Published on May 14, 2021
The law is clear on the responsibilities of organisations that collect and process personal data. You must have policies and procedures in place and ensure that all personnel are aware of and trained on the General Data Protection Regulation. Failure to comply may result in data breach fines adding up to millions of pounds - and this is not counting the associated legal costs and reputational damage.
Despite this, in 2019, 88% of UK businesses suffered a data breach. More recently, research conducted by the Ponemon Institute revealed the average cost of a data breach for UK businesses in 2020 was $3.9m (£2.75m). That's marginally higher than the global average of $3.86m, which was slightly down from $3.92m in 2019. Now in its 15th year, the IBM sponsored study analysed 524 breached organisations across 17 countries to arrive at these conclusive findings. These reports confirm that the reality your organisation needs to accept isn't if it will suffer a major data breach, but when. The only question to ask is, what are the best practices to protect the personal data that you collect and process?
Notwithstanding these statistics, which clearly illustrate the risk of a data breach occurring, only a third of UK organisations have completed a cyber risk assessment in the past 12 months. A risk assessment, along with other policies and procedures should be part of an effective privacy framework laid down in all organisations that process personal data.
To meet data protection compliance, organisations need to understand the following:
You will also need to undertake a data mapping exercise, so you understand:
A robust privacy programme considers all these factors and provides a solid foundation that allows your organisation to manage data processing operations effectively, with an aim to developing a business-wide culture of privacy and data protection compliance.
Developing and implementing a privacy programme takes commitment and investment, in time and money. Once the above questions have been answered, you need to conduct a risk assessment. This involves looking at the personal data you collect, process, and hold and analysing the following:
Once the risk assessment is completed and agreed on, the next step is to choose a privacy framework.
A privacy framework will provide the basic structure and offer guidance about how to integrate any compliance requirements applicable to your organisation. It will ensure you have the right compliance policies and procedures in place whilst providing flexibility to adapt processes to suit your commercial requirements.
A good privacy framework will assist you with:
The right privacy framework depends on your business's unique requirements, structure, and organisational culture. The following are a selection of popular frameworks:
The ISO/BSI frameworks are typically the most popular choice when it comes to privacy frameworks as they include certification. Acquiring certification shows that your organisation has invested in privacy compliance and training, which provides a strong selling point when approaching investors or applying for tenders, contracts, and/or joint ventures. However, if you feel you only require a foundation to build your privacy compliance on, the AICPA or NIST frameworks are an excellent starting point.
Establishing, implementing, and running a privacy programme requires specialist skills. You may wish to consider appointing a Data Protection Officer (DPO) to ensure the process runs smoothly and the result is effective. The advantages of appointing a DPO and investing in the required training to ensure they can meet their set objectives include:
Competition for an experienced DPO is fierce, and even if you manage to recruit someone suitable, they will command a premium salary and bonus package. For all but the largest organisations, providing such a package, no matter how well-deserved, often proves impossible. Therefore, it is usually more realistic to appoint someone from within the business as the DPO and then invest in developing their skills and knowledge so that they can head up your privacy programme.
Of all the training programmes available for DPO's, few courses address the specialist knowledge required to implement and manage privacy operations. This is why the IAPP Certified Information Privacy Manager (CIPM) is a unique qualification.
IAPP CIPM addresses how to translate knowledge of data protection law into policies and procedures. It enables holders to develop effective practices, including implementing a privacy programme framework, measuring performance, and understanding the operational lifecycle of privacy programmes. CIPM is the perfect companion to the Certified Information Privacy Professional Europe (CIPP/E) or the BCS Practitioner Certificate in Data Protection, which, when combined, cover all the key areas required to become a DPO or equivalent Head of Privacy in the UK and Europe.
Investing in training an internal resource also means you guarantee your DPO will be familiar with your business, its customers, and the wider industry in which you operate.
This article is part one of a two-part series. In the next article, we will examine the privacy technology landscape and how investing in the right software can help cement a robust privacy and data protection culture within your organisation.
COVID-19: FLEXIBLE, LIVE ONLINE BCS & IAPP TRAINING NOW AVAILABLE - PLEASE CONTACT FOR DETAILS