Preview: Cylynt data protection officer Lanre Oluwatona will be speaking at the Cylynt Software Anti-Piracy and License Compliance Summit on the topic of "Data Privacy and Your Rights." In this blog he discusses issues companies have when implementing a data privacy and protection strategy and shares his experiences guiding Cylynt itself through the process.
Data Privacy and Protection
As data breaches become more and more common, data privacy and protection of personal information is becoming a global issue. As a world leader in software anti-piracy and license compliance, we at Cylynt take responsibility for leading the way in ensuring the protection of our own customers’ data, as well as providing reliable measures for our customers to protect the data they are gathering.
In pursuit of providing the highest standard of customer service and an example for compliance with the European General Data Protection Regulation (GDPR) and the upcoming California Consumer Protection Act (CCPA), Cylynt has appointed Lanre Oluwatona as our data protection officer (DPO) to implement a compliance readiness program. Lanre has over 25 years of experience in information technology compliance, change, and project management and has worked with companies such as HP, Dell, the Irish Cancer Society, and the Irish Computer Society. In this blog he discusses the need for organizations to put in place a data breach plan.
The Pain of Preparing for Data Privacy Regulation Compliance
During the run up to the implementation of a GDPR initiative for one organization in Dublin, Ireland 2018, I was invited to carry out a preparedness audit of the company with the objective of assessing the organization's level of preparedness for GDPR. I had the privilege of meeting with the chief executive who, unfortunately, was not particularly enthused about data privacy. To him, implementing GDPR was an onerous and unwarranted necessity he could do without.
As I was ushered into his tastefully furnished and palatial office, I entertained the thought of being thrown out if I made a comment he didn't agree with, but thankfully, that didn't happen. However, he did see our meeting as an opportunity to voice his displeasure at the effort it took to implement a data protection program in his organization, which by the way, is a successful monopoly. After listening patiently to his diatribe for about ten minutes, I asked him, “Sir, can you quantify reputational damage both monetarily and in terms of lost value in the face of a data breach?” Not knowing how to respond, after a long pause, he said, “I haven’t thought of it that way. You have given me food for thought.”
When Data Protection Goes Wrong, It Can Go Horribly Wrong
This story is typical of organizations who are less prepared for the implementation of a compliance initiative, especially in situations where the law deems it necessary. It is at times difficult to put the blame on leadership because compliance can be perceived as less important in the face of more pressing needs. Management resistance to change will always leave such organizations exposed to compliance challenges and possible data breach incidents. In my time as a privacy enthusiast, I have come to realize that not all issues are data protection related until something goes wrong. Data protection, when it goes wrong, can at times go horribly wrong, and it has a knack for pushing everything else out of relevance, thus dominating the center stage.
Data Breaches: It’s Not a Question of If but When
The CCPA imposes specific obligations on certain categories of organizations to guarantee strong protection for individuals regarding the processing of personal data obtained from individuals, whether online or offline. Some of the requirements, though prescriptive, mirror requirements of the European GDPR. Organizations that process personally identifiable information (PII), like it or not, cannot ignore these requirements. Notable among the provisions is the notification obligation in the event of a data breach. Given the endless data breach incidents that have made the headlines in recent times, I’d be insulting readers’ intelligence if, as I sit behind my keyboard, I attempt to define what a data breach is or isn’t, so I won’t go there.
One thing is certain—data breaches happen every day (for instance, U.S. Customs and Border Protection, American Medical Collection Agency, First American, and Capital One have all been victims in 2019) and are now a dominant topic of discussion. In certain respects, the prospect of a data breach is a source of angst for customers and management alike. It is interesting to note that even the best of organizations can fall victim to a personal data breach and no organization can claim immunity from such. As the saying goes, it’s not a question of if, but when.
Is Your Organization Equipped for a Data Breach?
What would you do if you suddenly found your organization in a data breach situation? Are you well equipped to respond effectively to a data breach occurrence in line with regulatory requirements?
Cylynt provides a good case study, as implementing a privacy program in readiness for GDPR at the Dublin office served as a preparatory ground for the adoption and implementation of regulatory provisions under CCPA for the Los Angeles headquarters. It also provided a platform where we gained insight into our data processing activities, thereby enabling us to effect corrective action where needed. Based on experience, it’s easier the second time around to adopt regulatory requirements facilitated and cultivated by a risk-based approach in the management of data breaches. Implementing a data protection compliance readiness program for Cylynt quickly uncovered the following points:
Data privacy and the protection of personal data is a cultural issue and not IT related
Data breach management is a strategic and not IT based
Data breach management is everybody’s responsibility, not just management’s
The power of data (including personal data) and its value as an organizational asset can neither be ignored nor over emphasized
Privacy by design and data protection is central to SmartFlow’s ethos and value proposition
Unequivocal and unwavering stakeholder buy-in from the highest level of management to the front line is a critical success factor
Organizational accountability and compliance are strategic, tactical, and operational in nature. Everyone is accountable.
Ignorance of the law is no excuse
It is profitable to be proactive rather than reactive
Proactive and ongoing training for all, without exception, is key to maintaining and sustaining data breach awareness as a risk mitigation tool
Here at Cylynt, we value our customers and recognize the need to protect and guarantee that their fundamental rights and freedoms are not threatened in any way. As a result, effective measures have been proactively put in place, both technically and organizationally, to first, mitigate the likelihood of a data breach incident, and second, effectively respond to a data breach in the event of one. Remember, it’s not the 98% that you catch but the 2% that you miss.
CCPA Is Coming
With just under 16 weeks to go before the CCPA takes effect, not all organizations will be ready when it takes effect on January 1, 2020. Not having the right data breach response measures in place will most definitely have its consequences for such organizations. The effect of a data breach incident, if not adequately mitigated, can have an untold impact on an organization’s reputation, goals, and operations, as well as its bottom line. A single data breach instance can leave such an organization exposed to fines, sanctions, and both individual and class action lawsuits. As the saying goes, “a data breach doesn’t just happen, it’s planned for.”
Join us at the Cylynt Software Piracy and License Compliance Summit to learn more about how to implement an effective data privacy and security program at your company from Lanre Oluwatona and a host of business leaders and cybersecurity and legal experts.