Protecting privacy is as much a corporate social responsibility as protecting the environment. IT leaders need to understand the role of IT security in corporate data privacy, and go beyond regulatory compliance to make security and privacy a competitive differentiator.
Information is the lifeblood of any company. It’s also the key ingredient in the modern, digital economy. The challenge is that businesses hold large volumes of information on customers, partners and employees that must be rigorously defended from a myriad of cyber-attackers.
As enterprise CEOs are learning, their data is ever-harder to protect, and their customers and partners are increasingly concerned about the information they share. To make matters more serious, new regulations levy hefty fines for data breaches. As a result of these escalating trends, ensuring corporate data privacy has become both a legal obligation and a social responsibility.
Moreover, privacy is good business. Organizations that respond effectively to data protection requirements can make privacy a competitive differentiator by building trusted relationships with their customers. To fulfill this responsibility, business leaders need to understand the role of data security in corporate data privacy.
To realize the value of data, it must be shared with employees, partners and contractors across a variety of platforms. This data can be stored on local servers, in data centers or in the cloud. Complicating the task of securing this data while making it available to those who need it is the variety of information it can represent. This includes not only personally identifiable information, but also intellectual property, financial or health-related information, or proprietary business data, all of which could result in personal and business losses if compromised.
Company leaders need to execute an effective corporate data privacy strategy based on three key elements:
1. Integrity ensures that IT security controls and internal processes are aligned with customer and client privacy requirements and expectations.
2. Competence is the ability of the organization to execute security controls and procedures to provide the level of privacy established in corporate policy. This includes the ability to document and prove that the organization is doing what it promises from a privacy and security perspective.
Avoid Pitfalls with Privacy and the Three Key Elements
Implementing corporate data privacy as a component of an IT security program can help make security a competitive differentiator for a business. Compliance with privacy laws and regulations is unavoidable for a business, and getting tougher.
With GDPR, the European Union, for example, will levy penalties of up to 4 percent of a business’s annual revenue or €20 million, whichever is greater, on companies doing business on the continent that fail to protect personal information of their customers. In the United States, a settlement with the Federal Trade Commission could involve decades of audits costing companies millions of dollars in legal fees.
But privacy and security are about more than avoiding penalties. They are also about maintaining the reputation and customer trust that add value to the business. An effective information security program that ensures corporate data privacy requires the support of investors, board members and C-level officers who recognize the importance of protecting personal data as well as proprietary information. Such an approach also requires a strategic direction, set from the top, built around integrity, competence and transparency.
By getting buy-in from all stakeholders, including executives, data owners and IT systems operators, organizations can move past regulatory compliance and build a business case for robust security and privacy that highlights the full value of data to the organization’s mission. This allows the business to build trusted relationships and thrive in today’s data-driven marketplace.
Organizations can go a long way toward maturing their cybersecurity and IT security posture by incorporating corporate data privacy into their enterprise’s processes, people and tools. Adding privacy, however, means asking and answering some tough questions about the organization’s current state as it pertains to integrity, competence and transparency:
- How do we communicate our privacy policies to our clients and customers today?
- How do we approach privacy protection and privacy violations within our current risk mitigation management strategy?
- How much does the company stand to lose if privacy violations occur?
- How do we communicate internally, and then externally to stakeholders, in the event of a privacy violation so that we demonstrate our competence, integrity and transparency?
By asking and answering these questions, organizations can gain a strong perspective of their current state of integrity, competence and transparency, and work towards an improved future state. All of that can be accomplished while also improving the overall security posture.