A certain level of company control is required to protect commercially confidential and sensitive information from falling into the wrong hands. With an average of one-third of shared files available to third parties and personal email accounts, data leak protection policies and procedures are more relevant than ever.
The benefits of protecting your own company files are clear, but it is equally important to protect anything containing other people’s personal information. With fines of up to 4% of revenues or €20 million, whichever amount is greater, it is imperative that companies adopt a 360-degree approach to data protection.
On average, organisations share documents with 826 external domains, including personal email addresses such as Gmail, Yahoo and Hotmail, according to Computer World.
It only takes the actions of one employee to make your organisation non-compliant. Extending and enforcing a compliance policy to every employee in your organisation can be a complex and time-consuming task. This is where compliance automation comes into the picture. But let’s first look at the wider context.
Protecting your assets
Designating someone in your organisation who is responsible for compliance is good practice. This person should be empowered to evaluate and implement data protection policies. In some instances, organisations are required to appoint a Data Protection Officer.
For example, if:
- you process data as a public authority
- you require regular and systematic monitoring of data subjects on a large scale
- you process personal data revealing ethnic origin, political opinions or religious beliefs, or personal data relating to criminal convictions and offences.
A reasonable starting point for safeguarding your company’s data is a risk assessment, also called a Data Protection Impact Assessment. Carrying out a risk assessment allows you to understand your company’s level of data protection and plan accordingly.
Next, a data protection policy has to be developed that addresses the findings of your risk assessment. The security risk is lower if all of your company’s online documents are shared only internally, but measures must still be taken to protect people’s personal data, as stipulated in the General Data Protection Regulation (GDPR).
If documents are shared externally, your data protection policy should detail how shared files are managed. Employees should be able to refer to the company policy for guidelines on external sharing and procedures for unsharing.
With a clear and specific data protection strategy in place, compliance automation tools can be configured to reflect and enforce policies. In compliance automation, user-defined criteria determine when the system triggers notifications and unsharing, ensuring that employees who share documents adhere to company policies.
Web-based solutions such as Tricent combine an easy-to-use interface with advanced compliance controls, allowing employers to apply workflows to individual employees, to departments or at an organisational level. This level of control helps companies safeguard their business interests by controlling unauthorised sharing, monitoring user storage and auditing user activity.
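As an added illustration of the criteria-driven triggers described above (example code written for this article, not Tricent’s software), the following Python sketch evaluates constructed file-sharing records against a per-department policy and returns a notify or unshare action for each share that needs follow-up. The company domain, the personal-email provider list and the sample records are assumptions.

```python
# Added example (not Tricent's code): a minimal policy engine that applies
# user-defined sharing criteria to sharing records and decides whether to
# notify the owner or unshare the file. Domains and records are constructed.
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"                              # assumed corporate domain
PERSONAL_EMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # providers named in the text

@dataclass(frozen=True)
class Share:
    file_id: str
    owner: str
    shared_with: str     # e-mail address of the recipient
    department: str
    contains_pii: bool   # set by classification or owner labelling

def classify_recipient(address: str) -> str:
    """Internal, personal (webmail) or other external recipient."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == COMPANY_DOMAIN:
        return "internal"
    if domain in PERSONAL_EMAIL:
        return "personal"
    return "external"

# User-defined policy: action per department and recipient class.
# "default" applies to any department without its own rule set.
POLICY = {
    "default": {"internal": "allow", "external": "notify", "personal": "unshare"},
    "finance": {"internal": "allow", "external": "unshare", "personal": "unshare"},
}

def decide(share: Share) -> str:
    rules = POLICY.get(share.department, POLICY["default"])
    action = rules[classify_recipient(share.shared_with)]
    # Personal data leaving the company is escalated from notify to unshare.
    if share.contains_pii and action == "notify":
        action = "unshare"
    return action

def evaluate(shares) -> dict:
    """Map file_id -> action for every share that needs follow-up."""
    actions = ((s.file_id, decide(s)) for s in shares)
    return {file_id: act for file_id, act in actions if act != "allow"}

SAMPLE_SHARES = [  # constructed sample data
    Share("doc-1", "alice@example.com", "bob@example.com", "marketing", False),
    Share("doc-2", "alice@example.com", "partner@vendor.example", "marketing", False),
    Share("doc-3", "carol@example.com", "carol.private@gmail.com", "marketing", False),
    Share("doc-4", "dave@example.com", "auditor@vendor.example", "finance", False),
    Share("doc-5", "erin@example.com", "hr-contact@vendor.example", "hr", True),
]
```

Calling `evaluate(SAMPLE_SHARES)` leaves the internal share alone, flags the vendor share in marketing for notification, and marks the personal-email, finance and PII shares for unsharing.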
Having the appropriate infrastructure in place to deal with data protection is key for companies of all sizes. In a study, IBM found that investment in privacy resulted in a high return on investment.
Organisations without security automation experienced data breach costs that were 95% higher than breaches at organisations with full security automation.
Based on statements from the European Commission, it is evident that data protection regulation will continue to expand and toughen. Speaking at the IAPP Data Protection Congress in Brussels, November 2019, Executive Vice President of the European Commission Margrethe Vestager underlined the European Commission’s determination to ensure that shared data is compliant with data protection rules. ‘To tackle the challenges of a data-driven economy, we need both competition and privacy regulation, and we need strong enforcement in both’, the commissioner said.
As compliance requirements continue to grow with government legislation and industry regulation, companies will be required to keep up and will be held accountable by data protection authorities if they fail to comply. Appointing someone in your company who is responsible for compliance is imperative to stay up to date with the latest in the world of privacy protection.
Your appointed compliance representative will be able to develop and update your organisation’s data protection strategy, including the implementation of compliance automation that can assist employees in managing their shared documents and minimise the risk of a security breach.