Data privacy strategy – what about your data protection strategy?

In today's information-focussed society, data is one of the most valuable resources – and this certainly also applies to your company. But do you manage your data and information as strategically as you manage your other assets? Against the backdrop of compliance obligations and increasingly sophisticated cyber attacks, data protection is moving to the forefront. In this article, we will teach you the 10 most important aspects of a data protection strategy!

Companies store, process and exchange a wide variety of data, such as customer information, patient data, population data and employee data. This data is subject to a variety of laws. At the same time, customers are becoming increasingly aware that their personal data is valuable and that they also have a right to digital privacy. This is reflected in the legal framework, for example the European Union's General Data Protection Regulation (GDPR) and the draft of the new Swiss Data Protection Act. These laws give data subjects more rights and impose more obligations on data processors.

Data protection is also becoming an increasingly important factor in deciding whether customers do business with you or not. We refer to this aspect as "data trust", meaning customers' perceptions of the extent to which they can rely on their information/data being properly managed and protected.

Data protection as a competitive advantage

A company develops data trust by demonstrating integrity, transparency and commitment to the collection and processing of personal data. It is based on a strategic commitment to protect the customers' privacy. Forward-thinking, proactive organisations have recognized this and have integrated data protection as a core part of their business strategy. Let's cut to the chase – data protection is complex, but it also creates a competitive advantage.

Ensuring data protection is a particularly difficult challenge for businesses today. 2018 was a difficult year in terms of data protection, and in some cases breaches had a massive impact on the affected companies' reputation and finances. To give just a few examples: at Facebook, a data breach affected 50 million records, at Google+ half a million and at Marriott International 500 million.

10 points for a successful data protection strategy

In Q1 2019, ITRC (Identity Theft Resource Center) again collected more than 100 breaches, with more than 2 million records exposed. In most of the cases (but unfortunately not all) the data protection breaches were unintentional.

In view of cyber crime's accelerated development and the more stringent data protection laws worldwide, companies should establish clear rules for protecting private data. In most cases, however, this requires significant modifications to processes and the corporate culture, something that is difficult unless there is a sound strategy in place. We have compiled the 10 most important elements for you:

  1. Management support: data protection is a management task. Without the active support of managers, it is highly likely that efforts will fail.

  2. Appointing a data protection officer (DPO): Depending on the size of the company or the type of data collected/stored in the company, a DPO must be appointed (either as an internal role or an external appointment, as applicable). Some regulations such as the GDPR even require a formal DPO or, for non-EU companies, a representative in the EU. We have compiled the tasks that a DPO has to carry out in a graphic that is available as a free download (Poster DPO).
  3. Identifying and classifying data: To be able to protect something, you need to know "something" about it first. What do we mean by this? For all information stored and processed by your company, suppliers or partners, in both electronic and printed form, you need to understand what kind of data is being collected, where and how it is stored, what it is used for, whether it is shared with another organisation or group (even in third countries) and how long it is kept for.

  4. Understanding the requirements: This refers to the way in which the data protection requirements are applied to the identified data and processes. The requirements depend on various factors such as the type of data (stored/processed), the industry, the country, etc.

  5. Analyzing the data protection risks: An analysis of vulnerabilities, sources of threats and their impact on data protection and security is also important, especially for active business processes.

  6. Drawing up data protection guidelines: You need to document and communicate general privacy policies including strategic aspects, goals, processes, company plans, etc.

  7. Establishing data protection procedures: It is necessary to document procedures and processes for day-to-day work. These include steps to be taken for customer consent, record retention, secure data disposal, international data transfer and complaint handling.

  8. Establishing data protection monitoring: Depending on the company's data protection requirements and its risk appetite, a number of (technical and organisational) controls are required. The aim of each control is to reduce, avoid, transfer or accept a risk.

  9. Training and awareness-raising concerning data protection: All employees must be trained and made aware of the issue of data protection. All of them are subject to basic requirements for handling personal data. But don't forget to include more advanced measures for specialist functions such as IT staff, the security team, the legal department, auditors and even the privacy officer.

  10. Monitoring and compliance: Ensuring that data is protected is a never-ending process. It includes checking compliance with the guidelines, identifying new risks and making the resulting improvements, again and again.

Where are you when it comes to implementing data protection requirements?

You might be thinking, "It's easier said than done". If so, then you are like many other companies, and that includes our customers. Numerous national and international guidelines and data protection acts demand a wide range of security measures that affect not only your organisation and processes but also your infrastructure. Where do you stand at present in terms of implementing your data protection strategy?

  • Are you still right at the beginning, wanting to implement effective data protection in your company and needing information on what to consider?
  • Are you in the process of adapting processes in your company and unsure what you need to take into account to implement them in accordance with data protection regulations?
  • Or have you already defined a suitable strategy and appointed a data protection officer (DPO) who is responsible for data protection, but would like to know which tools can be used to monitor compliance with legal and regulatory requirements most efficiently?

…then we should definitely have a conversation!

Data protection should be in the hands of experts

We assist you with analyzing and defining an effective data protection strategy and implementing appropriate measures to ensure that legal requirements are consistently complied with. This is why you should rely on the cooperation of our experienced data protection experts. They can support you not only strategically, but also within the framework of a mandate.

InfoGuard DPO-as-a-Service


About the author / Reinhold Zurfluh

InfoGuard AG - Reinhold Zurfluh, Head of Marketing, Member of the Management
