Data protection in an era of global change

RISHI MAHARAJ

As we enter 2021, the preceding 365 days has without a doubt forced may organisations all around the world to shift the way they do business and, in most instances, accelerated digital adoption. With this new push to digital, renewed attention has been drawn to questions around data protection. While consumers may be more accepting of the delayed delivery of an order or an extended service window considering the pandemic, if it is discovered that their personal data has been compromised then the consequences for organisations can be dire.

For organisations in the Caribbean, both large and small in an effort to survive and get back to business safely, many have begun to rapidly adopt services such as contactless payment, click-and-collect applications, e-commerce websites and enhanced customer relationship management as avenues to pivot their service delivery options.

With this new and rapid shift to operations online, they have also now begun to collect, utilise, share and store large amounts of personal and sensitive data across varied digitally transformative technologies like cloud, virtualization, big data, IoT, blockchain, etc. This use of new technology not only allows organisations to radically change and improve their operations and delivery of services to the customers, it also increases their exposure to data breaches, as safeguarding this new collection of personal data within these new technology environments becomes a complex task.

Within the last year several reports have indicated a significant increase in ransomware attacks when compared to previous years. With a growing number of security breaches and different cybercrimes, with data being mined, monetised and resold, not only would customers become more irritated and upset, but these incidents can also cause reputational, financial and legal damages to organisations that mishandle customers personal and sensitive data. Within the context of digital transformation, therefore, data security becomes a vital factor and a major challenge for every organisation, underlined by stricter regulations and severe consequences in the case of data loss.

It has been estimated in various industry publications that annually data breaches can cost US$2.1 trillion globally. The average cost of a single data breach will exceed US$150 million in that same period. If a breach does occur, being able to react quickly and appropriately can mitigate the damage.

Not collecting data is also not an option. Let’s face it, organisations can’t afford to not collect data about their customers. That data represents competitive advantage, too. Whether performing targeted marketing through mobile advertising, running a loyalty program, or simply using customer insights to drive product development, collecting data about customers is essential to future success.

Until recently organisations' data protection efforts have revolved around the specific regulations and requirements for their sector. However, that scattered, one-off approach to data protection may no longer be good enough.

As we enter 2021 however, data protection has now evolved from “nice to have” to a business imperative and critical boardroom issue. Regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have raised awareness and enforcement of privacy, and this is compelling organisations to better manage and protect personal data to avoid significant fines and penalties.

With the Caribbean this regulatory landscape is also changing. In 2019 Barbados passed its Data Protection Act and in May 2020 Jamaica passed in own legislation. Both pieces of legislation are based on the provisions of the GDPR. In December 2020, the Jamaican government began its recruitment exercise for the office of its Data Protection regulator indicating a rapid movement to implement the legislation as soon as possible.

Within Trinidad and Tobago, the government has also indicated plans to strengthen data protection legislation in 2021. Attorney General Faris Al-Rawi noted that the act was being reviewed in keeping with developments in other jurisdictions. He also stated that the position of information commissioner “is expected to be filled with immediacy.”

Driven by the rising importance and visibility of the data protection issues both globally and regionally, as well as by sweeping data regulations, organisations can benefit from a more comprehensive and coordinated approach to data/information governance. As organisations begin to expand their operations (both administrative and customer focused) onto digital platforms in 2021, data protection issues will continue to emerge and expand. It is often said that the devil is in the details. Without a comprehensive and effective program for managing data and information regulatory compliance would remain a challenge and a potential reputation time bomb.

Rishi Maharaj is the Executive Director of the Equigov Institute.