Creating a baseline for data privacy

One of the biggest risks that any organization faces today is a data breach, and if it handles personal user information, strong data management becomes an even more critical practice. In the event of a breach, a quick and effective incident response can help mitigate negative consequences. However, this calls for stringent regulations that ensure personal data is protected and that the individual has authority over the use of their data.

In an age when breaches have become an everyday story and digital platforms are utilising user data to provide personalised products and services, Anoop Ravindra, IT GRC Practice Head at ProVise GRC Lab, discusses the significance of having a privacy regulation like GDPR and how it is beneficial not only for individuals but also for organizations.

Ravindra says that, first and foremost, it is important to understand that GDPR is nothing new: different privacy laws have prevailed in Europe for a long time. What GDPR has done is consolidate them into a unified regulation for the entire region.

He goes on to add that GDPR will benefit organizations in terms of data minimization and an improved overall security posture. “Organizations store massive amounts of data and almost 80% of this data is unstructured. GDPR will force these organizations to look through their data and understand what data they have collected, where it will be used and who has access to this data.”

ProVise works with regional organizations to help them understand where the stored data is being collected from, who has access to it, how it will be shared and the risks associated with the same. “We have a phased approach to work with organizations that need to comply with GDPR. This approach helps identify readiness, assess the impact, discovery of data, protection impact analysis and implementation plan, identification of roles and institutionalization of practices to ensure on-going compliance.”

We also guide them in identifying who will be responsible for GDPR implementation to avoid huge fines that non-compliance can impose. Ravindra emphasizes that, for successful implementation, the drive needs to come from senior management, who then need to appoint a CISO or data protection officer who can lead the team.

General awareness of GDPR and its applicability saw a slight rise last year; however, acceptance and implementation have been rather slow. While the 25th May deadline looms not far away, the region still remains far behind in understanding whether GDPR applies to them or not, especially when there is no local law that compels businesses to abide by it.

Here Ravindra stresses that organizations must not view GDPR as a privacy law that protects European citizens’ personal information. It must be viewed as a process that will help them streamline stored data, refine cyber security practices and bring proper incident management processes into place. “In an age when a huge volume of data is being generated, sifting through the yet-unstructured data will improve any organization’s processes, enabling them to utilize important data and throw away that which is not required. Considering how data breaches have become commonplace, in the end, one can hope that this regulation will create a much-needed baseline for privacy laws and push other countries to follow suit,” he concludes.