It is undeniable that we are more than ever concerned for our privacy and all the related cyberspace threads. All kind of personal data are collected, stored, processed and used on an unprecedented scale, enabling individuals and organisations alike, to carry out their day-to-day functions more efficiently. This intangible information has become a key asset fueling “information economy”. The increasing amount of large-scale, well-publicised breaches suggests that not only are the number of security breaches going up but they’re increasing in severity, as well. As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority.
Personal data reveals our lives to others and, as such, its use and abuse engage and impinge on the right to privacy. As information increases in value, the appropriateness of the legal regime protecting personal data and privacy becomes increasingly important in order to balance the needs of individuals, commerce and society as a whole.
Cyber-security features are listed high on leaders’ agendas and is a top priority in every boardroom around the world. Each business has its own network of connections, often stretching across the globe. A 2017 study of 254 companies across seven (7) countries mentions that the annual cost of responding to cyberattacks is £11.7 million per company, a year-on-year increase of 27.4%. The cost of cybercrime to businesses over the next five years is expected to be US$8 trillion. The list of companies that have already been hacked, attacked and breached is huge.
The six elements to a successful compliance programme
A good framework that guarantees data privacy for your clients and employees shall be consisting of the following elements:
1. Review the existing data protection laws and cyber security policies, and follow the Guidelines and opinions of the Commissioner for the Data Protection of Cyprus
The European Parliament voted on the General Data Protection Regulation (GDPR) in May 2016 which came into force in May 2018. This newly adopted legislation, not only approaches the protection of personal data as such, but moves a step forward and considers data privacy and security. GDPR is a regulation which should be followed rigidly across Europe to maintain the protection of personal data. It will improve data subjects' privacy protection and facilitate organisations' and companies' work through its stricter and more detailed provisions. All companies handling EU residents' personal data or monitoring data subjects' behaviour within the EU, regardless of where they are based are governed by the GDPR. This indicates that non-EU and international companies have to comply with both their national legislation and the GDPR. You may find the GDPR by clicking here.
In order to get a better insight on how the Regulation is being implemented in Cyprus you may also check the Commissioner’s website by clicking here.
Also, the EU's independent data protection authority periodically publishes Guidelines on the application of GDPR. Guidance is available here.
The Organisation for Economic Cooperation and Development (OECD) has developed Guidelines on the Protection of Privacy and Transborder Flows of Personal Data which you can find here. Cyprus is not a member of the OECD but the Guidelines are helpful when your business transfers data to Countries that are members of OECD.
2. Have an overall compliance strategy
Many organisations do not have a comprehensive, integrated, measurable, and centralised strategy for achieving data privacy compliance. However, this is extremely important and can be achieved by having a high-level set of principles/policies and documentation defining the measures the organisation shall take (as defined by applicable laws). All key stakeholders and departments of the organisation must be represented.
A privacy compliant organisation provides solid administrative, technical, and physical security safeguards to ensure confidentiality, integrity and availability of data. This includes the effective ability to detect and prevent unauthorised or inappropriate access to data. Information security must constantly be assessed, monitored and updated to meet new threats.
Data sharing must also be carried out under a strict set of controls and policies.
3. Evaluate your security procedures and appoint IT experts
Layering your security capabilities is the best approach because hackers will have to infiltrate multiple safeguards before accessing any sensitive data. Tools such as firewalls, encryption, secure file sharing and antivirus software all protect sensitive data from falling into the wrong hands. If your cloud-based data storage service offers security tools, you should still configure your own safety measures. Limit cloud access to employees and use an extra layer of protection, such as multi-factor authentication (MFA) or single sign-on (SSO).
Do not neglect to back up data frequently so that in case a violation occurs, your system restores quickly and easily with the most current data. Ensure that all virus scanning software is updated and delete any suspicious files immediately.
Also, conduct screening and background checks on new hires and mandate security training
Note that security can be ensured by enforcing restrictive data permissions. Some of your online folders, should be accessible only by those who need them and no-one else. This adds an additional layer of security to your important business information. Furthermore, it facilitates narrowing down a culprit in case your business is attacked from within the business.
4. Change the culture. Train your employees to follow security procedures and develop a response strategy plan.
One of the most common causes of data breaches or successful malware attacks is human error. Your data security depends on employees understanding the siginificance and following all the policies and procedures. The best practice is to train your employees regularly on how to encrypt data, how to generate strong passwords, how to properly file and store data and how to avoid malware.
Limiting employee access to websites outside the scope of their daily duties can as well be helpful. No system is perfect despite full adherence to compliance policies. Cyberattacks and data breaches continue to outsmart some of the best systems. The impact of an intrusion can be mitigated through an effective data breach response plan and escalation process. Employees responsible for breach response should be trained on these plans and how to use escalation channels. Educated workforce is your best defense.
The corrective actions in the response plan must be implemented and documented as proactive preventive measures so that an incident is not repeated. Run a drill of your response plan (and refine, if necessary) so that your staff can detect the breach quickly should an incident occur. Ultimately, the best thing you can do is to have a security-firstmentality.
5. Protect remotely used information
Poor data practices extend beyond password issues. Taking work home via a USB drive or by emailing it to a personal email can expose the data to security risks. An employee’s use of personal mobile phone or tablet can also expose your data. Start by conducting an audit of how everyone in your business accesses data and then develop policies to ensure that appropriate safeguards are in place. Install an enterprise-level firewall, anti-virus and malware programs on all devices that access company data.
6. Consider cyber security risks outside your business
Choose to co-operate with suppliers and third parties who adhere to specific cyber security standards, codes of good practice or appropriate international standards (i.e. depending on the circumstances, ISO 27001). In this way the possibility of a data breach is mitigated.
Cyber criminals are constantly devising new methods of attacking, exploiting and interfering with computer and communication technologies and are likely to threaten your business at some point.
Protections and challenges revolving around the use of private information shall only be increasing in the future. The practical steps briefly analysed here, will assist you to achieve high compliance with the GDPR provisions and to protect your client’s personal data.