Three board members walk into a bar

Why privacy and cyber security concerns are no joke in 2022

3 board members walk into a bar – the bartender asks – what is your top governance priority for 2022? They each furrow their boardly-brows in contemplation.

One leans forward conspiratorially and – in almost a whisper – says “privacy”. The second board member sidles up to the bar more confidently, with a loud clear voice says “growth”. The third, chewing nervously at a breadstick and appearing to be sweating says “risk. We need to mitigate risk!”

The bartender responds with “it sounds like you three have a lot in common” – he is then called away to serve his other customers. But the board members are left wondering – what do those three answers have in common?

The answer is data.

Spoiler alert – there isn’t a punchline hidden in here somewhere – this is not a joke and neither is the digital health, security and privacy compliance of your organisation. 2022 commenced with privacy, growth and risk all top of mind for boards and management. We’re now a quarter of the way through the year and it’s a good time to reflect to see if concerns are being addressed.

Organisations all want data-driven digitisation (even if they don’t realise it or call it that) and must ensure that privacy is part of the very foundations of their systems and processes. Managing growth and risks means having a robust approach with a “when” not an “if” approach to privacy related incidents or regulatory actions.

Perhaps you identify with one of our three friends from the bar, and want to understand what you could be doing to build for data related growth. Here are some ideas:

  1. Implement privacy by design – privacy shouldn’t be an after-thought. Ensure that good privacy practices are built into your organisation’s decision-making, as well as the design and structure of your information systems, business processes, products and services. A good first step is to introduce privacy impact assessments into your organisation and use them.
  1. Maintain good infotech hygiene – As we have learned from cases like Marriot and British Airways, simple ‘good practice’ measures like effective security and threat-detection software  and multifactor authentication can be critical in preventing catastrophic security breaches.
  1. Be aware of current regulatory actions – the Office of the Australian Information Commissioner is the regulator for privacy law in Australia and is actively enforcing privacy law compliance. Understanding the Regulator’s focus and concerns can help shape and prioritise your efforts.
  1. Review your supply chain contracts to ensure that you have data and privacy protections in them – and if you do – consider refreshing the language to meet the challenges of data and privacy now.
  1. Continuously improve and update your controls and processes – There is no one thing that can be implemented or purchased that will ensure the cybersecurity or privacy compliance of your organisation. Internal compliance needs to be regularly updated and systems need to be re-evaluated periodically for their effectiveness as well as for how well members understand and are able to contribute to them. Your systems are only as good as the way in which they are used day-to-day.

Published by Brett

Brett is an experienced lawyer and business executive who focuses on commercial outcomes. He has worked across three sectors in England & Australia advising and leading initiatives in digital, media and technology

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s