Four Reasons to Increase Privacy Awareness in a Corporate Environment

Privacy has grown in prominence over the last decade, along with the demand for personal data: an asset to corporations, and something to protect for individuals.

Levent Mukan
DataBulls
Apr 11, 2021

To keep this increasingly valuable asset protected and stored properly, one of the most important things a company must do is, without a doubt, conduct proper internal training to raise general awareness. Keeping people up to date on specific applications or current technology is also useful and necessary, but general privacy awareness is valuable to companies for many reasons. I’ll just pull four of them (in random order) for now.

1. Regulatory compliance

In the last decade, the importance of privacy has grown rapidly. One result is that regulators have stepped in to address the problems that appeared. Companies’ tendency to sell personal data, and advertising’s increasingly aggressive use of it, made this intervention necessary, so privacy laws and regulations are multiplying internationally.

Everybody knows the GDPR by now. Some countries still have no privacy regulation, but it is safe to say they will follow.

According to GDPR Art. 39(1)(b), one of the tasks of the DPO (the list in Art. 39 is a minimum, not an exhaustive one) is as follows:

…to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

In other words, awareness-raising and training of staff are explicitly listed among the DPO’s compliance-monitoring tasks.

Also, if your company is ISO 27001 certified and wants to keep that certification, regular awareness training is a must.

2. Protection against cyber attacks

First things first: awareness training will not protect you 100% against cyber attacks. But it helps, because people are the weakest link. Most phishing attacks can be avoided with simple, regular training, and most attackers target people to get past a company’s defenses.

Technical defenses are necessary, but they depend on input from people; if people are not aware, those defenses cannot reach their potential and become a huge waste of money. There is also the cost after an attack, when the company has to harden its defenses by buying additional tools or consulting (and, potentially, paying fines).

3. Reputation and trust

Most companies run on data provided by their customers and employees. Before handing any data to a company, everyone’s first concern is (and should be) trust: do we trust this company with our name, our primary e-mail address, our home address, or our phone number?

This trust may be based simply on instinct, an educated guess, or expert knowledge. Your reputation as a company matters most to people who know nothing about you beyond external sources, such as what they hear in the news or on social media.

To build trust and strengthen its reputation, a company can take a variety of measures. Training is one of them.

4. Building a security culture

This is notoriously difficult to achieve, and it is a marathon rather than a sprint. Keeping awareness training active, following good practices, and securing strong sponsorship from senior management can produce remarkable progress in building a security culture in a company.

What happens when you have a security culture?

  • Security is always on your people’s minds. Privacy impact assessments become easier, because ideas are developed with security in mind from the start. When someone proposes a mobile app, for example, they will also propose solutions to its potential privacy threats.
  • Increased situational awareness. If someone starts receiving suspicious e-mails, IT is informed immediately and asks around. Found external drives are brought to IT before anyone plugs them in, and IT examines them in a sandbox. Increased situational awareness reduces risk in return.
  • Awareness training progresses into advanced training, where you monitor your people’s status and further develop your security culture.

Cyber Risk Manager @Marsh, co-founder @DataBulls, EY Alumni | Attorney at law | LL.M. in IT Law