In the last ten years, digitalization efforts have made data a fundamental part of business operations across all industries. As companies began collecting more and more data, the number of data breaches that exposed the personal information of individuals also rose alarmingly, prompting new legal initiatives aimed at safeguarding sensitive information and giving consumers a say in what happens to their data.
With the EU’s General Data Protection Regulation (GDPR) leading the way, new laws such as the California Consumer Privacy Act (CCPA) and Brazil’s Lei Geral de Proteção de Dados (LGPD) have reshaped the data privacy field. Compliance, until then largely confined to sectors that process especially sensitive categories of data such as health and financial information, has become a universal concern.
The enactment of extensive new data protection legislation has raised the profile of positions such as Chief Privacy Officers (CPOs) and created new compliance-mandated positions like Data Protection Officers (DPOs). Not every company is legally required to appoint a DPO; under the GDPR that obligation depends largely on what data a company processes and at what scale, rather than on its size alone. CPOs, by contrast, are becoming an indispensable part of any data protection strategy. Here are the reasons why:
Compliance with Data Protection Legislation
Data protection regulations are complex laws with extensive requirements. It is essential for all companies to have a person on board who understands their complexities and how compliance can be achieved from a practical point of view. It is worth noting that these regulations do not refer simply to protecting data against breaches, but also give consumers new privacy rights that companies must be ready to meet.
It is important to have a person dedicated to these compliance efforts rather than adding them to the already long list of duties of existing positions such as the Chief Information Security Officer (CISO) or Chief Information Officer (CIO). CISOs and CIOs typically deal with the technical aspects of data protection rather than its legal implications.
Questions such as how long data is retained on company servers, whether customer requests for deletion or data portability can be met, and whether consumers have access to the legally required means of opting out of the sale of their information fall outside the remit of CISOs and CIOs, who are primarily concerned with ensuring that data cannot be tampered with or stolen.
Noncompliance in the age of the GDPR comes with a hefty price. In Europe, data protection authorities can fine a company up to €20 million or 4% of its worldwide annual turnover for the preceding financial year, whichever is higher, for noncompliance with the GDPR, and they have shown they are not reluctant to exercise the full extent of their powers. Meanwhile, the California Attorney General can seek civil penalties of up to $2,500 per unintentional CCPA violation or up to $7,500 per intentional violation, assessed per consumer. The CCPA also grants California consumers a private right of action with statutory damages against businesses whose failure to maintain reasonable security leads to a data breach of their personal information.
Despite rising data protection efforts, the number of data breaches continues to climb steeply each year: Risk Based Security counted 5,183 reported breaches in the first nine months of 2019, exposing 7.9 billion records. That is a 33.3% increase in the number of breaches over the same period of 2018, while the number of records exposed more than doubled.
CPOs can help companies identify sensitive, at-risk information within the massive amounts of data they collect and help establish and implement cybersecurity frameworks that protect it from both malicious attackers and careless insiders. Training staff, enforcing data protection policies on work computers both inside and outside the company network, and making sure critical cybersecurity requirements are met can help businesses avoid data breaches and their disastrous consequences.
Data Breach Response Plans
A solid cybersecurity framework based on best practices such as the CIS Controls is claimed to guard against as much as 97% of data breaches, but no set of controls stops everything. The remaining breaches have varied causes: persistent attackers, a newly disclosed vulnerability that is exploited before it can be patched, or employees bypassing security policies while performing their duties.
Because no company can guarantee it will never suffer a data breach, it is essential to have a data breach response plan in place. This is another core responsibility of CPOs. They not only develop these plans but also test them, so that in the event of a breach every individual knows their role and can react quickly and efficiently to identify the cause, remedy it, and take the appropriate steps to notify both affected consumers and data protection authorities. The GDPR, for example, requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, so the plan must be rehearsed against that deadline.
A big part of a data breach response plan also covers how the company communicates publicly in the aftermath of a breach. CPOs work with PR teams to inform affected parties and to minimize the reputational damage the breach causes.
That reputational damage is itself one of the costliest consequences of a data breach. It brings heavy financial losses through missed opportunities and customers who lose trust in a company’s services and switch to competitors. According to the 2019 Cost of a Data Breach Report, lost business was the biggest contributor to breach costs, with abnormal customer turnover rising to as much as 3.9% in the wake of security incidents.
By hiring a CPO, businesses show that they take data protection seriously, which strengthens their reputation. A CPO’s responsibilities are not limited to protecting sensitive information from breaches; they also ensure that the organization is ready to answer efficiently any request from consumers exercising their privacy rights under the new data protection regulations. By prioritizing the privacy needs of customers, CPOs help build trust in the company brand.
A Better Informed Workforce
Ultimately, CPOs also serve as a constant reminder of the importance of privacy. They ensure that adequate attention is paid to privacy at the leadership level and develop a set of best practices that can be followed company-wide.
They also support the training of employees who process personal information on a regular basis, informing them of the seriousness of data protection policies, the company’s legal obligations under data protection regulations, and the consequences of data breaches.
The CPO thus encourages ethical behavior across the company, raising awareness of the importance of data protection from the highest circles down to the employees who handle sensitive information on a daily basis.