What's lurking in the shadows?
Is your business continuity program prepared with a strategic and tactical response to ensure that your company’s most valuable asset is not affected by crisis or disruption?
Data, and personal data in particular, is the new world currency that will drive organizations, governments, and society going forward. How your company leverages this asset and the “Digital Trust” it instills in consumers is not just table stakes; it is paramount to any organization’s success. Without this data your organization cannot create the products, services, and experiences your customers want, and the barriers to those customers moving to a competitor get lower by the day.
The personal data your organization collects, enriches, and uses is just like any raw material, component, or process used in creating and delivering a product: it can be impacted by events outside your control and should be included in your overall business continuity program. Of even greater importance, in today’s brave new world the personal data your organization uses extends beyond your own products, services, and personnel to your partners, vendors, and all of your third-party interactions, collectively termed your “ecosystem”.
Where to focus your attention
Addressing the data privacy risks lurking in the shadows should become a major focus of your program in 2021. Many organizations depend on hundreds, if not thousands, of ecosystem partners to support their business, and as your ecosystem grows in size and complexity so does the effort required to support and maintain it from a business continuity perspective. Impacts to the personal data used in your operations from the following key areas can severely hamper or cripple an organization and should be prioritized in your business impact analysis (BIA) and planning efforts:
- Data localization – Laws that require data collected on a country’s citizens to be retained and/or processed in that country, and potentially within regional jurisdictions. These laws can restrict the flow of data from your internal divisions or ecosystem partners, affecting innovation, products, and services. As with other aspects of your program, these laws are constantly changing and the pace of change is accelerating.
- Infrastructure – Technical infrastructure, just like the traditional infrastructure for moving materials, can limit your ability to leverage data from certain regions more than others and should be accounted for when reviewing your ecosystem. Aging telco networks, bandwidth constraints, and unreliable power are typical inhibitors.
- Quality and usability of data – Documented and controlled details of the source, structure, and validity of partner data, as well as the authority to use it legally and ethically.
- Cyber-risk – A breach or misuse of your data by any of your ecosystem partners not only exposes that data but also opens your organization up to liability, non-compliance and fines, and reputational damage.
- Intellectual property – Your ecosystem’s use of your organization’s data, processes, and designs can be exploited directly, or reverse engineered and sold to other organizations, leaving you at a competitive disadvantage.
The business continuity challenge of building engagement
Global business continuity efforts incorporating “ecosystems” have typically revolved around factors such as the impacts to logistics, due diligence, and time to market.
One of the biggest challenges BC programs face on this front is raising awareness of personal data as a risk with potentially significant impacts to the business, impacts that need to be planned for. Many organizations view the use of personal data only through a compliance lens and assume the consequences are limited to audits and minor fines. What they are missing is the far greater role personal data plays in how new products and services are researched, designed, built, and delivered to market, all of which is critically tied to your “ecosystem”.
We frequently see the same barriers to building engagement and buy-in within organizations, and they should be taken into account as you begin conversations with your leadership team.
- Data Privacy is viewed as a point compliance issue with limited oversight by government agencies.
- Many companies find it difficult to define the quantitative and qualitative impacts to the organization of using this type of data for product and service development.
- Organizational ownership and responsibility for data privacy cuts cross functionally through a web of IT, legal, marketing, and product.
- Stakeholder hesitation to lead the initiatives due to the complexity of the issues and the potential impact to personal success and reputation.
- Limited publicized enforcement has lulled organizations into a wait-and-see mentality, and only greater enforcement will bring additional attention to the subject.
Incorporating data privacy into your business continuity program
There are key considerations to take into account regarding how personal data is collected and used by your organization and its ecosystem, and how that use should be supported by your business continuity program. It is critical to have business continuity plans in place that address events affecting personal data, privacy rights, and the free flow of data and innovation across your organization and ecosystem, so that your go-to-market strategy is not derailed.
Key program considerations and best practices include:
- Establish a key understanding of your organization’s and ecosystem’s data landscape and compliance requirements.
- Incorporate data privacy in your cadenced and ongoing BIA initiatives. Depending upon the maturity of your program you may want to spin-up a fully focused data privacy assessment in coordination with your IT and governance teams who may already be leading initiatives around data discovery, classification, and mapping.
- Ownership and executive sponsorship are critical including the formation of a committee to support the cross functional nature of the subject.
- Identify and document the overarching data privacy and security frameworks in scope (NIST, ISO, etc.) as well as the regulatory requirements you need to track against globally. For most organizations a matrixed approach will be required to ensure the greatest level of compliance.
- Develop the supporting policies, standards, procedures, and controls to support the program.
- Include an operationalized Privacy by Design (PbD) methodology that covers all data privacy initiatives, including the creation of any new product, service, or IT solution, the onboarding of any new ecosystem partner, and merger & acquisition activities.
- Leverage a technology platform with fully integrated systems to proactively manage your program and ecosystem partners.
- Identify target maturity state both internally and externally with your ecosystem. Build and track against the timelines that match your mission and strategy.
- Measure, monitor, and report against the program and its areas of ongoing improvement.
- As your program matures, create and conduct incident response exercises with your ecosystem partners covering data events such as breaches, loss of data access due to technology failures, and regulatory changes.
Organizations rely on effective business continuity programs to ensure resilience in times of crisis or disruption. As practitioners we know those programs have to run deeper and broader than “in times of crisis” to ensure not only success but true value to the organization at a business level. Take your program to the next level by incorporating data governance and data privacy into your business continuity program and turning it into an operationalized center of excellence that helps the business thrive.
No matter what industry you serve, data privacy and digital trust are now competitive advantages for your organization and your personal professional success.
About the author
Director of Sales / Strategic Solutions
Chris is a recognized sales executive who assists global organizations in driving value through privacy, risk, and data governance programs enabled through SaaS solutions.
Extensive experience working with global clients in evaluating systems, tools, and processes to ensure Business Continuity/Disaster Recovery and Risk Programs are aligned with the identified requirements in the key functional areas: Risk, Organizational Strategy, Business Impact Analysis, Planning, Testing, and Emergency Communications.