March 2022 E-Newsletter

Implementing Data Privacy Regulation: Challenges and Recommendation


WRITTEN BY

Abunsango, Oluseye CISA, CIA, FCCA.

Head, Internal Audit, Leadway Assurance Co. Ltd.

March 2022


Introduction

Over the past few decades of information technology advancement, much emphasis has been placed on the physical and logical security of information systems, but with little focus on the protection of users’ data. However, with data becoming the new gold, increasing attacks on users’ data, and the fear of regulatory sanctions, individuals and governments are becoming more aware of the need for data privacy regulation and compliance.  

Several such regulations have been published, including the General Data Protection Regulation (GDPR) in Europe and China's Personal Information Protection Law (PIPL). Africa is not left out. At the 2014 Malabo Conference on Cybersecurity and Personal Data Protection, the African Union member countries showed interest in developing a common framework to guide data privacy across the continent. Although much may not have been accomplished at the continental level, individual member countries such as Nigeria, Egypt, Kenya, Togo and Uganda have enacted data privacy regulations (Daigle, 2021).


Why Implement?

Data breaches account for a large portion of cyber incidents globally. Major companies such as Microsoft, Twitter, Facebook and Instagram have experienced some form of data breach in the past 18 months. In fact, in the first half of 2021 alone, about 1,767 breaches affecting a total of 18.8 billion records were reported (Risk Based Security, 2021).

Every breach comes with consequences for both the data subject and the organization. From a business point of view, these consequences may include financial loss (investigation of the breach, regulatory sanctions, compensation of customers, legal fees), reputational damage, legal action, customer dissatisfaction, etc. Thus, ensuring adequate data privacy and protection through the implementation of applicable regulations such as the NDPR (Nigeria Data Protection Regulation) and GDPR has become a business priority.

As an information security professional, what challenges could you or your organization face in implementing a data privacy regulation, and what are the likely solutions? The remainder of this article answers that question.


Challenges and Recommendations

Challenge 1: Where to start from, and who should own the implementation?

The first few questions that will crop up are “where do we start from?” and “who should take ownership?” I can remember that when my organization was about to implement the NDPR, these were the exact questions raised by the CEO.

Recommendations

In addressing these questions, my organization held key stakeholder meetings, mainly for top management, to discuss and brainstorm on the requirements. This activity ensured management buy-in and involvement right from the beginning. Consider a similar approach.

An external consultant could be engaged to carry out a gap assessment if the skill is not available in-house.

Other key activities at the initiation stage include:

  1. Assess in-house competencies and resources as part of the gap assessment.
  2. Prepare a data inventory documenting all data processed by the organization, the purpose and legal basis for its collection, the source of the data, the channel(s) of collection, and who it is disclosed to, amongst other things. This will help when the business is required to produce its Record of Processing Activities (ROPA).
  3. Draft an implementation plan showing the parties involved per the RACI (Responsible, Accountable, Consulted, and Informed) matrix.
  4. Fill the key role, the Data Protection Officer (DPO). Companies should consider deploying employees who hold certifications such as Certified Data Protection Solution Engineer (CDPSE), who have experience implementing standards such as those of the International Organization for Standardization (ISO) or the Payment Card Industry Data Security Standard (PCI-DSS), or who have a legal background, as they are more experienced in interpreting laws, standards and regulations.

[Figure] Fig. 1: Data protection considerations

Challenge 2: The cost of implementation

The implementation of a data privacy regulation is by no means an inexpensive endeavour. From planning, engaging a consultant, training, re-designing systems with the required automated controls, redesigning forms (system and manual), and updating disclosures on your website, to auditing by Data Protection Compliance Organisations (DPCOs), to name just a few, significant costs are involved, and some SMEs may be unable to accommodate such costs in a year’s budget. The following recommendations may help reduce the cost of compliance.

Recommendations

  1. Use internal resources as much as possible. It will be cheaper to use your own staff to prepare the data inventory than to employ a consultant to do so.
  2. Use internal software developers, where possible, to update your applications and websites.
  3. Some organizations have a Learning and Development department as well as online portals used for staff training. These resources can be used to satisfy NDPR or GDPR training requirements for staff and other stakeholders.

Challenge 3: How do we institutionalize data privacy?

As daunting as the implementation can be, it is not as difficult as ensuring that data privacy and protection become the norm in an organization. How do we ensure that the policies and other documentation do not become artifacts gathering dust on the shelves? This is the purpose of privacy by design (Serres, 2019). In addition, there is a need for cultural change. How do we promote a culture that cares for individuals’ privacy?

Recommendations

  1. Management must demonstrate leadership and make data privacy a priority.
  2. Conduct regular training and awareness sessions.
  3. Use stickers, wallpapers and screen savers to keep staff members conscious of their responsibilities and of the implications of failing to meet them.
  4. Perform continuous internal audits of the organization’s and vendors’ facilities.
  5. Engage customers and vendors through sales forms, recorded phone calls, social media chats, SLAs, etc. Educate these parties and emphasize the benefits of compliance.

Conclusion

This article has highlighted three (3) of the challenges that businesses experience in implementing data privacy and protection regulations. The list is not exhaustive, however.

Whether you have already implemented a data privacy regulation or are in the process of doing so, you will no doubt have experienced, or be experiencing, the challenges highlighted. It is hoped that the recommendations made in this article will help you to make a success of your implementation, improve business trust and credibility, and save you and your organization from the potential headaches of a data breach incident.


References

AU. (2020, May 18). The Digital Transformation Strategy for Africa (2020-2030). Retrieved from African Union: https://au.int/en/documents/20200518/digital-transformation-strategy-africa-2020-2030

Boehm, F. (2015). A comparison between US and EU data protection legislation for law enforcement purposes. Retrieved from European Parliament: https://www.europarl.europa.eu/RegData/etudes/STUD/2015/536459/IPOL_STU(2015)536459_EN.pdf

Verizon Business. (2021). 2021 Data Breach Investigations Report. Retrieved from Verizon: https://www.verizon.com/business/resources/reports/dbir/

Daigle, B. (2021, February). Data Protection Laws in Africa: A Pan-African Survey and Noted Trends. Retrieved from United States International Trade Commission: https://www.usitc.gov/publications/332/journals/jice_africa_data_protection_laws.pdf

Hill, M., & Swinhoe, D. (2021, July 16). The 15 biggest data breaches of the 21st century. Retrieved from CSO Online: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

Risk Based Security. (2021). 2021 Mid Year Report - Data Breach QuickView. Richmond: Risk Based Security. Retrieved from https://pages.riskbasedsecurity.com/hubfs/Reports/2021/2021 Mid Year Data Breach QuickView Report.pdf

Serres, R. (2019, March 1). The Two Key Challenges of GDPR Adoption. Retrieved from ISACA: https://www.isaca.org/resources/isaca-journal/issues/2019/volume-2/the-two-key-challenges-of-gdpr-adoption

Strawbridge, G. (2020, February 25). 5 Damaging Consequences Of A Data Breach. Retrieved from MetaCompliance: https://www.metacompliance.com/blog/5-damaging-consequences-of-a-data-breach/