Blog

Data Privacy as an Enabler

Data Privacy had taken the banner headline in 2018 with the implementation of new GDPR last May 2018 and the adoption of Data Privacy Act in Asia specially in the Philippines that penalizes an offender to imprisonment and some penalties. But eventhough GDPR has no imprisonment attached to it the penalty can be up to 20M Euros or 4% of the Profit of the Company violating it.

But most the people or the enterprise see just the penalty but the the law actually acts as an enabler for the enterpise to be more trust-worthy with regards to their data and its integrity. The Data Privacy Act enables us as companies to be trustworthy with our clients and our customers in fact are the owner of the data not us as companies we only process and has limited control to it on a certain period(not infinity).

It also challenges our culture to not be a willing victim to our privacy. I was talking to a CEO of blockchain company and she mentioned that this is all just hype because all our data are already out there in Facebook, Twitter, SnapChat, WeChat, Viber etc… maybe she has a point but as a company we need to know the integrity of data we process may it be employee data, business partner data or customer information. As professionals and leaders of our enterprise we need to challenge ourselves on how we do business and ask the question on why are we collecting this datapoint. We need to include privacy on the projects we embark on and in our operations (BAU). It encourages us to have a risk based approach on doing our business / projects.

I invite you to look at etisphere.com

A portfolio of the world’s most ethical companies consistently outperforms the market during the period analysed by eithsphere both in times of growth and during market decline…

In the end it is not just about compliance its a trust issue. Maybe it may sound ambitious and IT leaders would say that innovation can never be a compliance game and we need to be fast and agile otherwise our competitor will crush us but the law gives us the opportunity to build privacy and security by design on our initiatives. And by doing security and privacy by design we will have that confidence and integrity that the data we process are in fact true and correct and I quote Patricia Aburdene (MegaTrends 2010)…

Transcendent values like trust and integrity literally translate into revenue, profits and prosperity.

Data Privacy Day – BREATHE

We celebrated Data Privacy Day in January 28, 2020! And some sectors are now proposing for an amendment of the special law which we call nowadays as the “Data Privacy Act”.  In 2012 the law was passed thru the efforts of the late Senator Angara and the IRR was published in 2016 and the newly formed commission started its campaign in 2017 and fast forward we are now in 2020.

Some of the suggestions based on the proposal of the good Congressman of Tarlac are stiffer penalties including administrative fines not exceeding to 5M PhP, additional classification of personal information and sensitive personal information on the different sector that is deemed sensitive on that sector, organizational structure of the commission, introduction of personal data on minors, some additional clause on offense by a public officer and the commission can launch conferences in the advancement of the general public etc…

There are good points and not so good points but my suggestion is to let the law breathe first.  The implementation of RA10173 is barely two years old and let the commission flex its muscle before amending the law.  Laws should be universal and the incidentals can be done on circulars that has been done in the past.  

Personally, I think the most pressing matter is the development of the ecosystem, compliance and registration of the 2M companies (NPC has 35k companies registered to date only)  and the education of the current pool of Data Privacy Officers and making the country as a center of excellence on Data Privacy and Protection in the region.

We need to understand that RA10173 is a special law on data that targets personal information and classifying personal data as asset both on civil law and commercial law.

CIVIL LAW because of the  8 rights of our citizen – Right to INFORMED, OBJECT, ACCESS, CORRECT / RECTIFY, BLOCK / REMOVE, DATA PORTABILITY, COMPLAINT and IMDENIFIED.

Commercial Law because we need to understand the basics and DATA is considered as an ASSET and personal information or customer information may it be intangible is one of the most important asset nowadays as the business model of each enterprise changes our classification of asset also changes.

Corporation / Juridical Entities must understand that their organization is dependent on the productivity of four assets: 

  • People
  • Information / Data 
  • Technology 
  • Facilities 

As I mentioned, as we creatively change our business model canvass our strategy changes and our data becomes bigger and bigger.  We have to relate personal information to be an asset because as we collect more the data becomes more valuable and as we collect less it becomes smaller in value. 

No alt text provided for this image

And in order to be resilient in this day we need to realize two things in corporate we need to sustain our asset and protect it 

We have discussed earlier that this law is due to the change in times and due to the actions being done creatively by companies in this age.  We need to understand that this is a special law and it be anchored on the bill or rights in article 3 section 2 which is was also patterned on the fourth amendment on the US constitution.

Below are a series of events on Privacy Law including the Philippine implementation.

No alt text provided for this image

Privacy has been in there for so long and Justice Brandeis in 1928 case mentioned:

“The right to be let alone is the most comprehensive of rights and the right most valued by civilized men”

*We can discuss the 1928 case but it will take a day of discussion…

As I mentioned law must be universal and implementation must be inputted inside the implementing rules and regulation or either as circulars and consultation can be done on giving advisories.

Data Breach is a story of OLD (Three Little Pigs and the BIG BAD WOLF)

The Data Privacy Act and the GDPR of EU was born due to monetization of data by companies. Time Magazine has dubbed data as the new OIL so the law is mandating us to protect the rights of our consumers.  

But the data breaches is a story of OLD. We can compare the attackers as the BIG BAD WOLF that will blow our house down. And we as the three little pigs. The story goes like this…. one takeslittle time in building the home out of straw and spends the rest of his time playing and relaxing. A second pig builds a home out of sticks, which takes slightly longer, but he too values relaxation time. A third pig chooses to build a home out of bricks, which requires a great deal of time and effort. He values taking the time to build a home properly over relaxation and recreation. When the Big Bad Wolf comes to the homes, only the third pig’s house of bricks stands up to the pressure applied by the wolf.

Moral of the story… hard work and dedication pays off. Companies nowadays are not like companies in the 1980s we need to adapt or else we will die and building our roadmap to protect the personal information of our stakeholders is vital to our survival because as the former deputy commissioner of the National Privacy Commission has said “Privacy is now a proxy of TRUST if I don’t TRUST you I will not do business with you and on the other hand if I TRUST you I will do business with you”. We need to up our skill in privacy and security since these are intangible assets of the enterprise and respect the rights of our stakeholders.

No alt text provided for this image

Our Business is evolving… why do you need a board member that has a security and a privacy mindset

Our business environment is evolving and regulation are now part of our everyday life on the enterprise not only on BIG companies that operates in a highly regulated nature but also on small and medium businesses. Through the introduction of the data privacy act and GDPR of EU people are now more conscious of privacy on data processors and their subscribers.

Our management committee and members of the board of directors are more involved than ever in discussions and strategy around their PIIs and cybersecurity and the solutions needed to prevent being the next BIG breach.

The questions we are asking are no longer as simple as “are we secure?” but more to the tune of “are we doing all we can to minimize or transfer the risk, and what do we do in the case of a breach?”

Because of regulation such as the Data Privacy Act (DPA) and EU’s General Data Protection Regulation (GDPR) our management or the board of the directors need to understand more about this regulations and INFOSEC more. Most of the time our CIOs / CTOs and if you have a CISO cannot articulate what the board needs on security and its impact to the business. As IT Executives we need to relay to the board:

  1. The assets and service that they cannot go without – this means their crown jewels
  2. The security drivers and risks.
  3. Risk Assessment and the enterprise response to the risk to ensure survival, continuity and organization’s safety

Our board should ask the questions such as:

  1. Are we demonstrating the appropriate level of due diligence, ownership, and effective management of cyber security risk that we owe to our organization and to our shareholders?
  2. What is our risk appetite if ever a breach happens to us? To what degree are we discussing cyber security risk management in relations to business continuity and the threats to our organization over the past years?
  3. Is our prioritization and level of engagement on the topic of cyber security consistent with our perceived level of overall risk to the organization?
  4. Does our Board need to play a more active role in determining our organizations cyber security strategy? If so, in what way?
  5. Have any of our board members attended formal governance training specific to cyber security risk management? Should this be a requirement/option for some or all board members?

Start your long-term search for this board member now, as it may take a long time to find the candidate with the right qualifications, cultural fit, and of course the availability to take the spot.

BCP and DPA / GDPR

Today will talk about the 4th pillar in DPA which is to be accountable and implement a privacy and data protection measures and exercise that in a regular basis.

In both GDPR and DPA it is mentioned that an entity has to have:

  1. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  2. A process for regularly testing, accessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

In most organization since the Data Privacy Officer is a lawyer his mind is raising how the heck will I do that and since there are so many ISO that is being thrown into me. The answer is to incorporate your Business Continuity Programs to Data Privacy / GDPR

We need to look at two main metrics which are RPO and RTO. RPO – recovery point objective is our effectiveness to do go back in time to up our backups and RTO is your response to that incident

In order for us to be have a normal operation again. We need to have a maximum targeted period in which data might be lost from an IT service due to a major incident. Simply put how much data can you afford to lose? What data would be very costly and difficult to recreate? What it will tell you is how often you need to backup. Again, do not be tempted to say everything is vital and you need everything back. All data is not equal and put a value so you can prioritise it.

No alt text provided for this image

Your Disaster Recovery must be able to recover your data every time and on time. When a disaster like Ransomware hits, you want to be 100% confident that you can recover your data and get on with the job!

Some questions you should ask when doing a Disaster Recovery solution:

  1. Will this Solution deliver my RTO / RPO?
  2. Will this Solution work every time?
  3. If my physical server fails, can I recover this to a virtual environment? Or vice versa?
  4. Do I need to restore to the same hardware?
No alt text provided for this image

You MUST be able to test your Disaster Recovery plan. Do not let a disaster be your first test!