but when, they will suffer a breach, whether through third-party negligence, targeting by cybercriminals, or insider attacks by disgruntled employees. The key to being able to respond within 72 hours of detection, as the regulation stipulates, is to ensure that the right processes and procedures are in place before the breach happens.

Moving Beyond Identification & Classification Of Personal Data

Most companies have completed the initial steps of reviewing the information they hold and classifying it in order to capture, tag and secure personal data in accordance with the GDPR. The challenge now lies in implementing technology that maintains this process going forward, so that the classification stays accurate as data is created and moved. In some ways this is even more challenging than the initial steps, as it requires a long-term strategy that is specific and tailored to the organisation. Processes must be robust and repeatable, as well as auditable, should they come under scrutiny.

Auditing is important, and there are two aspects that should be regularly examined: 1) what personal information the organisation holds that needs to be protected and carries risk, and 2) what behaviours and processes need to change in order to protect that information on an ongoing basis. If an organisation is to mitigate the repercussions of a breach within the short notification window, it must be able to establish the extent of the breach quickly enough to notify stakeholders in time.

Embracing The Role Of Automation

Not only must processes shift, but the culture must shift too. Employees must understand and be aware of how personal data is handled and transported, both within the organisation's internal environment (for example, between departments) and with external businesses. However, even the savviest employees are not infallible, and this is where the benefits of automation become apparent: the more effort you can take away from end users through process automation and embedded management controls, the easier it is to protect, monitor and report on data consistently. If processes remain manual, operational costs stay high and information handling remains prone to human error.

Processes Must Keep Up With Changing Demands

The workplace is in a constant state of evolution with regard to how employees prefer to work. Remote working, connected devices, and cloud applications mean that the boundaries of a company's environment are constantly fluctuating, making the tracking of sensitive information challenging. Processes that seek to ensure this content is handled correctly cannot disregard the existing culture within an organisation, particularly as changes to that culture can be met with resistance or, worse, workarounds that undermine the procedures. Companies must anticipate these changes and design a mechanism that sustains compliance organically; any changes required must therefore be carefully managed.

To avoid falling foul of the GDPR and to ensure compliance, a comprehensive content management system must first be in place to identify and protect any sensitive data the organisation holds. Concurrently, employee education is crucial to the success of any implementation, especially in terms of user adoption. Employers can identify the areas most prone to errors and use automation to make those processes smoother and repeatable. However, as the deadline approaches, it is not enough simply to tick boxes; organisations must look beyond attaining compliance to maintaining it consistently in the long term, and make it part of their overall future strategy.


George is Director of Business Solutions Strategy, with over 25 years' experience in Content, Process and Information Governance. He has delivered solutions and consultancy across multiple industries, including banking, insurance, the public sector, pharmaceuticals and legal. He is a regular writer, speaker and social media contributor on Information Management, Compliance and Operational Improvement topics. George is a Certified Information Professional (CIP) accredited by AIIM, and has been awarded the AIIM Fellowship for his contributions to the Information Management industry.