Facit Data Systems

A ‘wait and see’ attitude is simply not viable when it comes to data privacy management

Why do compliance managers with a particular outlook wait for events to overtake them before investing in cost-effective technology that prevents business disruption, reputational damage and fines?

Businesses should not take a ‘wait and see’ attitude to data privacy management

Why don’t some organisations allocate a moderate budget to insure against heavy data breach fines, to guard against reputational damage, and to be able to promote their best-practice approach to data privacy?

In the video data privacy sphere, Facit works with progressive organisations around the world that embrace technology and expert advice as a means to empower compliance professionals, to protect staff, and to guarantee the data privacy of customers.

We also encounter Security and Compliance Managers who take a ‘wait and see’ attitude to potential data breaches. That is, they are prepared to wait until a crisis arises before they take action to mitigate very real risks.

They even wait until the pressure of data subject access requests (DSARs) mounts to a level where they are forced to take action, rather than change processes, increase privacy accuracy and reduce the effort to fulfil DSARs.

How quickly does a data breach impact a company?

Part 3 of the Data Protection Act 2018 introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, those individuals must also be informed without undue delay. Therefore, the ICO recommends that you ensure that you have robust breach detection, investigation and internal reporting procedures in place.

So, the answer to the question of how long it takes for a breach to impact a business is: instantly. The very word ‘breach’ means that it is too late to implement effective preventative measures. Plus, the press, interest groups and customers will be quick to spread and amplify the bad news.

Why doesn’t everyone in a position of responsibility take advantage of cost-effective technology to guard against potential video data breaches that can lead to losses and damage?

The largest GDPR fines should provide a warning to all

The largest GDPR fine up to 2023 was imposed on Amazon (€746 million). Other well-known brands among the recipients of the 20 largest GDPR fines include Google, Meta, H&M, British Airways and Marriott.

The Amazon fine followed an investigation into how Amazon processes the personal data of its customers. The investigation found infringements relating to Amazon’s advertising targeting system, which was carried out without proper consent.

While the largest fines have been imposed on some of the world’s largest businesses, smaller companies have not escaped attention and sanctions. The number of fines increased seven-fold year-on-year in 2022, and there was an average of 356 notifications a day, according to Digital Guardian.

UK managers’ attitude to risk

A manager's natural disposition towards risk - their response to it and their capacity to manage it - will distinguish them from their peers and influence their managerial or leadership style. A study by Dundee University on the Attitude of UK Managers to Risk has been published online.

The research authors found that managers’ personal attitudes to risk were often more important than risk management systems.

The study suggests that businesses should recognise that managers may view the same situation very differently depending on their personal and organisational backgrounds and on the way that they perceive risk.

The study concludes that “managers tend to ignore probabilities”, which is why we at Facit believe that some security and compliance professionals adopt a ‘wait and see’ attitude that is highly likely to lead to a strain on resources and processes.

Building a robust privacy risk management strategy

One solid approach to privacy risk management is to partner with an expert or supplier whose technical expertise complements the strengths of the client organisation. This is an accurate description of the way in which Facit works consultatively with customers to identify privacy risks and implement cost-effective preventative solutions.

Internally, organisations should be wary of managers with biases that might affect their attitude to risk. Establishing multi-disciplinary forums or committees to consider risks helps to ensure that different aspects of the inherent risks and biases will be recognised when making risk management decisions. Managers from different disciplines (e.g., finance, production, marketing) can provide their own insights about the riskiness of a problem, and anticipate risks before they arise.

Choose the right data privacy management partner

At Facit we have a comprehensive understanding of the challenges and potential pitfalls faced by compliance teams around the world. We offer organisation-specific and region-specific advice on data privacy management. If you are unsure about your team’s risk biases or the reliability of your risk management systems, draw on our experience and get in touch for a no-obligation review.