On behalf of Risk Xtra, 3M’s Peter Barker recently interviewed Enza Iannopollo of Forrester Research to discuss the security measures, policies and privacy compliance programmes that many organisations are presently establishing in order to comply with legislation such as the EU’s new General Data Protection Regulation (GDPR). Iannopollo duly provided a fascinating insight on workplace readiness and emphasised the need for physical safeguards to protect against data privacy threats.
Peter Barker: Are workforces ready for compliance with the GDPR?
Enza Iannopollo: Specifically, we’re seeing firms struggle to meet the requirement to implement and document privacy training and awareness programmes for their employees. EU regulators have indicated that these programmes are essential for GDPR compliance. Meanwhile, we’ve also found that organisations meeting this requirement have improved their corporate privacy culture and established Best Practice that sometimes goes beyond regulatory requirements.
Peter Barker: Are companies in specific regions more prepared than others?
Enza Iannopollo: 34% of US firms say they’re ready compared to 26% of firms in Europe. Companies that are not GDPR compliant, whether they realise it or not, are taking a big business risk on to their shoulders. Companies who think they’re ready, but are not, are taking an even greater risk.
The GDPR applies to all companies, regardless of their location, that process or hold the personal data of European Union residents. This means that not only European companies, but also many US-headquartered businesses will be required to comply with these stringent privacy rules.
Peter Barker: What physical security and privacy safeguards are required by the GDPR?
Enza Iannopollo: The GDPR is a principle-based regulation. This means regulators don’t provide organisations with a set of definitive actions to follow. Instead, organisations should think about GDPR requirements as a sort of ‘desired state’ for their data-handling practices.
It also means that organisations must identify and assess specific risks they need to mitigate in order to comply with the GDPR’s requirements. When identifying risks, firms must consider those that are presented by data processing in particular, mainly due to accidental or unlawful loss, unauthorised disclosure of, or access to personal data that’s transmitted, stored or otherwise processed.
It doesn’t matter whether an unauthorised data disclosure happens because a hacker launches a sophisticated cyber attack on a company’s website or due to a stranger taking a picture of highly sensitive data displayed on an employee’s laptop screen. It takes only a quick look at an unprotected screen for an unauthorised individual to ‘procure’ those keys and gain access. The risk grows with the increasing sophistication of social engineering.
Peter Barker: What are the benefits of implementing low-tech physical safeguards?
Enza Iannopollo: With non-stop news stories about large-scale data breaches, it’s easy to forget that today’s digital businesses still have to contend with physical security challenges. There are multiple benefits in implementing physical safeguards, such as video cameras for surveillance, locks for laptop cases and privacy filters for monitors, laptops, tablets and smart phones. All it takes is some sensitive customer or employee data being exposed to the wrong set of eyes to result in a potentially highly detrimental – and highly publicised – data breach. Such measures can also support compliance for regulations other than the GDPR.
As is always the case with visual privacy, it’s not just about meeting compliance requirements. It’s also about protecting a firm’s most valuable assets.
Peter Barker: How can companies use privacy strategies to drive superior customer experience?
Enza Iannopollo: Firms that are executing robust GDPR and privacy programmes are experiencing a number of business benefits beyond compliance. Delivering a superior customer experience is one of them. The way in which your organisation protects its customers’ data can have a direct impact in building – or indeed destroying – the underlying feeling of trust that your customers have in you. We know, for example, that customers do switch to competitors as a result of a privacy breach.
Furthermore, our research of consumer privacy attitudes highlights that 30% of individuals refuse to complete an online transaction if they read something that they don’t like in the company’s privacy notice.
If you’re committed to protecting your customers’ data and your employees recognise and reflect this commitment in their customer interactions, then this can set you apart from the competition.
Peter Barker: Are more regulations like the EU’s GDPR in the pipeline?
Enza Iannopollo: There’s no doubt that the GDPR signals a trend. We recently completed a new piece of research that analyses the privacy regulations and practices of 54 countries. It’s clear that regions such as Asia Pacific are looking at the GDPR as the possible evolution of local privacy rules.
Elements of the GDPR, such as data residency, are also being embedded in data privacy rules in Latin America and Russia. Also, the European Parliament is now working to update the requirements of the current ePrivacy Directive. Details still need to be hammered out, but the plan is to align ePrivacy requirements to the GDPR.
Peter Barker is Market Development Manager (EMEA) at 3M. Enza Iannopollo is an Analyst on the Security and Risk Team at Forrester Research.