The advent of global data privacy legislation and workplace dislocation brought on by coronavirus have created new privacy dangers for Australian organisations, and will continue to do so post-pandemic.
Organisations of all sizes in Australia and globally had to almost instantaneously move their knowledge workers from the office to their homes – and some will no doubt have cut corners, perhaps unwittingly, around data privacy regulations during the process.
Now that privacy legislation at a global level has finally caught up with digital products and services, and the rapid and massive economic damage of COVID-19 has taken hold, the implications for major brand damage are clear.
The big social media platforms had mostly free rein with respect to their users’ digital privacy from 2005 until 2016, when the European Union’s General Data Protection Regulation (GDPR) was adopted and later enforced in May 2018.
GDPR became the model for many nations’ central data privacy regulations, which often have extraterritorial ramifications for Australian organisations that touch customers in other markets.
The US followed suit, with the GDPR-like California Consumer Privacy Act enacted in June 2018 and enforced from January 2020. New York then proclaimed the Stop Hacks and Improve Electronic Data Security Act (NY SHIELD), which took effect in March 2020 and applies to any medium- to enterprise-sized company – anywhere in the world – with even one New York customer. Under the Act, the New York State attorney general can seek up to US$250,000 for violations.
Australia introduced its own mandatory data breach reporting in early 2018.
The EU GDPR legislation and its derivatives have forced executives of data holding organisations to quickly wake up to the privacy implications of their products and services or face potentially large fines and resulting reputational damage.
If you had asked a company official prior to the Global Financial Crisis where email archiving sat as a priority, it would probably have been at or near the bottom of the list. However, following the GFC, and again now as a result of the health trauma and misery already caused by the coronavirus crisis, compliance professionals are mandating that company officials have access to thorough record sets.
Data breaches and cyberattacks happen – and the risks of poor data handling are amplified in an era of far-reaching privacy legislation and the ongoing pandemic.
What prevents a business from being exposed to ongoing loss of respectability from these incidents is how it prepares and responds.
Organisations can boost their privacy resilience by getting better at the e-discovery practices they already have in place. Data security use cases including GDPR share some similarities with e-discovery, such as being able to swiftly identify content relevant to an individual or transaction.
Exploiting an enterprise archive that can contain, deduplicate, protect and preserve mission-critical data is the foundation of privacy governance efforts.
The next layer is a case review application that can conduct intensive searches, apply legal holds and perform extracts and exports.
Good information governance requires operational consistency. Your people and processes (such as enforcing retention policies) need to be successful over the long run, not just case-by-case.
Plan for data minimisation. Keeping everything forever is a strategy, but not necessarily a good one. Global data privacy laws make organisations question why they retain information, and for what purpose.
The larger the surface area, the greater the risk of a breach and the larger the opportunity for discoverable data during litigation and other governance events.
Organisations should be clear on why they are keeping business data over long periods. “In case I might need it” is not a good enough answer considering the potential financial, reputational and legal risk.
Be systematic with retention policies, make sure they are consistently applied, and choose the right archive technology to enforce them.
Nick Lennon is ANZ Country Manager for cybersecurity and resilience company Mimecast, which takes on cyber disruption globally.