Introduction
Over the past few decades of information technology advancement, much emphasis has been placed on the physical and logical security of information systems, with comparatively little attention paid to the protection of users' data. However, with data becoming the new gold, attacks on users' data increasing, and the fear of regulatory sanctions growing, individuals and governments are becoming more aware of the need for data privacy regulation and compliance.
Several regulations have been published, such as the General Data Protection Regulation (GDPR) in Europe and the Personal Information Protection Law (PIPL) in China. Africa is not left out. With the 2014 Malabo Convention (the African Union Convention on Cyber Security and Personal Data Protection), the African Union member states signalled their interest in a common framework to guide data privacy across the continent. Although much may not have been accomplished at the continental level, at the individual member level countries like Nigeria, Egypt, Kenya, Togo and Uganda have enacted data privacy regulations (Daigle, 2021).
Why Implement?
Data breaches account for a large portion of cyber incidents globally. Major companies such as Microsoft, Twitter, Facebook and Instagram have experienced some form of data breach in the past 18 months. In the first half of 2021 alone, about 1,767 breaches affecting a total of 18.8 billion records were reported (Risk Based Security, 2021).
Every breach comes with consequences for both the data subject and the organization. From a business point of view, these may include financial loss (investigation of the breach, regulatory sanctions, compensation of customers, legal fees), reputational damage, legal action, customer dissatisfaction and so on. Ensuring adequate data privacy and protection by implementing the applicable regulations, such as the Nigeria Data Protection Regulation (NDPR) and the GDPR, has therefore become a business priority.
As an information security professional, what challenges could you or your organization face in implementing a data privacy regulation, and what are the likely solutions? The rest of this article answers that question.
Challenges and Recommendations
Challenge 1: Where to start, and who should own the implementation?
The first few questions that will crop up are “where do we start?” and “who should take ownership?” I can remember that when my organization was about to implement the NDPR, these were the exact questions raised by the CEO.
Recommendations
In addressing these questions, my organization organized key stakeholder meetings, mainly for top management, to discuss and brainstorm on the requirements. This activity ensured management buy-in and involvement right from the beginning. Consider a similar approach.
An external consultant could be engaged to carry out a Gap Assessment if the skill is not available in-house.
Other key activities at the initiation stage include:
- Assess in-house competencies and resources as part of the gap assessment.
- Prepare a data inventory documenting all personal data processed by the organization: the purpose of and legal basis for collection, the source of the data, the channel(s) of collection, and who it is disclosed to, among other things. This will help when the business is required to produce its Record of Processing Activities (ROPA).
- Draft an implementation plan assigning parties per a RACI (Responsible, Accountable, Consulted, Informed) matrix.
- Fill the key role, the Data Protection Officer (DPO). Companies should consider deploying employees who hold privacy certifications such as ISACA's Certified Data Privacy Solutions Engineer (CDPSE), who have experience implementing International Organization for Standardization (ISO) standards or the Payment Card Industry Data Security Standard (PCI DSS), or who have a legal background, as they are more experienced in interpreting laws, standards and regulations.