Workplace Readiness for Mitigating Data Privacy Threats

Peter Barker of 3M

On behalf of Risk Xtra, 3M’s Peter Barker recently interviewed Enza Iannopollo of Forrester Research to discuss the security measures, policies and privacy compliance programmes that many organisations are presently establishing in order to comply with legislation such as the EU’s new General Data Protection Regulation (GDPR). Iannopollo duly provided a fascinating insight on workplace readiness and emphasised the need for physical safeguards to protect against data privacy threats.

Peter Barker: Are workforces ready for compliance with the GDPR?

Enza Iannopollo: Specifically, we’re seeing firms struggle to meet the requirement to implement and document privacy training and awareness programmes for their employees. EU regulators have indicated that these programmes are essential for GDPR compliance. Meanwhile, we’ve also found that organisations meeting this requirement have improved their corporate privacy culture and established best practice that sometimes goes beyond regulatory requirements.

Peter Barker: Are companies in specific regions more prepared than others?

Enza Iannopollo: 34% of US firms say they’re ready compared to 26% of firms in Europe. Companies that are not GDPR compliant, whether they realise it or not, are taking a big business risk on to their shoulders. Companies who think they’re ready, but are not, are taking an even greater risk.

The GDPR applies to all companies, regardless of their location, that process or hold the personal data of European Union residents. This means that not only European companies, but also many US-headquartered businesses will be required to comply with these stringent privacy rules.

Peter Barker: What physical security and privacy safeguards are required by the GDPR?

Enza Iannopollo of Forrester Research

Enza Iannopollo: The GDPR is a principle-based regulation. This means regulators don’t provide organisations with a set of definitive actions to follow. Instead, organisations should think about GDPR requirements as a sort of ‘desired state’ for their data-handling practices.

It also means that organisations must identify and assess specific risks they need to mitigate in order to comply with the GDPR’s requirements. When identifying risks, firms must consider those that are presented by data processing in particular, mainly due to accidental or unlawful loss, unauthorised disclosure of, or access to personal data that’s transmitted, stored or otherwise processed.

It doesn’t matter whether an unauthorised data disclosure happens because a hacker launches a sophisticated cyber attack on a company’s website or due to a stranger taking a picture of highly sensitive data displayed on an employee’s laptop screen. It takes only a quick look at an unprotected screen for an unauthorised individual to ‘procure’ those keys and gain access. The risk grows with the increasing sophistication of social engineering.

Peter Barker: What are the benefits of implementing low-tech physical safeguards?

Enza Iannopollo: With non-stop news stories about large-scale data breaches, it’s easy to forget that today’s digital businesses still have to contend with physical security challenges. There are multiple benefits in implementing physical safeguards, such as video cameras for surveillance, locks for laptop cases and privacy filters for monitors, laptops, tablets and smartphones. All it takes is some sensitive customer or employee data being exposed to the wrong set of eyes to result in a potentially highly detrimental – and highly publicised – data breach. Such measures can also support compliance for regulations other than the GDPR.

As is always the case with visual privacy, it’s not just about meeting compliance requirements. It’s also about protecting a firm’s most valuable assets.

Peter Barker: How can companies use privacy strategies to drive superior customer experience?

Enza Iannopollo: Firms that are executing robust GDPR and privacy programmes are experiencing a number of business benefits beyond compliance. Delivering a superior customer experience is one of them. The way in which your organisation protects its customers’ data can have a direct impact in building – or indeed destroying – the underlying feeling of trust that your customers have in you. We know, for example, that customers do switch to competitors as a result of a privacy breach.

Furthermore, our research of consumer privacy attitudes highlights that 30% of individuals refuse to complete an online transaction if they read something that they don’t like in the company’s privacy notice.

If you’re committed to protecting your customers’ data and your employees recognise and reflect this commitment in their customer interactions, then this can set you apart from the competition.

Peter Barker: Are more regulations like the EU’s GDPR in the pipeline?

Enza Iannopollo: There’s no doubt that the GDPR signals a trend. We recently completed a new piece of research that analyses the privacy regulations and practices of 54 countries. It’s clear that regions such as Asia Pacific are looking at the GDPR as the possible evolution of local privacy rules.

Elements of the GDPR, such as data residency, are also being embedded in data privacy rules in Latin America and Russia. Also, the European Parliament is now working to update the requirements of the current ePrivacy Directive. Details still need to be hammered out, but the plan is to align ePrivacy requirements to the GDPR.

Peter Barker is Market Development Manager (EMEA) at 3M. Enza Iannopollo is an Analyst on the Security and Risk Team at Forrester Research

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk Xtra (Pro-Activ Publications).