What the pending data security laws mean for business leaders

In today’s security landscape with ever-increasing threats, business leaders need to take their security conversation beyond simply fixing systemic data security and compliance gaps, to addressing how they build trust within their organisations and with customers.

From a legislative standpoint, the introduction of the Notifiable Data Breaches Scheme (NDB) and Europe’s General Data Protection Regulation (GDPR) next year puts data security firmly on the agenda of business leaders across the globe. What is notable about both the NDB and the GDPR are their far-reaching consequences and the levels of accountability they impose. Organisations that fail to comply with the GDPR could be fined up to €20 million or up to four percent of the total worldwide annual turnover of the preceding financial year - whichever is higher. The NDB, on the other hand, makes individuals (not just organisations) personally liable for up to $360,000 if they mismanage breaches.

The new laws require organisations that hold data belonging to individuals to provide an unprecedented level of protection and to explicitly know where every piece of data is stored. This includes understanding the full lifecycle of users’ data - where it lives, how and when it is stored and processed, how it flows between processors, and ultimately how it gets destroyed. The impact is far-reaching and elevates data security from an isolated IT issue to a company-wide priority - keeping business leaders alert and accountable. 

In light of this, building a formidable culture of trust that permeates every part of an organisation should be a critically important priority for business leaders. For example, at Dropbox, our most important company value is to ‘be worthy of trust’ - this is premised on the idea that the trust of our customers must be earned.

Building a resilient and security-conscious organisation that is worthy of trust means that everyone within the organisation, from the top down, takes the responsibility of protecting their customers’ information seriously. They are not afraid to ask questions like these to uncover risks and inadequacies: Do we take a data-centric vs a device-centric approach to security? Do we truly understand the lifecycle of our data? What kind of data is being stored and where? Who is sharing the data and who has access to it? If the data is being shared externally with partners and vendors, how safe are their systems? Do we have measures to assess the security of our suppliers and vendors who may store or process our data?

A company-wide culture of trust that is supported by intuitive, user-centric cloud technology can assist with reducing human error - the main cause of data breaches. It has been widely researched that security threats which result from insiders are often the result of unintentional and well-meaning actions of employees, and come from honest and simple mistakes rather than the abuse of privileges.

If leveraged effectively, cloud can provide objective visibility and control with features such as audit trails, remote wiping, admin control, single sign-on, data loss prevention and version history. These capabilities provide full transparency into where a company’s data is, who is accessing it and how lost data can be restored. If a human error is detected in time, cloud systems can potentially reverse it before it is too late.

The benefit of cloud is that it can be used to build permission frameworks around data, centralise control and standardise on a single platform, so that security is built into the system and the right people have the appropriate level of access to it at the right time. This removes guesswork on the employee’s part and effectively limits the potential for accidents and unintentional sharing of sensitive information.

By elevating the importance of data security and making it a company-wide priority, the new data security laws will hopefully inspire business leaders to drive a cultural shift towards making trust an organisational value and compass, and to invest in technology that aids employees’ ability to uphold and maintain that trust.

This article was originally published in The Australian.

Want to know more about the new legislation? Join us for a webinar with Michael Park from Allens, a leading international commercial law firm, to discuss what the new legislation means for Australian businesses.