On the one hand, legislation is becoming tougher, with larger fines being issued to offending companies; on the other, technology is moving at such a pace that data protection law in the UK, the EU and beyond is struggling to keep abreast of it. The current news cycle is awash with data protection stories, such as the recent European court ruling against Google confirming that individuals have a right to ask search engines to remove links to personal data about them.
Many companies expect the new European Union (EU) data protection law to be enacted in 2017 at the earliest, so there is a feeling that data protection can wait as a corporate priority. But David Smith, deputy commissioner at the Information Commissioner’s Office (ICO), recently warned that companies should be getting ready now: “Get your house in order now under the current law, to ensure you are ready for the coming changes, because the principles are not very different,” Smith told attendees of Infosecurity Europe 2014 in London.
Data protection is being taken more seriously now, even in the boardroom, and there is no better example of what can happen than that of the US retailer Target. Last month, Target’s chairman and CEO, Gregg Steinhafel, was forced out in the wake of the company’s late-2013 data breach. Coming two months after the resignation of the company’s CIO, Steinhafel’s departure represents the first removal of a Fortune 100 company head in response to a major cyber incident. Other CEOs should take note.
So as the legislation changes through multiple consultations, and as the speed and reach of the Internet, mobile messaging and social media explode, how can companies better manage the reputational risks associated with data protection? Here are two key steps that can be taken:
1. Be transparent – Companies such as Google have been very successful at setting out their views and policies on data protection and privacy, dedicating whole areas of their websites to explaining them, blogging about them and answering consumer concerns. Hiding the data is not an option: consumers welcome transparency about data protection, and unsurprisingly they are more understanding of, and more forgiving towards, companies that provide it.
2. Act quickly – When a data protection incident happens, experience shows that acting quickly and having rapid communications ready goes a long way. In the UK, for example, the Information Commissioner’s Office has reduced monetary penalties for offending organisations that reported a breach and responded to it promptly, so apart from the reputational benefit there is a financial one too. If you are unsure what to do, the ICO also offers good advice: create a recovery plan, including damage limitation; assess the risks arising from the breach; inform the appropriate people and organisations that the breach has occurred; and review your response and update your information security. Under the current UK law, notifying the ICO of a breach is mandatory only for providers of public electronic communications services (under the Privacy and Electronic Communications Regulations), but data breach notification is likely to become compulsory for all companies in the EU.