COVID-19 pandemic catapults data protection controls

Organisations need to observe data privacy regulations as they are now the law in over 140 jurisdictions around the world.

Furthermore, privacy protections have become critically important to customers, says Robert Waitman, director in Cisco’s data privacy security and trust office.

The Cisco executive made the comments in light of the company’s recently released 2021 Data Privacy Benchmark Study, which shows privacy has become an even more important priority during the pandemic.

The annual study explores the privacy practices and maturity levels at organisations around the world, their financial investments in privacy, business benefits from these investments, and the forces driving these behaviours.

In this year’s study, Cisco says it collected responses from over 4 400 security and privacy professionals in 25 geographies, including APAC, EMEAR and the Americas. It also included several questions related to the pandemic and its impact.

In an e-mail interview with ITWeb, Waitman said 90% of the survey respondents stated their customers would not buy from them if their data was not well protected.

“Privacy also provides very attractive financial returns for organisations, and over two-thirds of the security and privacy professionals who responded to our survey recognised privacy’s value in terms of reduced sales delays, lower losses from security breaches and greater operational efficiency.”

Surprising outcomes

While it may have been anticipated that data protection controls would take a back seat in the wake of the COVID-19 pandemic, Waitman says organisations upped the ante, turning to privacy principles for guidance.

The outcome, he points out, means privacy is strengthened and seems destined to play an even more critical role going forward.

“The rapid shift to remote working put strain on many organisations, and 59% of respondents said they were unprepared for the privacy and security requirements involved in this shift.

“In addition, our personal information − for example, health status, social contacts and location tracking − was needed to help control the spread of the virus.

“And despite the need, 62% of individuals said they wanted little or no changes to existing privacy protections. Faced with these challenges, 93% of organisations turned to their privacy teams to help them navigate the pandemic.”

When asked about the findings of this study, he points to two as being remarkable.

“The first is the overwhelmingly positive reaction to privacy laws around the world; 79% of respondents said these laws have had a positive impact on their organisations, compared with only 5% saying they have had a negative impact.

“The second surprise was how privacy skills have now become an integral part of the role of security professionals. Over a third of the security respondents in the study indicated that data privacy and governance was now one of the core components of their job.”

Privacy first

Waitman notes that organisations are responsible for protecting all of their personal data, whether it pertains to customers, employees, partners, or even applicants.

“Under most privacy guidelines, this means the organisation must have a legitimate basis to process the data, use it only for its designated purposes, and delete it once it is no longer needed for this purpose.

“In many countries, people also have the right to find out what data an organisation has about them and, in some cases, to have that data erased.”

In terms of data privacy in SA, organisations are required to comply with the Protection of Personal Information Act (POPIA).

Last year saw the commencement of certain sections of the 2013 data privacy law, with the rest to commence on 30 June 2021.

Since 2013, the Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.

The purpose of POPIA is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information, by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don't comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Looking to the future, Waitman expects organisations to continue to strengthen their commitments and capabilities in data privacy.

This is mainly because privacy has become a critical business imperative over the past few years, he concludes.

“Privacy spending has increased, along with the business benefits associated with these investments. External privacy certifications (eg, ISO 27701) have become an important factor in the buying process. And over 90% of organisations are now rolling up one or more privacy metrics to their board of directors.”
