Data Protection is a form of Governance, Risk Management and Compliance (GRC)

2021-06-04

Business Environment Forces


Our current business environment is driven by growing forces such as data sharing, digital transformation and mobile devices. According to SeedScientific, the data sharing economy grew to 44 zettabytes in 2020, and by 2025 it is expected to grow by 463 exabytes daily. The four top tech firms, Microsoft, Google, Facebook and Amazon, already hold 1,200 petabytes of personal information, and e-commerce now processes a whopping $1B worth of transactions per minute.

Meanwhile, the rise of the mobile phone continues: We Are Social and HootSuite research suggests there are now more than 5.19B people using mobile phones. On average, people spend about 6 hours and 43 minutes connected to the internet each day. Mobile’s share of internet time is more than 50%.

These business forces and a regulatory regime of data privacy and protection affect every organisation. The main issues for companies are regulatory exposure, business losses, partner trust and, most definitely, customer trust.

From a regulatory standpoint, getting these issues wrong means that companies can be exposed to suspension of critical business applications that handle personal data (e.g. e-commerce portals), fines and, in some jurisdictions, even jail terms. At the same time, they will lose the trust of consumers, who look to the government and regulators for a secure and trustworthy environment in which to conduct their daily transactions.

According to recent IBM/Ponemon research, small to medium sized businesses that suffered data breaches incur average losses of $3.9M, on top of which it costs the company about $156 per personal data record to recover from the breach. Many organisations are therefore moving to ensure that the vendors they engage in connection with personal data processing provide reasonable levels of information security. They increasingly understand that vendor relationships bring significant risks to the company’s reputation.

Once again, customer trust in the digital economy is pivotal to increasing customer reach and growing businesses.


Principled Performance in Data Protection


Let’s take the case of an advertising firm in Singapore which was fined S$10,000 by the regulator. The firm kept customer information after the conclusion of its marketing services for another company. Even worse, it held the customer information in an unsecured database. The advertising company failed to recognise the risks involved, had no data protection programme and did not even have a person in charge of data protection compliance.

This advertising firm showed a clear failure to put together a Governance, Risk Management and Compliance (GRC) structure that includes a Data Protection Management Programme (DPMP). If the company had had a GRC programme, it would have identified that a DPMP was required. With a DPMP in place, it would have been able to identify not only the risk in its unsecured storage of customer information, but also the risk in not having a processing contract and in not designating an individual with ownership to lead its data protection activities.

In the accelerating digital transformation of the business environment, data is now the currency commanded by mobile devices. Consequently, organisations also need to keep an eye on having a holistic approach to governance, risk management and compliance with the aim of pursuing ethical business practices.

Short term goals are only useful if they supplement long-term objectives. Thus, the company needs to adopt a reliable way to achieve its objectives while addressing uncertainties and continuing to act with integrity. The GRC concept developed by the Open Compliance and Ethics Group (OCEG) does exactly that and rings more true than ever amid the pandemic and great economic uncertainty.


Embedding GRC in Business Process


Personal data is a big commodity that must be governed through a “Data Protection Management Programme” that takes account of all stages of the data governance management lifecycle. For each part of the lifecycle, risks need to be identified and their impact on the business calibrated. These risks should be mitigated at the business process level, and risk management activities should be communicated to all stakeholders so that everyone is aware of corporate level risk. The company also needs to be ready to respond to security and breach incidents, with clear plans and responsibilities, to ensure uncertainties are addressed and mitigated.

In sustaining the company’s DPMP as part of its GRC strategy, the organisation should also look beyond the requirements of the law, work towards optimising its efforts with regular reviews and adapt accordingly to the forces in the business environment. Even if the law does not require something, your customer might.

Similar to the concept of Privacy by Design, GRC activities need to be embedded in the business line process of the organisation and become part of the business fabric itself. Embedding a DPMP as part of an overall GRC game plan will reduce the burden of compliance on the organisation and translate the company’s GRC programme into a powerful business enabler.


Upskilling to manage Governance, Risk and Compliance


It is important for an organisation to identify and mitigate risks. This is where awareness and training can help the DPO and the organisation.

  • Participate in webinars to learn and discuss what constitutes an effective Governance, Risk Management and Compliance (GRC) framework to reduce the risks associated with business operations and compliance.
  • Upskill your knowledge through courses on GRC.
  • Join the DPEXNetwork community, be active in exchanging ideas and best practices, and network with fellow GRC professionals.


A GRC framework in a company is to be taken as a business enabler and not a barrier. The following testimonial attests to how practical GRC training is:

"Coming from the compliance angle, the key takeaway is: those managing GRC in a company have to be taken as a business partner and an enabler in the business and not a barrier. None of us are in a silo. This GRC course (especially Principled Performance) ties all the departments together to reliably meet the company’s objectives whilst addressing uncertainties and acting with integrity."

      - Senior Executive in Compliance Dept of an Insurance Company




Article contributed by: Edwin Concepcion, FIP, CIPM, CIPT, CIPP/E

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.

Sources: 

1. SeedScientific: https://seedscientific.com/how-much-data-is-created-every-day/
2. We Are Social: https://wearesocial.com/blog/2020/01/digital-2020-3-8-billion-people-use-social-media



