Explore the synergy between personal data protection and cybersecurity. Genie Sugene Gan, Head of Government Affairs & Public Policy in APJ and META at Kaspersky, sheds light on emerging regulations and outlines essential steps for businesses to safeguard sensitive information effectively.
Everything we do online generates data, and each year the degree of our immersion in the online space keeps skyrocketing. As the volume of information grows, so does the amount of personal data, i.e. information that can be used to identify a particular individual. It is therefore no surprise that personal data protection frameworks are emerging in an increasing number of countries worldwide.
For instance, the Middle East has adopted several relevant regulations in the past few years. Egypt passed the finalised version of its Personal Data Protection Law (PDPL) in 2020, and Bahrain had adopted regulations aimed at safeguarding personal information before that.
Most recently, more countries in the Middle East followed suit: Oman enacted a data protection law in 2022, and Saudi Arabia issued its PDPL earlier in 2023. Aimed at protecting the privacy of personal data and helping organisations ensure such information is gathered, processed and stored properly, the Saudi law is expected to take effect in September 2023.
Data privacy should be complemented by data security
As a result of the upcoming regulation, companies operating in META will have to grapple with personal data protection regimes and adapt their business approaches and processes to the new demands. This process could bring unforeseen challenges. Some examples of the requirements stipulated by these new laws include:
- Employment of a Data Protection Officer in KSA as part of the forthcoming PDPL;
- Training the staff responsible for ensuring compliance with the new laws so that they are qualified to meet the new demands;
- Adopting technical and regulatory procedures for the storage of personal data;
- Implementing privacy policies and enforcing them;
- Applying adequate measures to ensure the accuracy and integrity of the data;
- Ensuring the appropriate procedures and means of communicating with personal data subjects and providing them with the necessary information, etc.
These are just some of the obligations imposed on organisations that act as personal data controllers, whether large or small enterprises. While fulfilling all these demands is challenging for businesses of any size simply in terms of scope, even greater difficulties may arise for SMEs because of resource constraints.
In these circumstances, some organisations might opt to focus on compliance first and look at security later, revamping corporate systems and processes only to meet the minimum regulatory requirements, for fear of sanctions and hefty fines or of being “named and shamed” in public and in media reports. However, this approach may backfire.
Legal requirements are the beginning of the journey, not the destination
When companies take a formalistic approach to observing data protection legislation and overlook the security of the processes and mechanisms they put in place, they ironically risk undermining the goal of the entire legislative effort. They jeopardise the data entrusted to them and expose their business to dire consequences from cyberattacks and the data breaches that follow.
While data protection frameworks provide a basic foundation for cybersecurity practice, companies must build further on them to achieve a continuous state of protection and a well-rounded, effective security program. When organisations base the security of their data on compliance alone, without ongoing monitoring and testing, attempted and successful attacks can go unnoticed and unaddressed.
According to Kaspersky’s recent research, the most significant cybersecurity issue for SMBs is data breaches (41%), which can expose corporate and customer data and lead to financial and reputational losses. For enterprises, meanwhile, 2022 was the year with the highest percentage of operational technology computers attacked by malware (40.6%). To counter these threats, organisations should choose a reliable cybersecurity vendor that can support them with scalable security solutions. Such security measures range from regular security testing and scanning, and staying current on new vulnerabilities and developing threats, to ongoing education and staff awareness; they pay for themselves by creating a safe environment for further growth. All of this helps prevent cybercriminal attacks and data breaches that can significantly affect a company’s reputation and efficiency.
Even more than in the past, cybersecurity is a business issue today: it is no longer just the responsibility of the organisation’s CISO but a concern for several departments. This includes every area involved in adapting to the new frameworks, from application development, infrastructure and product development to finance, human resources and risk. Even company boards are now responsible for their organisations’ cybersecurity frameworks and risks as part of their fiduciary and oversight duties.
Adopting data protection frameworks is, above all, an incentive for companies to pay special attention to implementing and strengthening cybersecurity strategies in their organisation. Only by addressing both together can they mitigate the risks, continue to develop their business securely and comply with regulations, thereby achieving the most important goal for companies: data protection.