[Photo: every inch of a fence covered in multi-colored locks. PHOTO: Alexander Schimmeck]

Digital transformation is gathering speed, and the global business community’s demand for data is growing.

As privacy legislation tightens around the world, that data will only remain available so long as consumers trust companies to keep their private details safe, and on that front we face an uphill struggle.

A recent PwC report found that just a quarter of consumers believe companies “handle their sensitive data responsibly.” Much of this can be attributed to the threat of “hacks and cyber-attacks,” to which 69% of consumers feel companies are vulnerable.

The World Economic Forum identifies cyber-attacks as the second-highest business risk, and 61% of businesses reported cyber incidents this year compared with 45% in 2018. Not only trust is at stake. The annual Cost of a Data Breach Report from IBM Security and the Ponemon Institute (published via Security Intelligence) put the global average cost of a data breach at $3.92 million, a 1.5% increase on the 2018 study.

This has played out emphatically on the corporate stage, where Marriott International faces a $126 million data breach charge, and the FTC has approved a $5 billion fine to settle an investigation into Facebook’s data handling failures in the wake of the Cambridge Analytica scandal.

In short, any CEO who is not concerned about data privacy, cyber resilience and tightening security regulation won't be in the job long enough to start worrying. So, what needs to be done?


Less Calculation, More Commitment

Fines might incentivize action, but they risk putting bosses in a cynical, cost-focused mindset: spend enough on data governance tooling and compliance is taken care of. That is simply not enough. Real success in data protection requires integrity, since it is consumer trust we are dealing with. It comes from understanding that compliance is an ongoing journey, not a destination reached by ticking boxes.

CEOs need to look to the example set by the EU’s General Data Protection Regulation (GDPR), which is driving better data governance around the world.

Built upon accountability, transparency and control, the GDPR advocates an ethical approach to data privacy programs, and it is influencing change at the highest levels.

During Mark Zuckerberg's Congressional hearings after Cambridge Analytica, a Republican lawmaker asked the Facebook chief to discuss the merits of the GDPR. David Carroll, the New York professor and star of The Great Hack, whose data subject access request (DSAR) lit the fuse that eventually blew the scandal wide open, comments:

“Before Cambridge Analytica, that would have been impossible to even imagine — a conservative Republican asking a Silicon Valley tech giant what he thought about the good aspects of European law .... That very conservative Republicans are open to regulating the tech industry in the US is a sea change.”

That sea change is taking place as we speak on the US west coast, where the California Consumer Privacy Act (CCPA) is pioneering data law in a country that still has no blanket federal legislation. States such as Maine, Nevada, Louisiana, New Jersey, Texas, Vermont, New York and Washington currently have their own bills in varying stages of discussion and amendment.

It's safe to consider this the thin end of the legislative wedge, as more countries, and more states within them, recognize the power and value of ethically driven data privacy initiatives.


CEOs' Charge: Create a Culture of Privacy

CEOs need to consider the extent to which the CCPA and the EU's GDPR apply to them. Proactive bosses will undoubtedly have the edge, as Teresa Troester-Falk, chief global privacy strategist at Nymity, put it: "Companies that are now broadly compliant with GDPR will have taken several key steps during this process that can also be used to ensure compliance with the CCPA as well as several of the other state laws undergoing proposal in the US."

On the shop floor, the CCPA will demand more efficient processes and protocols, including an end to silo culture, so that privacy and security teams are empowered to work together coherently rather than in parallel.

Remember accountability, transparency and control: IT practitioners will need a current inventory of where personal data resides in the company, where it comes from, where it goes, with whom it is shared, and whether the data subject knows what is happening to it. Without that map, a data subject access request or a deletion request cannot be answered with confidence.

Embraced as a boardroom concern, privacy should be nourished by programs of awareness, education and engagement for all employees. The best CEOs will adopt a "when," not "if," mindset, preparing and rehearsing an incident response plan and backup and recovery procedures before a data incident strikes, rather than improvising once it has.

New laws such as the CCPA are spearheading the US's drive to catch up with Europe and with the realities driving the evolution of the digital world.

Heavy fines are to be avoided, but only an ethical approach can build a culture of privacy that fosters trust and real value, creating an environment in which data protection works for the company and the people it serves, not against them.