The problem with data security is that it is usually not the reason the organisation was set up. Along with other such peripheral requirements, it can end up being handled on a “do-as-little-as-possible” basis. This cannot last.
This area covers, among others, the GDPR (the General Data Protection Regulation) and PECR (the Privacy and Electronic Communications Regulations).
With the recent legislation, let alone the increasing attacks from cyber criminals, the “as-little-as-possible” approach will no longer mean the minimal change that might previously have been envisaged.
2. Moral Driver
There is also a second driver that overlays the legal requirements.
Where the data you hold relates to, or belongs to, others, you face a far more serious situation if you lose control of it. Organisations have a moral obligation to ensure this does not happen.
Imagine how you would feel if your personal details were released to the world by an organisation you had dealt with. You would justifiably be angry, and would want that organisation not only to sort it out but to compensate you for the time, money, effort and embarrassment it had caused.
So why would you expect anything different if your organisation lost other people’s data?
If you don’t agree, just imagine standing in front of a news conference trying to explain why the loss of your clients’ personal data is not a problem, is not your responsibility, or is not something you are going to do anything about.
3. Reputational Driver
This driver goes well beyond the legal requirement. The law can punish with fines or jail time, but by then neither will matter. Why?
Because your business, your life’s work and, most importantly, your reputation will already have suffered, potentially irreversibly, well before any fine or jail term takes effect.
As soon as the news is out that you have had a data breach, your customers will start to desert you (especially if it is their data you lost). As the customers leave, your suppliers will hear about it, start to question your viability and want prompt payment. Your bankers will start to raise concerns. Your marketing will either try to ignore the problem, which tells the world you don’t care, or try to address it and play it down, which admits to those who did not already know that there was a problem. At every step your business suffers, your reputation declines, and so your business suffers further. And all of this happens well before any fine or court sentence can be considered, let alone passed.
4. Practical Driver
Since you and your organisation have to have such systems anyway to meet the legal, moral and reputational drivers, you can make sure that the systems you have are as efficient and effective as possible. That way they consume as little of your fee-earning time as possible.
At the same time, you can use the data your system captures to improve your marketing, your product placement and your understanding of the markets at large, including your most important market: your existing customers.
(Why your existing customers? Because, if you treat them right, they are your ambassadors to the rest of the market, so you need to really know what they want. They are also the ones to whom you can re-sell the same products, supporting packages or extensions, without the expense and hassle of finding them and persuading them that you can do this well, provided you have treated them right.)
So the practical driver is to have systems that make your data security match your need to get the most out of your data, so that you maximise the benefit from something you are obliged to do anyway.
5. The Reassurance Driver
You can cobble together a patchwork of spreadsheets, policies and working practices that covers everything you need to meet the legal, moral and (to a lesser degree) practical drivers. But you may miss something.
There may be occasions when others want to look at what you have, whether to decide whether to do business with you (a client check), to confirm that you have managed things well in the past (an audit), or as evidence that you did what you should if you are accused of negligence (a legal review). If they find a home-made approach unlike anything they have seen before, then however appropriate and accurate its coverage, the reviewers will at the very least have to work harder to understand what has been done, and harder still to work out whether it is sufficient.
A well-structured system, successfully used by many others, records past actions and the reasoning behind them so that earlier decisions can easily be reviewed. This gives strong evidence that you and your organisation really know what you are doing in the data security area. Again, clients will be happy to entrust their data to you, assessors will be happy to certify your work, and legal reviews will confirm that you did what you should in ways accepted both in law and in practice.
All this means you can rest assured that the data security aspects of your organisation will cause the fewest possible problems when put to the test and, indeed, will strengthen your position with any reviewer who goes through the systems you use.
Please contact me if you can think of another driver towards adopting a data security ISMS (information security management system)!