A message from Rebekah Allendevaux,
CIPP/E, CIPM, CIS LI, CIS LA | Senior Partner
A message from Rebekah Allendevaux,
CIPP/E, CIPM, CIS LI, CIS LA | Senior Partner
Dear Enterprise Community,
Data breach trends continue to rise. Hacking is becoming more sophisticated, and studies show the most valuable information pursued by criminals is personal information. Governments have responded to these threats by creating regulations enterprises must follow, fashioning a set of best practices to help organisations implement administrative, technical and physical measures intended to safeguard the information entrusted to them. When rightly implemented, these regulations (such as the GDPR and others) aim to lower the risk of threat of information loss, fostering accountability and restoring trust in today’s digital age.
Toward this, I write this letter to help your organisation comply with these new regulations, which when rightly implemented, aims to foster confidentiality, availability and integrity of information. Within the last few years, more than 100+ countries have implemented data protection laws, and most regulations come with penalties for non-compliance. To do nothing risks the threat of attack from bad actors and the threat of regulatory penalties from governments.
The ISO/ANSI credentialed team at Allendevaux & Company has invested substantial time building this repository of data protection guidance, and we want to make it freely available to the enterprise community. Within the pages of this site, you will find many tools and templates you can use. Please note this information is provided as helpful guidance and is not legal guidance.
Understanding the Problem
Your organisation, like many, collects and utilises data regulated by various laws around the world, information about individuals, including personal data regarding prospective customers, current customers, past customers, employees, contractors, and beyond. It’s no longer legal to collect this type of information (personal and sensitive information) without implementing administrative, technical, physical and organisational measures to ensure it is safeguarded.
You may ask why the urgency, and what brought about this recent trend?
Data breaches span the weekly headlines of our newspapers and newsroom reports: Yahoo, Equifax, NATO secrets, hospital medical records, Facebook activity, and so on. Most data breaches occur because organisations do little to protect the information entrusted to them to keep our information confidential. To curb the escalating trend of data loss, and in response to consumer complaints, governments have passed strict regulations mandating how personal and sensitive information must be protected. And to get the point across and ensure the message is not ignored, swift legal actions are unfolding the world over.
Personal Data and Sensitive Data Collected by Businesses
Many businesses have been collecting information for decades, so some of this will seem unreasonable and overreaching; but it’s the new world of data protection, and no business, organisation, or non-profit is exempt. (Actually, regarding the GDPR the Red Cross is exempt, and there are a few other interesting exemptions, but you get the point.)
Many businesses collect common types of data, such as:
information submitted by existing customers,
performance reports of employees,
names and contact details of colleagues from other companies,
personal financial disclosure,
identity data such as passport numbers,
gender and sexual orientation,
criminal record disclosure,
It’s not wrong to collect information necessary operate your business effectively, but you must have a lawful basis for doing so, and you must implement measures required by new regulations. I want to ensure you have awareness about what to do, understand the reasons behind these new international measures, and why “I personally believe” in these new practices on the international data protection scene.
Data Protection and Why It Matters
Because personal and sensitive information would be highly damaging to the data subject if it was unlawfully disclosed (i.e. found through a Google search due to theft or breach), it is regulated by governments around the world, and it is required to be protected. If a breach of records occurred, your organization could face lawsuits from employees and your customers; your organisation could also face administrative procedures from regulatory authorities, lawsuits from attorneys general, and undergo grave reputational damage. Even worse, the emotional damage it would inflict upon the individual could be grave, depending upon what you collected and lost.
For instance, a university recently gave our firm permission to conduct a vulnerability scan and penetration test. Within a day, we had quietly penetrated every database that stored student data, access sensitive student information. Using that information, it would be possible to digitally pose as the student, open bank accounts, apply for loans, seek medical coverage under someone else’s name, acquire a mobile phone account, and so on.
We must remember that the information collected about others does not belong to your organization; it belongs to each individual. We are entrusted to safeguard it, and we may only use it for the purpose for which we state it will be used (this is called purpose specification). It cannot be sold or shared with others, as some claim Facebook did, or it violates regulations. But in my view, it also violates ethics because information has become an asset, and the asset belongs to its rightful owner.
We must change our mindset of thinking. No longer are the largest companies the automotive manufacturers and the oil giants; the landscape has changed, and the world’s richest companies produce data: Microsoft, Amazon, Google, Facebook, Instagram, etc. Information is the single-largest commodity, especially our personal information, and it affords the protections given to tangible assets. So I challenge us to change our mindset of thinking, not only to practice these things, but to “want” to practice these protective measures. For how we treat and respect the personal information of our customers and employees is a reflection of how we treat and respect these individuals.
Implementing a Data Protection Programme
To quote a European regulation, organisations are required to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” (Article 32 of the EU’s GDPR). Other regulations around the world require similar measures. But what does this mean and how is it done?
This site contains data protection guidance, templates, tools and helpful commentary to facilitate compliance with data protection regulations. You may use anything on this site free of charge. However, I realise some organisations may need help with data protection specificities. Just as we need doctors and lawyers and accountants for many specialized practices, do not be discouraged if you need specific data protection guidance from a data protection practitioner.
You may be perusing this site for specific reasons, such as needing help writing a privacy notice for your website, or to understand your obligations with website cookies by way of example. Depending on the need, there are many areas of guidance, and the website is growing with content for businesses everywhere.
Some of you may be interested in implementing an overarching data protection programme with a systematic approach. If that is the goal, then contact us for assistance. We often implement a number of ISO/IEC 27000 frameworks in order to apply best international practices.
Concluding Thoughts and Next Steps
It is my hope that this website and the resources herein foster awareness and facilitate helpfulness as your organisation works toward compliance. Use anything posted here as needed and check back for updated content. Post your questions, and we’ll aim to provide guidance.
Some practices are not practical to accomplish without competency in the area. If you need the assistance of our firm, we will be happy to help.
Very best regards,