Data Protection & Privacy
Although Australia is handling the health impacts of COVID-19 relatively well, there is no question that the world and the operating environment for businesses large and small is now much more volatile, uncertain, complex and ambiguous. Compared with global shocks experienced in the 20th Century, we need to tackle the COVID-19 pandemic in an age when the systems that we rely on to keep our businesses, governments and society in motion are primarily digital, interconnected and interdependent.
Businesses need to consider what happens in the event of a large-scale disruption and, especially in such uncertain times, how they can build organisations that are digitally resilient to disruptive shocks. Digital technology, on which we are ever-more reliant, is susceptible to failure, especially if the assumptions at the time of its implementation no longer reflect reality (as has happened during the pandemic).
The concept of digital resilience is the convergence of: (i) cyber security and protection against threats to digital assets; (ii) business continuity planning – companies’ preparedness to maintain critical business functions in the event of a disruption; and (iii) digital governance, risk and compliance (GRC), which enables companies to keep the digital machinery on and aligned with corporate objectives. It is no longer appropriate in 2021 to treat these areas as separate functions. Current (and future) business environments demand an integrated approach.
To start the discussion of a Digital Resilience Framework (DRF) at your organisation, we suggest seven key steps essential to your business’ digital resilience journey:
Step 1: Gather information and take stock of your ‘current state’, even if you already think you have visibility of this. This means conducting an internal audit of all areas of digital risk (we recommend doing so with external assistance). As businesses become more reliant on data (including personal information), this is very likely to involve a privacy and cyber security review: data flow mapping for your entire organisation, including the third parties and cloud services that handle your data, and an assessment of current practices against applicable privacy and cyber security laws.
Step 2: Strategise. Your organisation must identify: (i) your most important digital and physical assets; (ii) who your ‘enemies’ are (malicious actors, disasters, pandemics or the like); and (iii) how these ‘enemies’ are likely to attack (the threat vectors). This involves a process of prioritisation so that your expenditure and effort can be focused on the most important areas. This step is also forward‑looking, involving high‑level consideration of likely future directions and anticipating possible future digital risks.
Step 3: Embed knowledge and awareness of digital resilience at every level of the organisation. This means:
Also, don’t forget to plan for what recovery looks like – what services will you bring online, when and how. This step also requires embedding digital resilience in the ‘corporate culture’. From a systems perspective, it means choosing technology solutions that are agile and can be integrated with other solutions as and when they hit the market with minimal configuration. In the COVID-19 context, it means using enterprise platforms that can be used remotely from any device. This is one of the most important steps and usually requires specialist expertise.
Step 4: Insure your risk. Since the introduction of the EU General Data Protection Regulation (GDPR), penalties for breaches of privacy laws around the world (including Australia) are on the rise, and regulators are getting very serious about protecting individuals’ rights and interests in data that identifies them. Cyber attacks can have disastrous implications for a business, and the impacts can run to millions of dollars. Data breaches and breaches of privacy laws and regulations, whether they are directly ‘your fault’ or not, also have adverse reputational consequences. In 2021 it is advisable (and possibly part of the duties your directors owe to the company) to obtain appropriate cyber and privacy insurance to reduce organisational risk. Insurance transfers some of the financial exposure; it does not replace the controls in the other steps, and insurers increasingly expect to see those controls in place.
Step 5: Train personnel for digital resilience. You might have all the right policies (even a DRF) in place, but in practice, for too many organisations, these do not translate into staff awareness. Run training at least annually to help all staff build ‘muscle memory’ for how they should contribute to digital resilience day-to-day and respond to incidents, such as data breaches, in line with documented procedures.
Step 6: Test your organisation’s responses to disruptions. In previous decades most organisations understood the need to test organisational responses to physical threats to safety, such as fire or equipment failure. In the digital age, however, most organisations neglect to put their digital resilience to the test. Testing may be done in a targeted way, such as penetration testing. In 2021 a more comprehensive and holistic testing approach is needed to see how people, technology and processes stand up in a crisis (i.e. a digital ‘fire drill’). We recommend drills and simulations in which personnel with roles under the DRF are put through their paces in a bespoke simulation of a likely scenario for your business in a ‘live’ environment, with the scope, safeguards and rollback plan agreed in advance so that the exercise itself does not become the disruption.
Step 7: Continually review, revise and adapt. Even without COVID‑19, the world is changing at such a pace that best practice, in some areas, changes by the month. This does not mean a wholesale rewrite of your Digital Resilience Framework every quarter. It simply means applying an agile mindset to the way you manage digital resilience. Start with a comprehensive DRF that focuses on key strategic risks and make minor adjustments, as required, to respond to the ever-evolving landscape. That is, the agile methodology works not only for digital transformation but also for digital resilience.
It is easy to think digital resilience relates only to risk. However, its role can be much bigger than that. Digital resilience also acts as a foundation or ‘launchpad’ for digital innovation. Maintaining a real-time, high-definition picture of the status of core digital infrastructure enables an organisation to innovate with confidence – a ‘risk dividend’ that can be reinvested in the company. Digital resilience is also a strategic imperative which can (i) help your directors comply with their directors’ duties and (ii) underpin a competitive advantage for your business in an uncertain world.