Technological advancement and adoption have been growing at an accelerated rate since the dawn of the 21st century. The convenience and ease of access of going digital is simply too tantalising an offer to pass up in this day and age. To ignore digitalisation is to put yourself and your company in a vulnerable position and risk getting left behind by competitors.
However, digitalisation does not come without risks. Malicious parties are always on the prowl, and they have evolved just as fast as our technology. Without the proper security systems in place, a company’s data is at risk. And it is not just customer data that needs to be protected. Employees put their trust in their employers to ensure that their own personal data does not get stolen. This trust in data security is part of the employee experience, and a breach in this trust could lead to severe consequences.
Kevin Shepherdson, CEO and founder of Straits Interactive, shares some of his insights on the matter. According to Shepherdson, there are two aspects to keeping employee data secure.
Firstly, if the data is in an IT system, companies must ensure that there are adequate security controls in place to protect that data. If the company hires a vendor to process their payroll, for example, companies must ensure that they have conducted due diligence on the vendor to satisfy themselves that their chosen vendor is credible from a data management perspective. Companies also need to sign a proper agreement with their vendor that clearly sets out the vendor’s and the company’s rights and obligations.
Secondly, to the extent that data is in paper files or is printed out from an IT system, companies must make sure that these files and printed documents are kept confidential – not left around on counters or desks, for example – and that print-outs are not left uncollected in printer output trays. If files are kept in locked cabinets, it is important not to leave the keys in the locks, and the place where the keys are kept should not be an open secret.
To reassure their employees that their data remains safe and secure, the company needs to ensure that the security measures it has taken to protect their personal data are communicated to staff, and that the relevant staff implement these security measures diligently. If there are any updates, such as a switch of vendors, companies should notify their employees so that their confidence is retained.
Another frequently asked question regarding data protection is whether companies should hire a Data Protection Officer (DPO). Shepherdson says that in some countries, such as Singapore or the Philippines, all organisations are required to appoint a DPO. However, it might not be compulsory in other nations. Regardless, Shepherdson believes that it is still highly recommended for organisations to appoint an individual or team to be responsible for the organisation’s data protection and to ensure compliance with local data protection laws, especially given how aggressive malicious parties have become today.
Unfortunately, data breaches are far more common than organisations would like. As such, it is a good idea for all organisations to have a data breach management plan in place, regardless of their level of data security.
According to Shepherdson, the data breach management plan should describe the breach response team and the roles its members play, explain what constitutes a breach, set out how to report it internally and externally, and specify how to respond to the situation. Team members should practise through ‘tabletop exercises’ so that they understand their roles. Practising the plan also improves it, particularly where it reveals gaps that were not anticipated. A crisis communication plan should also accompany the data breach management plan.
He also outlined a framework for structuring a data breach management plan – CARE:
Contain – When a data breach occurs, the organisation should contain the situation and prevent any further compromise of personal data. At this stage, other important steps include convening an emergency meeting with the breach response team, isolating the damage by activating the IT forensics team (internal or outsourced), releasing a holding statement to the media and the public, and gathering the facts of the breach.
Assess – With the facts of the breach, the organisation must assess the risks and impact on the affected individuals, organisation, and the crisis communications landscape. There should also be continued efforts to prevent more harm.
Respond – Simultaneously, the organisation must determine whether the data breach is a ‘notifiable’ data breach – that is, whether it must be notified to the local regulator and to affected individuals. This must be done within strict time limits.
Evaluate – After the incident has been handled, the organisation should evaluate the plan and their response and consider the actions that they should take to prevent future breaches. At this stage, the organisation should also refine its data breach response and crisis management plan.