Organisations collect personal data at a prodigious rate – sometimes on purpose, but often just as a side effect of doing business.

At the same time, regulations around private data are becoming stricter and more numerous. So, how can you be sure you're doing everything required to protect your data?

Clearly, many organisations struggle. An ISACA study found that fewer than half (42%) of IT and business professionals are confident in their privacy team's ability to ensure data privacy and comply with new privacy laws and regulations.

Meanwhile, fines for GDPR breaches are mounting – totalling more than €1.5bn in the first half of 2023, according to the GDPR Enforcement Tracker.

Gold standard
Although by no means the only relevant regulation, the EU's General Data Protection Regulation (GDPR) is in many ways the gold standard of protection laws and a useful yardstick for judging how well organisations as a whole deal with their data obligations.

"While there has been a lot of publicity and awareness around GDPR there is still a lot of misunderstanding among some organisations as to how it applies to them," says Brian Honan, CEO of BH Consulting. “Some organisations get confused; they don’t realise GPDR is a regulation to protect people's human rights and not a cyber security or IT issue."

Honan adds: "While there is a strong GDPR focus on security, that is only one part of its directive. Managing and respecting the rights of data subjects is core to GDPR and these mandate covers areas that are not specific to IT."

Not just the CISO’s problem
Put simply, the issue of data protection is one for the entire business.

"Most privacy roles are composed of legal professionals, not technical IT staff, even though the most reported privacy failures stem from data breaches and a lack of technical training," says Chris Dimitriadis, global chief strategy officer at ISACA.

And teams are mostly understaffed, he adds. "Building strong teams with a robust skillset is a challenge – one in five businesses said it takes them more than six months to fill a technical privacy position, and 41% said their privacy budgets are underfunded."

Focus in on privacy
With responsibilities spread across the organisation, it helps to bring some focus to your privacy efforts.

"Organisations will achieve better outcomes and economies of scale if they combine both their security and compliance teams under a single person, such as the CIO," argues Mark Guntrip, senior director of cyber security strategy at Menlo Security.

And don't hesitate to look outside your own organisation. According to Dr Johannes Ullrich, dean of research at SANS Technology Institute: "A CISO is not able to track the wide range of regulations alone. Retaining a law firm specialising in this problem is almost inevitable to assist you in creating a program to monitor compliance with these regulations."

And don't take your eye off the ball. Keeping private data secure and the company compliant is a permanent process. "I recommend that organisations regularly review the effectiveness of their privacy programme and should look to regularly audit those programs or to align them with privacy certifications such as EuroPrivacy or with the ISO 27701 Privacy Extension to the ISO 27001 Information Security Standard," says Honan.

Taking the issue by the roots
As with many areas relating to security, the root of the problem is connected with the degree to which awareness and skills are built into your corporate culture and processes.

"There are a number of root causes to this problem," says Dimitriadis. "Some have to do with data management, others relate to the fact that privacy is not embedded in digital transformation projects and the pace of the technology updates is faster than privacy implementation.

“Other problems can stem from the organisational structure and whether the Data Protection Officer (if they even have one) has the right authority in the company. But, most importantly, it's about people skills."

You need to have the right processes in place – and people with the right skills to support them. Get that right, and you could see real business benefits.

Dimitriadis concludes: "It is about speaking the business language and interfacing with business management in a way that will let investments in privacy occur, where the business benefits are explained in a way beyond compliance and towards customer trust, in a financially sustainable way."

TEXT BY: STEVE MANSFIELD-DEVINE