Madan Mohan, Director – Technology Risk Advisory, MBG Corporate Services on the growing need of organizations to integrate privacy laws and regulations into their structures
In our daily life in this digital world, we often value convenience more than the security of our data. However, the threat to our personal data, which increasingly accompanies or even determines many of our important personal decisions, such as obtaining a loan or purchasing an insurance policy, is immense. The risks range from spam emails to the more serious problem of identity theft and other variations of organized cybercrime. Therefore, trust – the confidence that an individual can leave their data with a second party without the latter sharing it with third parties – is too important a factor to be left unregulated. And that’s where data protection and privacy laws come in.
Today, businesses face increasing pressure from regulators and the market to improve the way they collect, use, store and delete personal information, and how they manage data privacy. The frequent high-profile data breaches by some of the world’s largest companies in recent years have led to an increasing focus on privacy rights, leading to increasingly stringent data protection enforcement.
Data privacy is a combination of legal, compliance, technology and cybersecurity elements; cybersecurity being perhaps the most important, not only to protect data against external and internal threats, but also to determine how digitally stored data can be shared and with whom.
Recent data from Risk Based Security, a research firm, revealed that the number of records exposed in data breaches increased to 36 billion in 2020. There were 2,935 publicly reported breaches in the first three quarters of 2020, making it the ‘worst year on record’.
What is the data privacy law?
Data privacy laws protect the privacy of individuals by granting them proprietary rights over their personal data. According to UN statistics, 128 out of 194 countries have laws in place to ensure the confidentiality of personal data. Africa and Asia have a similar level of adoption with 55% of countries having adopted such legislation, of which 23 are least developed countries. Of these regulations, the European Union’s GDPR (General Data Protection Regulation), which requires businesses to protect the personal data and privacy of EU citizens, is perhaps the best known. Many other data protection regulations have been inspired and modeled on the GDPR, making it easier to interpret.
Data privacy laws deal with the control process regarding the sharing of data with third parties, how and where this data is stored and the specific regulations that apply to these processes.
Recently, the “Personal Information Protection Law 2021” in China and the “Data Protection Law 2021” in the United Arab Emirates were enacted, further strengthening the security of personal data and each country’s prospects for international trade and commerce.
Why is this important?
One of the main reasons businesses comply with data privacy regulations is to avoid fines and penalties. However, it goes way beyond that. You need to take data privacy seriously in this age of citizen-consumer activism and awareness with powerful considerations like ethics, corporate governance and brand value. Compliance does the following:
- Strengthens the perception of the company’s brand as an ethical and socially responsible company
- Improves the security structure of the organization
- Gives organizations better control over data that protects the rights of their consumers
Naresh Manchanda, CEO – Risk, Technology and Foreign Enterprise Group, MBG Corporate Services said: “Data, its governance and protection are essential to the sustainable growth of any organization. Entities should consider full governance and protection by design. They should assess multidimensional risks at regular intervals and continually improve their data privacy framework. Companies must work together in a public-private partnership in spirit and in letter. Therefore, governments and organizations as well as individuals must also be aware and vigilant about the use and protection of their data and remain vigilant in case of breach or misuse.”
Regulatory compliance begins with an understanding of the organization, its objectives, risks and opportunities.
Multiple data protection laws: Since laws exist in most countries and regions, businesses should consider not only local laws but also other applicable laws around the world. For example, the GDPR seeks to protect the personal data of EU citizens not only within the EU but also outside it. Likewise, the Abu Dhabi Global Market Data Protection Law and the DIFC Data Protection Law are not limited to processing within ADGM and DIFC respectively, but also apply to data that leaves these geographic areas and jurisdictions. The UAE has also enacted the Data Protection Law, which will apply to everyone.
Documentation: Organizations should prepare data protection policies and procedures. Response plans for incident management and records of processing activities provide control over the management of personal data. This documentation, together with an effective content management system, can help the organization comply with data protection law.
Awareness: Organizations should organize training programs and other awareness programs for all employees. Every employee must understand the importance of “secure” management of personal and organizational data. And every employee should feel responsible.
Sensitive / special category personal data: Data of a more sensitive nature or data whose exposure could put an individual at risk is considered sensitive personal data. It requires special attention. Companies must assess the purpose of collecting this information and analyze the level of security in the processing of this personal data.
Platforms for exercising privacy rights: All data privacy regulations give data subjects rights over their personal data, such as the right of access, the right to erasure and the right to rectification. The organization must be clear on how it protects the data of its customers / consumers. It should provide convenient platforms through which data subjects can submit their requests and have their questions answered.
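The three elements above (records of processing activities, special-category data, and the access / rectification / erasure rights) come together in the back end of any rights-request platform. The following is an added illustration, not code from the article or from MBG Corporate Services: a small in-memory registry that refuses to store a special-category field unless a processing record explicitly covers it, answers access requests with the data and the purposes it is processed for, and applies rectification and erasure while writing an audit trail that records actions and field names but never the personal data values. The field names, the sensitive-field list, the sample subject and the class and function names are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ProcessingRecord:
    """One entry of the record of processing activities (assumed minimal shape)."""
    purpose: str
    lawful_basis: str
    retention_days: int
    fields: List[str]
    sensitive: bool = False  # True when the record covers special-category data


@dataclass
class SubjectRecord:
    data: Dict[str, str]
    processing: List[ProcessingRecord] = field(default_factory=list)


class PrivacyRegistry:
    # Constructed list of special-category fields; a real deployment would
    # derive this from its own data classification scheme.
    SENSITIVE_FIELDS = {"health_condition", "biometric_id", "religion"}

    def __init__(self) -> None:
        self._subjects: Dict[str, SubjectRecord] = {}
        self.audit_log: List[dict] = []

    def _log(self, action: str, subject_id: str, detail: str = "") -> None:
        # Audit entries name the action and field, never the personal data value,
        # so the log itself does not become another copy of personal data.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "subject_id": subject_id,
            "detail": detail,
        })

    def register(self, subject_id: str, data: Dict[str, str],
                 processing: List[ProcessingRecord]) -> None:
        # Special-category data is only accepted when a processing record
        # marked sensitive names that field (purpose and lawful basis on file).
        covered = {f for p in processing if p.sensitive for f in p.fields}
        for name in data:
            if name in self.SENSITIVE_FIELDS and name not in covered:
                raise ValueError(
                    f"special-category field {name!r} has no sensitive processing record")
        self._subjects[subject_id] = SubjectRecord(dict(data), list(processing))
        self._log("register", subject_id, f"fields={sorted(data)}")

    def access(self, subject_id: str) -> Optional[dict]:
        """Right of access: return a copy of the data plus the purposes it serves."""
        rec = self._subjects.get(subject_id)
        if rec is None:
            return None
        self._log("access", subject_id)
        return {
            "data": dict(rec.data),
            "purposes": [
                {"purpose": p.purpose, "lawful_basis": p.lawful_basis,
                 "retention_days": p.retention_days, "fields": list(p.fields)}
                for p in rec.processing
            ],
        }

    def rectify(self, subject_id: str, field_name: str, new_value: str) -> bool:
        """Right to rectification: update one existing field."""
        rec = self._subjects.get(subject_id)
        if rec is None or field_name not in rec.data:
            return False
        rec.data[field_name] = new_value
        self._log("rectify", subject_id, f"field={field_name}")
        return True

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drop the subject; only the audit entry remains."""
        if subject_id not in self._subjects:
            return False
        del self._subjects[subject_id]
        self._log("erase", subject_id)
        return True


def build_sample_registry() -> PrivacyRegistry:
    """Constructed sample: one insurance applicant with a health field."""
    reg = PrivacyRegistry()
    reg.register(
        "subj-001",
        {"name": "Alice Example", "email": "alice@example.com",
         "health_condition": "asthma"},
        [
            ProcessingRecord("policy underwriting", "contract", 365 * 7,
                             ["name", "email"]),
            ProcessingRecord("medical risk assessment", "explicit consent", 365 * 7,
                             ["health_condition"], sensitive=True),
        ],
    )
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print(registry.access("subj-001"))
    registry.erase("subj-001")
    print(registry.audit_log)
```

The check in `register` is the practical link between the record of processing activities and the sensitive-data assessment: data the organization cannot tie to a documented purpose and lawful basis is rejected at the point of collection rather than discovered later in an audit.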
Data protection impact assessment: When launching new products, processes, or services, organizations should assess the impact of the launch on personal data. This assessment consists of identifying the risks and assessing to what extent they can be controlled. The residual risk after the controls are implemented will help management decide whether to proceed with the launch.
A question of culture
Privacy laws and regulations should be seen as part of organizational culture, not just regulatory compliance. A strong data culture protects businesses and organizations’ reputations by preventing data breaches and cybercrime.