Dealing with data breaches should be business as usual
In the run up to GDPR, we started to see companies treating customers differently. We began to see emails warning us about data breaches, with specific news about what the breach was, what was being done about it and what, if anything, we should do ourselves.
And with Dixons Carphone now admitting that its breach last year actually involved 10 million customers, many times more than was first believed, the subject remains very much in the public eye.
This is only going to accelerate – and if you have set things up properly, managing and communicating data breaches will become business as usual. However, for most companies, this is an entirely new area of communications. They don’t always know what to do about it or how to handle it effectively.
Transparency is a cultural issue
Companies are not always used to being transparent in business today. Sharing any information above what is absolutely necessary is seen as breaking commercial confidentiality and might even make them feel vulnerable and weak.
But in light of GDPR’s requirements, and the growth of privacy by design and individuals’ data rights, this attitude is quickly becoming outdated.
The successful companies of tomorrow will not just communicate with transparency, but embed it into their corporate DNA. They will understand that good news has more credibility when it is in a more realistic context, so communicating the ‘bad news’ of data breaches quickly and effectively actually has a long-term value.
Understanding the processes
Communicating data breaches confidently and with real transparency requires a number of processes to be in place.
You must notify any personal data breach to the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it – and also communicate the personal data breach to the data subject without undue delay.
The notification to the authority needs to describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and personal data records concerned.
It also has to communicate the name and contact details of the data protection officer or other contact point where more information can be obtained, describe the likely consequences of the breach and describe the measures taken or proposed to be taken by the business to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
All this means you need effective processes for becoming aware of breaches quickly, creating notifications and issuing them promptly.
Breaches can actually help generate trust
As communicating data breaches becomes the new normal, they will actually become an opportunity. Companies who pass on that information quickly, efficiently and thoroughly, through a transparent approach to business, will be trusted more readily by customers.
To find out more about trust-hub’s approach and platforms, which can help you develop a structured and transparent approach to handling data breaches, please contact us at +44 (0)20 3582 5055 or get a demo here.
You’re in business with your customers, not the regulators
Thanks to GDPR and the rise of increased data regulation, many companies have become paranoid about staying on the right side of regulating authorities such as the ICO.
Of course, you shouldn’t attract their attention with harmful breaches or poor data management practices that contravene the rules but, at the same time, it is important to remember that they’re not actually the people paying the bills and keeping a roof over your business’s head.
Customers will drive best practice
The way that organisations approach and handle personal data and privacy is a core trust indicator — and trust will increasingly be the foundation of customer relationships in our digital society. If we then factor in the increasing international focus on privacy, and restrictions over the geographic transfer of such data, this makes personal data governance an essential capability for today's enterprises.
That is why, in the end, customers will drive the standards of data protection that they require and expect. Marketing departments often cite the research that appears regularly on the world’s most trusted, most reputable and most powerful brands, but over the coming years expect the criteria to shift in line with the changing world of customer expectations.
In fact, it would be no surprise if the public’s trust in areas such as companies’ data security processes and GDPR best practice start to rank right up there alongside customer service and social responsibility when it comes to which brands come out on top.
A different customer relationship
Businesses will have to take a different approach to how they manage their customer relationships in this brave new world. Only when they have proved themselves to be reliable and trustworthy data guardians will individuals be willing to provide them with the personal data that they now know (or at least, are beginning to grasp) has such value.
Whereas previously companies might have looked to delight their customers and exceed their expectations through clever pricing structures, great marketing communications or exceptional service delivered by their employees, now they will also have to earn that delight with robust data management protocols and swift responses to requests for data access.
Ultimately, customers will also define what privacy is and what it means to them. Enterprises will have to do more than just ‘update their privacy policy’, as noted ad nauseam in the emails we’ve all been receiving in recent weeks – they will have to understand that we now live in a world where accessibility, privacy and trust are the new normal.
We’ve created a white paper that looks in detail at what GDPR means for data privacy and personal data governance and what businesses should be thinking about in this area. To learn more, please contact us +44 (0)20 3582 5055 or get a demo here.
What happens when consumers drive data privacy standards?
Dixons Carphone has just admitted a huge data breach involving 1.2 million personal data records. Yahoo UK was fined £250,000 by the ICO for a 2014 breach. In recent years we’ve seen other major data hacks – and in some cases, major fines from the regulators – involving household names such as TalkTalk, Equifax and Uber.
All this, remember, was before GDPR came into force. The fines for a data breach now could easily reach into the millions of pounds. And perhaps more importantly, each new news story about these breaches thrusts the issue further into the spotlight, and means more people become aware of the potential for disaster.
Awareness is going to rise
As a result, there is no doubt that in a post-GDPR world the general public are going to be more privacy-savvy than ever before. Under the regulations, consumers have the right to access the personal data that companies hold on them and can make those subject access requests either verbally or in writing. And, of course, they also have the right to have that data amended if it is incorrect, or even erased entirely.
Currently, as with a lot of GDPR rules, public awareness and understanding of what they are entitled to is fairly low. But, thanks to the increasing noise around data security, that will not always be the case.
Businesses are going to have to brace themselves for a rapidly growing volume of access requests. In the event of a data breach, they have 72 hours to report it to the ICO and it will become known to the general populace shortly afterwards. Once people are more aware of their rights, just imagine the tsunami of requests for access – and requests for erasure – that a major telecoms or banking company would receive in the hours and days following a breach.
Cater for privacy-savvy consumers
What is likely to happen is that the market will start driving standards of data security and privacy. Businesses will need rigorous processes in place not just to handle the occasional access request, but the flood of enquiries they’ll receive after a data breach.
If they don’t, they will simply compound the appalling publicity of the breach with equally awful publicity about how they handled their customers afterwards. Trust is going to be one of the foremost currencies of businesses in the 21st Century, and those that fail this test will not be long for the world.
The company-customer relationship is going to transform in the wake of these new regulations. How organisations manage access and other rights is an opportunity to strengthen employee and customer lifecycle management, rather than just a compliance obligation.
In fact, privacy should be viewed as an opportunity to build trust and successfully compete for personal data rather than simply avoiding a fine. The regulation in this area represents nothing more than the minimum standard to operate.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly. To find out more, please contact us at +44 (0)20 3582 5055 or get a demo here.
What is ‘personal data’ today, and what will it look like tomorrow?
Now that GDPR has arrived, businesses are either feeling secure or nervous about what they have done to protect their customers’ and prospects’ personal data.
According to the regulation, ‘personal data’ is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The definition is lengthy but it is also vague. Experts agree that this approach is quite deliberate: it has been left open so that the coming months and years will see court cases that debate the nature of personal data and create legal precedents that narrow the definition more precisely.
A changing definition of data
As we’ve mentioned before, GDPR isn’t a deadline but a low-water mark for what the future holds when it comes to trust and privacy. The same is quite possibly true for how we define personal data.
With the growth of artificial intelligence and data mining, more data will emerge on individuals that could be defined as personal data. A dynamic IP address might not currently qualify, given that multiple individuals may share it, but perhaps it will if a company holds personally identifying data tied to that address.
And that is only going to be the beginning. Analytics is currently used to pick out behaviours and habits so that advertisers can use that data to personalise their online targeting. If you order a lot of fast food, you won’t be surprised to see ads for fast food appearing when you visit websites.
But is data on your eating habits considered personal data? Or how about data on your voting habits? The recent Cambridge Analytica-Facebook scandal highlighted that the latter can be both immensely powerful and used in ways that the individuals involved might not approve of or desire.
More to manage
And of course, under GDPR, that means even more data that individuals will have the right to access, or the right to have deleted. Simply meeting the basic regulatory requirements to ensure these rights in a secure and timely manner already presents significant challenges for businesses. Just imagine what it will be like if the definition of personal data expands.
As the definitions shift, it will become even more vital for companies to understand and manage their personal data ecosystem. An effective solution must be capable of processing and analysing huge volumes of data and metadata, and granular enough to be able to switch, dynamically, between the atomic, or individual, data level and various levels of summary above this.
Only then can the often complex interrelationships between the different systems, processes, jurisdictions and so on be mapped out, visualised and interrogated.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly. To find out more, please contact us at +44 (0)20 3582 5055 or get a demo here.
What’s the weakest link in the supply chain?
Pan out and think about how your business really works for a moment. It’s not operating in a silo. It’s connected to a vast network of partners and suppliers that work together to help you deliver the products and services you offer.
Payroll suppliers, company insurance suppliers, private health companies and even cleaning and maintenance services are just a few of the suppliers that most businesses have ongoing relationships with, and in the new era of GDPR it’s your job to know how all of these companies handle any personal data you entrust to them.
Managing the privacy weak spots in the supply chain will become one of the biggest challenges any business encounters under the GDPR. Companies need to know exactly what their supply chain looks like. They need to know what personal data suppliers store on their behalf, where that data is, and why it is needed. Most importantly, they need to know all of this in a dynamic business environment where change is routine.
Data privacy in the supply chain: The what, where and why rules
Keeping on top of the personal data flowing across your supply chain is easier said than done. To be compliant, you must understand how your suppliers use the personal data you’ve entrusted to them.
This means creating a “what, where and why” data map that proves your suppliers only have access to information they need to do the job you’ve asked them to do.
In today’s dynamic business environment this quickly becomes challenging. Requirements change routinely, as do suppliers. The data map you produce today will be inadequate in a matter of weeks or even days as suppliers and the services you procure from them change.
Data breaches across the supply chain
GDPR has also introduced the idea of “data breach logs”. Every business is required to log data breaches whether the breach is suspected or real.
In the new privacy ecosystem, the relationships you form with suppliers need to be robust and transparent to ensure that any breach across the supply chain, suspected or real, is communicated to you quickly.
Dynamic data needs dynamic management
It’s the dynamic nature of the new privacy ecosystem that is powering the concept of personal data governance.
Personal data governance is not just about identifying personal data, but also about focusing on the underlying business processes that are being supported. Everything in the organisation, from a personal data perspective, revolves around the business processes.
This level of comprehension is only possible if you are able to discover, and document, all of your processes and the associated data flows - internal and external, as appropriate. This means not just within the enterprise, but throughout the supply chain too.
An effective solution must be capable of processing and analyzing huge volumes of data and metadata, and granular enough to able to switch, dynamically, between the atomic, or individual, data level and various levels of summary above this. This allows comprehensive views of the organisation to be created for a wide range of stakeholders and for the, sometimes, complex interrelationships between the different systems, processes, jurisdictions etc. to be mapped out, visualised, and interrogated.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly. To find out more, please contact us at +44 (0)20 3582 5055 or get a demo here.
How Do You Get ROI From GDPR?
The waiting is over and GDPR is upon us. Hopefully, organisations will have spent recent months developing a personal data governance programme and ensuring their compliance with the new regulations.
But it’s not just about compliance. A company that has spent thousands on its GDPR strategy will want to look for a return on that considerable investment. That means looking beyond the regulatory standards and discovering how a business that understands and complies with GDPR – and ideally, even goes further than the processes the regulations demand – can use its newfound expertise to create a genuine competitive advantage.
The ROI of digital transformation
As organisations become increasingly digitally driven – with the implementation of new IT systems, connected devices etc. – there is a clear need to get to grips with personal data governance. Failing to do so will harm the business through a combination of data leaks and attacks, unnecessary data storage and management costs, poor data compliance, and potentially even large fines and reputational damage.
But by the same token, organisations that have developed appropriate data management and governance processes are placed ahead of the game when it comes to digital transformation and will be able to leverage that expertise.
The ROI of the consumer’s rights
Under GDPR, EU individuals have a number of rights over their personal data that are now enshrined in law, including the right of access, the right to be informed and the right of erasure.
Having rights is one thing, but individuals also need means by which they can actively pursue them. They must be able to invoke their rights and have access to a mechanism to track and trace progress in the fulfilment of their requests. Simply meeting the basic regulatory requirements in a secure and timely manner presents significant challenges.
However, this is about much more than just satisfying a regulatory obligation. Successful implementation requires proper integration with customer/employee lifecycle management processes and systems. Organisations must acknowledge that they are competing for personal data and, if they want to keep it, they need to keep individual data subjects happy.
Those that do will be more attractive to an increasingly GDPR-savvy populace, showing that they are a trustworthy data guardian.
The ROI of going beyond GDPR
As time moves on post-GDPR, consumers will increasingly recognise the value of their personal data to organisations. They may even monetise that data by ‘selling’ it to trusted brands – either directly or through information exchanges.
The current ‘surveillance by design’ culture – with value derived from behavioural tracking – will move towards the inverse ‘privacy by design’ approach. We might see more personal data exchanges, where organisations share individuals’ data with their willing consent. And again, only those businesses capable of providing that level of trust and service will thrive.
What’s increasingly evident is that GDPR is more than compliance – it is a real opportunity to drive ROI, but only when managed correctly. To find out more, please contact us at +44 (0)20 3582 5055 or get a demo here.
Personal Data Governance – what is it and why does it matter
GDPR has put ‘personal data’ at the top of the corporate agenda. Add it to the other privacy laws now appearing worldwide, such as Australia’s APP and Canada’s PIPEDA, and it’s no wonder that organisations are paying close attention.
However, unlike most of their enterprise data, organisations are only custodians rather than owners of personal data – the personal, identifying information they store on customers, prospects and other individuals actually belongs to those people.
A better approach to personal data
This has profound implications on the transparency requirements involved in that data and the ways in which it can be harvested, processed and monetised. Together with the risk of reputational damage involved in GDPR non-compliance (as well as fines of up to €20 million or four percent of annual turnover, whichever is higher), this will fundamentally change the commercial dynamics for processing and sharing personal data.
It is why organisations need personal data governance: a dynamic, transparent and secure operational system for the management of that personal data and the entire personal data ecosystem. It then supports not only their organisational and regulatory requirements, but also provides transparency for the rights of data subjects and visibility across the entire supply chain.
Identifying and understanding the personal data ecosystem
From a personal data governance perspective, everything revolves around business processes. The required level of comprehension is only possible if businesses are able to discover and document all their processes and the associated data flows — internal and external, as appropriate, and not just within the enterprise but throughout its supply chain too.
A successful approach therefore requires, among other functions: management and insight from one comprehensive system; a dynamic ability to respond to changes; risk measurement and management; full governance and management of the personal data lifecycle; and transparency, effectiveness and efficiency with respect to the rights of data subjects.
Why does it matter?
At a broader strategic level, corporate governance is a system for understanding the rights and responsibilities of business leaders and monitoring the actions, policies, practices and decisions of organisations, their agents and affected stakeholders. Where it fails, business scandals like Enron follow.
Personal data governance is required to create similar rules and accountability around the use – and potential misuse – of personal data. In the end, governance is how businesses create trust.
And in the new, post-GDPR world, trust is more than a nice-to-have. In fact, it is a source of competitive advantage. Companies that fail the personal data governance test will have those failures publicly revealed and face potentially crippling reputational damage to their brand that even outweighs the fines. And remember that the likes of GDPR are only the beginning: where personal data is such a valued commodity, consumers will begin to understand that value and employ it accordingly.
For more information about personal data governance, and how trust-hub is helping businesses to develop their strategies, please contact us at +44 (0)20 3582 5055, request a demo of our Privacy Lens.
Please sign up above to be first in line when the IDC’s executive briefing “Privacy is Strategic - we call it personal data governance” is released.
Article 30 compliance solved in just one click
The latest release of trust-hub’s Privacy Lens personal data governance application puts at your fingertips the information you’ll need if a data regulator ever appears at your door.
Thanks to the built-in Records of Processing Activity report, information required under Article 30 of the GDPR is available with just a single mouse click. This covers everything from what items of personal data are being used, what they are used for and how long they need to be retained. The report even provides specific summary views for where the organisation is acting as data controller and where it is acting as data processor.
As trust-hub Chief Technical Architect, Will Parton, notes, “This report contains an overview summary of the uses of personal data within an organisation. Essentially everything a GDPR or other data governance regulator would ask to see upfront in the event of an audit.”
And with Privacy Lens’ new Quick View Visualisation Buttons, users can now rapidly select, switch between and customise different visualisations, including an ‘org chart’ view of the organisation and a geographic representation of its key data assets and their physical location.
It also features enhanced Privacy Risk Scores for external organisations, basing its scoring around the model constructed for them within the tool.
For further information on Privacy Lens or to discuss how trust-hub might be able to support your privacy program, go to www.trust-hub.com or e-mail the trust-hub team at info@trust-hub.com.
Navigating a post-GDPR world
The General Data Protection Regulation, which comes into effect on 25 May, has thrown the issue of trust into sharp relief.
As Ian Bryant, COO of trust-hub, highlights, “Do I trust the organisations who hold personal information on me to be honourable and transparent custodians? If not, I’m unlikely to use that organisation’s products
or services – either as an individual or professionally.”
But the May deadline is not the end of the story when it comes to how we trust companies to hold and use our personal data. In fact, it’s only the beginning.
Privacy as competitive advantage
“Moving forward, we’ll see GDPR as the low watermark in managing privacy,” predicts Simon Loopuit, trust-hub’s CEO. “In fact, we’ll see businesses using privacy as a point of differentiation, even competitive advantage.
“Subject access rights, and the right to be forgotten, are hugely empowering for individuals. If you experience poor levels of service or have a reason to be frustrated with a particular organisation, leveraging these rights places pressure on the organisation to respond.”
As time moves on post-GDPR, it will become even more of a customer experience issue. Organisations will have to be able to identify an individual’s personal data, extract it and then securely share everything with the data subject in a format that is easy to understand – showing what consents were given and how the data is/was used.
If a business is able to do this quickly and accurately, it will clearly demonstrate its credentials as a capable custodian of personal data. That, in turn, may be enough to address any concerns and perhaps even lead to improved customer retention.
Consumers monetising their personal data
It could go still further. As consumers increasingly recognise the value of their data to organisations, they have an opportunity to monetise that data – essentially selling their private information to trusted brands – either directly (perhaps in exchange for higher levels of service) or through information exchanges.
“We’re already seeing individuals starting to take ownership of their personal data,” says Simon. “The days of people posting their lives on social media in ignorance of the fact it’s all being collected and used are coming to an end. Instead, we’re self-selecting what networks and brands know about us and have more awareness of risk.”
As individuals become more privacy-savvy, the ‘surveillance by design’ culture – where metrics and behavioural tracking are a central part of how digital platforms extract value from users – will move towards ‘privacy by design’, where they don’t. Personal data exchanges might begin to flourish, where businesses share customer’s data with the consent and oversight of the individual.
And as the market evolves, the need for a platform that manages all that data in an evolving way will become increasingly important.
Learn more
To help businesses learn more about GDPR and what the future holds, trust-hub has written an insight guide that goes into more detail.
