2017 is over, and it was certainly a year in which data breaches were front and centre for organizations and the public alike. There is renewed interest in what personal data protection should entail, and in many cases organizations are not there yet. This interest stems from a clear concern among consumers about how their data is being managed and protected. It has also become a top priority for regulators, as the implementation of GDPR in Europe attests.
So what can we expect in 2018? In my opinion, more of the same… but on steroids. Cybersecurity, privacy and personal data protection will become buzzwords across industries, with all the focus and scrutiny that entails.
These are some of the developments I see shaping 2018 in the realm of privacy management and IT security.
Cyberattacks will continue, because they work: attackers keep achieving the objectives they set out to achieve. This study from Carbon Black is quite fascinating. The emergence of a ransomware economy is something that everyone hears about, but I don't think the implications are fully understood yet.
According to that study, from 2016 to 2017 the dark web market for ransomware grew 2,500%, from $250K to $6.25MM, and ransom payments totalled about $1B in 2016, up from $24MM in 2015.
These figures lead me to believe that ransomware attacks will continue throughout 2018 and beyond. Organizations need to be aware of the impact on their bottom line, their reputation and their relationships with customers. There are clear financial, reputational and legal consequences of not paying attention to it.
Without a clear data protection and privacy management strategy in place, businesses are facing big risks. That strategy must define training requirements so that employees can recognize the phishing emails and malicious attachments that typically deliver ransomware, and it must establish a specific attack response plan: who isolates affected systems, how restoration from tested, offline backups proceeds, and who decides on notification. Without it, it will be very difficult for these companies to be proactive instead of reactive. Businesses need to be very clear in advance about how to minimize the risk of a ransomware attack and, if one does take place, how to respond to it with minimum repercussions.
GDPR – an invigorated focus on personal data protection
It seems that GDPR is a term that is finally starting to trend, and yet some people and businesses are still not aware of what it entails.
Perhaps this is because the new regulation comes from Europe, but in this global and interconnected world GDPR has far-reaching implications. Even businesses that are not physically established in the EU will have to comply with the regulation if they offer products or services to individuals in the EU or monitor those individuals' online behaviour.
This means that the way companies manage personal data and approach data protection may have to change and improve to meet the more stringent requirements of GDPR.
Under GDPR, the rights of individuals (data subjects) are front and centre. For example, a Subject Access Request (SAR) will have to be answered within one month (extendable by a further two months for complex or numerous requests, provided the individual is told why within the first month), and businesses cannot charge a fee to satisfy requests regarding personal data unless the request is manifestly unfounded or excessive.
This example shows that companies will have to do some work beforehand to be ready: know where personal data is stored, including in backups and third-party systems; have a process to locate, extract and deliver it within the deadline; and review their data collection and retention policies, among other things.
I encourage all organizations to determine whether they have any responsibilities under GDPR and, if so, to work towards compliance. The regulation applies from May 25, 2018, so time is of the essence.
PIPEDA mandatory breach notification
Another major development in the privacy management world is the requirement in Canada to notify affected individuals and the Office of the Privacy Commissioner when a breach of security safeguards poses a real risk of significant harm to individuals.
The new requirement is expected to come into effect this year, and organizations that must comply with PIPEDA will need a clear data breach incident response protocol that sets out who needs to be notified, by whom, within what timelines and with what details, and that keeps a record of every breach, not only those that reach the notification threshold.
As with GDPR, organizations will need to review their policies, processes and protocols to ensure they are ready to comply.
Data protection and privacy management are no longer optional
Whether driven by cyberattacks, regulators or consumers themselves, data protection and privacy have taken centre stage in the collective consciousness. They are no longer optional but serious requirements that can equally elevate or harm companies.
Consumers and organizations need to remember that information is power, and personal information even more so. The moral of this story: with great power comes great responsibility.