According to several cybersecurity reports, a significant share of data breaches and security incidents are caused by employee negligence or error. Although most of these incidents are unintentional, it is critical that your organisation put in place forward-thinking privacy and security programmes to mitigate risk and protect your business.
Privacy became a critical point of focus for many global organisations when the European Union enacted the General Data Protection Regulation, a law that seeks to better protect the personal data of individuals in the EU. While many individuals across the world were already skeptical about how organisations used their personal data, the GDPR spurred further concerns over data ownership and secondary data usage – and put the onus on businesses to comply and ensure personal data is properly processed. Moreover, it drove many of those same organisations and others to consider adopting the GDPR’s privacy principles and security measures across all personal data processing activities.
The future of privacy and security remains somewhat unclear and situationally dependent for every organisation, but what we do know is that personnel must be educated, trained, and held accountable for privacy and security compliance measures.
Furthering the critical notion of employee-wide training is the fact that regulatory penalties and data breaches impact companies across the globe. Recently, companies like Google, British Airways, Equifax, and Marriott faced significant regulatory penalties, or proposed penalties, over data breaches and other failures in how they handled individuals’ personal data. Many of these breaches can be attributed to criminal hacking, but they also stem from unaddressed internal vulnerabilities and security culture failures.
Privacy and security continue to evolve as global concerns. The GDPR has certainly prompted other jurisdictions to consider and pass data protection and privacy legislation. In the United States, however, the absence of comprehensive federal legislation has led some states to create their own patchwork of privacy laws. California was the first state to do this with the California Consumer Privacy Act. The Act is currently set to go into effect on January 1, 2020, and a multitude of other state privacy laws loom behind it. Without critical and timely preparation efforts now, many organisations will arguably be unable to sustain compliance with the forthcoming plethora of data protection and privacy laws.
Every U.S. organisation needs to ensure its personnel, regardless of role, understand the key tenets of privacy and security. While many default to thinking a topic like data protection and privacy compliance falls under the purview of legal professionals, experts from the International Association of Privacy Professionals agree that a joint committee combining legal, practical, and operational expertise provides stronger privacy and security risk mitigation, and ensures the best approach towards compliance.
IAPP points to Facebook’s recent challenges, with the organisation becoming the source of one of the largest breaches of personal data to date, as a strong example. The organisation had a full, competent legal team, a security team, and a data protection management programme in place at the time of the breach, yet it still exposed itself to risk because business teams, engineers, and operational leaders were not regularly involved.
Legal expertise is certainly required to thoroughly understand legislation and accurately craft policies and contracts; however, it cannot fully protect your organisation without operational compliance and the widespread knowledge needed to carry out preventative policies and procedures.
While everyone in the organisation is ultimately responsible, your legal and IT departments are typically the first touchpoints to initiate and maintain privacy and security programmes, policies, and procedures.
Your legal department (often alongside your CEO and board) is likely to determine the strategic approach your organisation will take to address data-related risks. This includes how both current and upcoming legislation are expected to impact the policies and programmes that govern how your organisation operates.
Likewise, your security and IT departments should closely collaborate with the legal department to develop and operationalise privacy and security programmes, policies, and procedures. Selecting and adhering to a recognised framework, such as ISO 27001, helps ensure alignment with industry best practices. That not only better positions your organisation to manage privacy and security risks such as vendor alignment, but also to meet the privacy and security requirements your partners place on you through your own programme.
To ensure information about applicable laws and regulations reaches all personnel, you may also consider identifying a cross-functional leadership team to work with your legal department. Lastly, never forget that continuous training is critical as both your organisation and the data protection and privacy legal landscape evolve.
HR and talent acquisition departments are responsible for safeguarding all personal data received from personnel and job candidates. This includes typical job application fields such as age, address, and marital status, as well as salary details and information collected during the interview and screening process.
When thinking about overarching privacy and security issues, HR and talent acquisition stakeholders need a regular outlet to report transparently on their current information collection processes and their use of technology. This way, they are prepared to navigate this evolving landscape and are aligned with your organisational objectives to proactively seek out and mitigate risk.
To quickly comply with current and pending legislation, HR can likely repurpose its GDPR remediation plans to comply with the California Consumer Privacy Act and future privacy laws. As a reminder, another critical aspect of data protection and privacy compliance for HR and talent acquisition teams is the appropriate vetting and oversight of third-party suppliers. As such, organisations must assess all third-party suppliers, both at onboarding and on an ongoing basis, for activities such as background checks, CV parsing, and any other processing of personal data performed on the organisation’s behalf.
Compliance burdens and the responsibility to secure personal data will increase as your organisation gains more access to it. At the same time, publicised data breaches continue to have mounting repercussions, such as tarnishing brand reputations and heightening concerns among personnel, consumers, and suppliers alike. Therefore, your organisation’s current and future success hinges upon the steps you take now to ensure compliance and mitigate privacy and security risks.
By Josh Torres
Josh Torres serves as corporate regulatory & privacy counsel at iCIMS, Inc. Torres brings more than 10 years of corporate law experience to iCIMS, including a highly regarded specialisation in privacy law. Torres is one of a select few members to be named a Privacy Law Specialist (PLS) by the International Association of Privacy Professionals (IAPP), an exclusive designation that recognises a select group of leaders that successfully demonstrate a knowledge of relevant privacy laws, regulation and technology; a commitment to staying ahead of new developments in the field; and substantial time devoted to practicing law related to safeguarding personal information.