Before answering this question we need to agree on what Data Protection and CyberSecurity are.
Data protection is the set of laws, regulations and best practices intended to secure digital information without limiting the legitimate business use of that data and without compromising it in any way, thereby safeguarding the data from undisclosed or malicious use.
Cybersecurity is the set of measures and processes taken to protect a computer system or its data against unauthorised access or attack.
Both set down minimum standards and reporting requirements for serious breaches.
There are essentially two reasons organisations should protect data: legislation and reputational damage.
In the European Union, the expectation that data is protected is a right. As such, the General Data Protection Regulation (GDPR), since coming into force in May 2018, has provided a robust framework for ensuring that right.
Data protection laws vary from country to country, but the principles behind them are similar. Many countries have derived their legislation from GDPR.
A fiduciary obligation is the legal obligation of one party (a fiduciary) to act in the best interest of another. The fiduciary is someone (a person or persons, not an organisation) entrusted with the care of assets or property. Fiduciaries, in most cases C-level executives, have the same obligations for data, since data is considered an asset; failure to meet these obligations may lead to personal liability and legal consequences.
The greatest harm a breach can cause is the loss of customers' trust. It can take years to build a company's reputation, and one breach can destroy it in a matter of hours. The breach itself is only the tip of the iceberg: in most cases it is closely followed by customer or shareholder lawsuits.
It is for these reasons that adopting sound data protection procedures to guard against cybercrime is no longer optional.
In general, data protection legislation distinguishes between 'personal data' and 'sensitive personal data' (data pertaining to, for example, ethnic background, religious beliefs or health). Data protection frameworks provide rules and guidance on how data is to be stored and used in business activities (e.g. for marketing).
Organisations must ensure that data is:
Used only in ways that are stated up front to the owner of that data
Stored only for the period of time it is needed
Stored safely and securely
Recoverable for forensic use if ever required, in line with local legislation (for example, financial transaction data must be retained for 7 years in many countries)
Organisations hold two sets of data, that belonging to their customers and that of their employees, both of which need to be protected to prevent misuse by unauthorised third parties for the purposes of fraud.
This article will be followed by two more:
What should organizations do to protect data?
Most companies setting out to comply with data legislation will face challenges and will need to make difficult choices in terms of priorities and investment.
How can organizations protect data?
Report, Support, Monitor and Recover