Data Privacy & Security - The critical role of effective Policy Management
Security pundits state that it is not a case of IF a company will be the victim of a cyber attack, but WHEN. And with increasingly sophisticated attacks that target the weakest link, which is invariably people (we are all human, after all), many organisations are still trying to work out what the best defence is.
If it really is a case of when, not if, your organisation suffers a serious cyber attack, then it becomes a question of damage limitation. If you can prove that you did everything in your power to avoid a data breach, your corporate brand reputation will survive, and you may well avoid the worst of the industry fines. A case in point is the recent high-profile attack on British Airways, where it is estimated that details of around 380,000 booking transactions were stolen, including bank card numbers, expiry dates and CVV codes. This is likely to prove a test case for the new GDPR regulations, where the maximum fine, 4% of global turnover, could be £500 million, plus any additional compensation to customers. However, commentators are already saying that if BA can prove they followed basic security controls, the fine could and should be much lower, and it certainly makes no sense to force a company into insolvency.
How DO you prove data compliance?
So, the million dollar question (or in this case, the £500m question!): how do you prove that you had procedures in place, and that your staff understood and followed them? In short, how do you meet the burden of proof?
Having a central solution that manages all policies and procedures is a huge step forward in gaining staff buy-in. A central repository for all procedures and policies ensures there is only one version of the truth, and that it is easy for staff to find. Not only that, a system that informs staff when policies change or are amended, and tests them on their understanding, goes a long way to improving staff engagement. It also acts as a safety valve, because it raises alerts where staff do not understand a policy, so that additional training can be arranged.
All of this is auditable, providing the proof that you really did do everything possible to meet regulations, comply with GDPR, and satisfy the myriad of legislation that applies to running almost any size of business.
By Jenny Ritson-Smith at 29 Oct 2018, 10:00 AM