Data privacy continues to make headlines and to be a concern for many organizations. Breaches at Equifax, Yahoo, and eBay, among others, leave consumers and customers alike wondering whether their personal information is well protected. Some facts [1]: the average total cost of a data breach is $3.62 million, the global average cost per record is $141, the average data breach size is 24,089 records, and the odds of experiencing a data breach are as high as 1 in 4.
Concerns over the confidentiality of data have led regulators to respond in earnest, and global legislation and litigation continue. Examples include the General Data Protection Regulation (GDPR) in the EU, the Information Privacy Act in Australia, the Act on the Protection of Personal Information in Japan, the Data Protection Law in the UAE, and the Health Insurance Portability and Accountability Act (HIPAA) in the US.
How are companies currently getting organized?
Organizations haven't sat idly by. Regardless of whether an organization has experienced a cyber-attack, and whether that attack was made public, company constituents (e.g., the Board, regulators, audit) are seeking confidence that company and customer data is safe. Efforts to manage the threats surrounding data aren't purely an IT responsibility, even though much of the focus has been directed at the proliferation of cyber-attacks. Potentially sensitive data exists in a myriad of places - employees' minds, written documentation, systems, applications, and with third parties. Given how widely dispersed data is, risk management must be diligent on many fronts.
A cooperative GRC response
The BWise Governance, Risk, and Compliance (GRC) software solution enables an organization to manage its data privacy concerns from both a functional (e.g., information security, compliance, operations) and an organizational perspective. Functionally, the GRC software offers the principles and activities necessary to understand, assess, and mitigate data privacy exposures. Moreover, it incorporates globally accepted frameworks, like NIST for information technology, that provide IT and InfoSec teams the tools they need to manage data privacy risk well. Additionally, functions like compliance can translate legislation into business activities to ensure conformance with applicable laws. Internal controls can be evaluated for their effectiveness by risk management and audit to ensure that, as data is prioritized, it is managed within the organization's appetite and tolerance levels.
Organizationally, a GRC software solution like BWise Information Security can support the governance structure and reporting mechanisms necessary to opine on data privacy risks. This includes defining and maintaining a set of policies and procedures that state the expectations necessary to manage data privacy. The software is also malleable enough to allow end users to create configurable (vs. customizable) screens, portlets, and reports that are relevant to the individual's role or that produce information for various stakeholders.
23.1% of the 39 CFOs see cyber-attacks as the number one external risk to their company [2]
Efforts by organizations to keep data private are not likely to abate, and the topic will continue to garner executive attention. For example, according to a recent study by CNBC, 23.1% of the 39 CFOs surveyed see cyber-attacks as the number one external risk to their company. Regardless of an organization's response, whether that be the use of encryption, employee training, or participation in threat sharing, the GRC software offers the possibility to substantiate the control environment and provide evidence of sustainable risk management practices.
How is your organization managing data privacy? Do your board, executive team, and regulators have confidence that the risk is being adequately addressed across your value chain? Go to BWise.com or contact us to learn more about how Nasdaq can help your organization gain insight into this ever-evolving risk topic.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.