Two Keys to a Modernised, Globally Relevant Data Privacy Programme

By Amanda Fennell, CIO & Chief Security Officer at Relativity.

For the last decade, data security has been a top priority for businesses and consumers alike as cyberattacks and data breaches have infiltrated life and business as we know it. Any company — no matter how large or small — is at risk of a data breach.

It’s truly a matter of when rather than if; what makes the difference is how prepared the organisation is ahead of the incident. Today, having strong security and data privacy programmes are paramount to a company’s success regardless of industry, and it’s most crucial for organisations that house personally identifiable information (PII), like law firms, financial institutions, healthcare and even consumer technology companies.

Where things have shifted in the 2020s, however, is in the need for an ironclad data privacy programme that adheres to the ever-changing global policies on the issue. For the sake of this article, let’s define data privacy as when an organisation or individual must determine what data in a computer system can be shared with third parties. How an organisation determines access controls and prevents unauthorised access within its processes are two critical aspects of a highly successful programme.

Conducting business and transferring data across borders has become seamless, largely due to advancements in technology and the remote working boom over the last two years. But with that seamlessness comes an increasingly complex and volatile global data privacy stage, particularly in the European Union (EU) and the United Kingdom (U.K.). With new regulations developing on an almost annual basis, enforcement action and punishments have grown alongside increasing regulations.

According to law firm Herbert Smith Freehills, ‘2021 saw significant enforcement action — including fines of €746 million, €225 million and €150 million. Interestingly, these fines did not result from big data security breaches but rather we have seen a regulatory focus on data protection principles — particularly transparency and cookies’. So, what happens next? It’s possible existing cookie consent rules may be rolled back, but it could also foreshadow an increasing influx of changes to best practices pertaining to cookies and privacy notices in the UK.

Furthermore, Schrems II has been a key focal point for data privacy in the last two years. Now, it seems that the global focus is shifting from Schrems II and is moving on to further sweeping regulations. In February 2022, the European Commission (EC) proposed a new Data Act. According to law firm Stephenson Harwood, this new Data Act ‘aims to improve trust in data sharing and facilitate the sharing of industrial data between connected devices and devices on the Internet of Things…The EC hopes that the Act will help unlock the growth potential of the data economy (estimated by the EC to be worth €270 billion by 2028)’. 

Privacy regulation can change at a moment’s notice based on the evolving risk and regulatory landscape in any given country, particularly within the EU, where privacy regulations like GDPR have paved the way for the rest of the world.

Determining Appropriate Access to Data

Investing time and money in Environmental, Social and Governance (ESG) is now a fundamental concept for corporations. As scrutiny within the global regulatory environment has increased, a focus on that governance pillar has become of the utmost importance for many organisations looking to evolve their data privacy programmes. Continued investment in an organisation’s governance can help connect critical processes within its security, data privacy and IT functions.

A factor of ESG that should be a priority for any data-heavy organisation is data encryption – both at rest and in transit. Not only does it create a barrier for unwanted parties to access existing data, but it’s something customers (and really, the general public) want. Today’s technology savvy citizens are often more trusting of organisations that offer data encryption. For example, look at the boom in encrypted messaging apps like WhatsApp, Signal and Telegram over the last few years. Everyone wants to ensure that what they have to say and information about them is secure and protected. It’s also become table stakes for large-scale government agency policies, including a recent memo from President Biden.

The digital world we live in is a breeding ground for cyberattacks and data breaches. Organisations need to be on guard and prepare for unapproved data access and data loss. They also need to look at everything through a global lens; having a simple U.S.-only approach or an EU-only approach won’t yield the best holistic outcome. The more an organisation considers the full spectrum of possibilities or problems on a global scale, the more success they will have. There’s a plethora of helpful data prevention tools companies can take advantage of, which offer a variety of solution features at different price points. Here’s the bottom line — determining who can access data and how that access is enabled can make or break a data protection programme.

Enabling Adaptability and Fostering Strong Data Privacy Habits in an Environment of Continuous Change

To be most successful in this arena, organisations need clear data privacy and ISRP functionalities in place. These functionalities need to be mature and can be built from the organisation’s security, IT or compliance teams, or a hybrid of a variety of functions. The most successful ISRP functions are those that are adaptable and work well for the organisation’s employees. The initial launch of many ISRP functions is to help protect the business against potential threats and vulnerabilities. Ensuring compliance with mandates, frameworks and relevant legislation is a necessary foundation to building with strength and purpose long term.

Organisations that want to be successful in this area must also prepare for the continued increase in international data transfers and data movement, which have three distinct areas. First, there is the EU, which issued new standard contractual clauses for international data transfers in 2021. Second, the U.K., which is expected to propose new legislations on international data transfers this year. And, finally, the EU-U.S. Privacy Shield could see enhancements in its framework in the near future.

These three notions should signal to any corporation transferring data across borders (or any corporation that may do so in the future), needs to stay up to date on international regulations and be ready to pivot an existing programme at any point. There are many concerns that this is an ever-changing landscape and there is no way to build for long-term sustainable alliance to future needs. While we cannot build for an unknown future, businesses should build for what they know is the right thing to do with securing the privacy of consumers and their employees. 

In short, data privacy programmes and policies cannot be a monolith; they cannot be stagnant. Organisations should continuously refresh their programmes and policies to reflect the current working realities of their teams and corporate structure in conjunction with any national and global regulations in place.

If you’re interested in learning more about strategising and building a bespoke security and data privacy programme at your organisation, register for Relativity Fest London, which will take place at etc. Venues at 133 Houndsditch on 17 May 2022. You can also tune into Relativity’s Security Sandbox podcast, which explores and explains the unique links between non-security topics and the security realm.

About The Author:

Amanda Fennell, CSO and CIO at Relativity – Amanda joined the Relativity team in 2018 as CSO and her responsibilities expanded to include the role of CIO in 2021. In her role, Amanda is responsible for championing and directing security strategy in risk management and compliance practices as well as building and supporting Relativity’s information technology. She also hosts Relativity’s Security Sandbox podcast, which looks to explore and explain the unique links between non-security topics and the security realm. Prior to joining Relativity, Amanda served as the global head of cyber response and digital forensics at Zurich Insurance Company.

[ Artificial Lawyer is proud to bring you this sponsored thought leadership article by Relativity. ]