As the first big fines start hitting businesses, data privacy and compliance legislation are back at the top of the board agenda. Here’s how you can be prepared and why a GRC strategy is the secret to sustainable compliance.
With GDPR a little over 12 months old, British Airways (BA) has become the first public recipient of a fine from the Information Commissioner's Office (ICO) under the new legislation. The fine, a record £183m ($229m), equates to 1.5% of BA's annual turnover and comes after BA admitted that customer data had been stolen by hackers who diverted more than 500,000 people to a fraudulent website in 2018.
Given GDPR’s recent first anniversary, and the very public fine, do organizations and GCs understand the legislation or do many still have their heads in the sand? While the furor and panic may have died down, the messaging coming from the ICO in the UK, and the equivalent organizations across Europe, is for businesses not to lose focus on securing their data.
According to the ICO, year two of GDPR must be about more than just minimal compliance. “Organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated. Well-supported and resourced DPOs are central to effective accountability.”
While companies in the US that have international offices may have taken GDPR seriously, others believe they are safe from such stringent legislation. They would be wrong. It is true that GDPR has come under fire for being too harsh and for hampering growth and investment, but according to the ICO it has already helped to prevent security breaches and data leaks. The ICO has received over 40,000 data protection complaints and 14,000 personal data breach reports since 2018. The ICO says GDPR has encouraged companies to upgrade and organize their processes and to understand more about the personal information they are processing, all of which has a positive outcome for consumers.
These outcomes are just some of the reasons why other countries are now following suit. In the US, the California Consumer Privacy Act (CCPA) will undertake a similar role to GDPR and comes into force in 2020. In South Africa, the Protection of Personal Information (POPI) law replicates this legislation and comes into force later this year. The list goes on. Countries and regions around the world are waking up to the power and dangers of data.
Fundamentally, the Protection of Personal Information (PPI) has taken the world by storm, and businesses that thought they could ignore it because it wasn't relevant to them will now face their own compliance challenges.
For organizations that didn't prepare under GDPR, there is still time. One of the biggest challenges is that, for many multinational or multi-jurisdictional organizations, different legislation applies in different regions, so being compliant across all of them takes time and investment. Not only that, but some laws refer to protecting both natural and juristic persons: a natural person is an individual, and a juristic person is an entity such as a company. To understand such complexities and ensure compliance across the board, a Governance, Risk Management and Compliance (GRC) strategy can help.
GRC helps to identify the first steps of a rounded approach in achieving compliance with relevant PPI legislation. GRC comprises three related disciplines that ensure that organizations achieve objectives reliably, address uncertainty, and act with integrity when it comes to personal data and information:
- Governance is the combination of processes established and administered by the executive that are reflected in the organization's structure and in how it achieves its targets.
- Risk management is foreseeing and mitigating risks that could prevent the organization from reliably achieving its objectives under uncertainty.
- Compliance refers to adhering to both mandated boundaries (laws and regulations) and voluntary boundaries (a company's policies, procedures, etc.).
By having an effective GRC strategy, companies can achieve what the ICO, and no doubt other legislative bodies, will ask for: compliance is not a one-off. It must be a sustainable and ongoing strategy that can be monitored and is consistent in its approach. This is exactly why a GRC strategy should sit at the heart of all compliance projects. GRC ensures an organization's compliance strategy evolves with the law, providing a framework from which legal teams can operate methodically. Implementing a GRC strategy requires four elements:
- Learning – examine and analyze context, culture, and stakeholders to learn what the organization needs to know to define and support objectives and strategies.
- Aligning – align performance, risk and compliance objectives, strategies, decision-making criteria, actions and controls with the context, culture and stakeholder requirements.
- Performing – address threats, opportunities, and requirements by encouraging desired conduct and events and preventing what is undesired, through the application of proactive, detective, and responsive actions and controls.
- Reviewing – monitor and improve design and operating effectiveness of all actions and controls, including their continued alignment with objectives and strategies.
By integrating these four elements, organizations gain an overview that lets them incorporate the respective PPI laws and regulations from across the world effectively. But, as we mentioned with GDPR, compliance is about more than a one-off investment or tick-box exercise.
Readying your business for data privacy laws, especially by using a GRC strategy, can herald other business benefits. Digitizing all of your contracts, for example, will give you a treasure trove of usable data that can help your business grow. By collating and curating your contract data you can use analytics to discover building occupancy rates that you could use to lower your real estate costs, locate unacceptable vendor auto-renew terms and even find areas of revenue leakage.
The operational benefits of a GRC strategy can also drive bottom-line benefits. The basis for the strategy lies in having productive and effective processes, which helps to reduce duplication of activity and resources. It establishes a more efficient way of accessing, processing and storing information and reduces access time, allowing employees to achieve more in their day-to-day roles. A GRC strategy also improves the quality of the information that is available, which can then be used as a basis for better business decisions.
Compliance is only going to get more stringent and more complex. As an increasing number of countries implement new legislation, and as the existing laws morph to become more effective at protecting personal data from businesses, it’s no longer worth simply achieving minimal compliance. Now is the time to seize the opportunity and establish best practice through a GRC strategy that means your organization takes compliance in its stride while maximizing the other business benefits that GRC delivers.