19.1 C
Wednesday, May 29, 2024

Beyond Compliance: Why Data Protection Needs Strong Cybersecurity

Must read

Genie Sugene Gan
Genie Sugene Gan
Director for Government Affairs & Public Policy, Asia-Pacific, Japan, Middle-East, Türkiye and Africa at Kaspersky

Data privacy regulations are rising globally, but focusing solely on compliance can backfire. Strong cybersecurity practices are crucial to protect data and prevent breaches. Learn why data security is essential alongside data protection.

Everything we do online generates data, and each year, the degree of our immersion in the online space keeps skyrocketing. With the growing amount of information generated, the amount of personal data, e.g., information that can lead to identifying a particular individual, rises too. Thus, it’s no surprise that an increasing number of personal data protection frameworks are emerging worldwide.

For instance, the Middle East has adopted several relevant regulations in the past few years. Egypt passed its finalized version of the Personal Data Protection Law (PDPL) in 2020, and Bahrain adopted regulations to safeguard personal information before that.

Most recently, more countries in the Middle East followed suit: Oman enacted a data protection law in 2022, while Saudi Arabia issued its PDPL earlier in 2023. The law, which aims to protect the privacy of personal data and help organizations ensure such information is gathered, processed, and stored properly, is expected to take effect in September 2023.

Data privacy should be complemented by data security

As a result of the upcoming regulation, companies operating in META will have to grapple with personal data protection regimes and adapt their business approaches and processes to the new demands. This process could bring unforeseen challenges. Some examples of the requirements stipulated by these new laws include:

  • Employment of a Data Protection Officer in KSA as part of the forthcoming PDPL;
  • Training the staff responsible for ensuring compliance with the new laws so they are qualified according to the new demands;
  • Adopting technical and regulatory procedures for the storage of personal data;
  • Implementing privacy policies and enforcing them;
  • Applying adequate measures to ensure the accuracy and integrity of the data;
  • Ensuring the appropriate procedures and means of communicating with personal data subjects and providing them with the necessary information, etc.

These are just some obligations imposed on organizations that can act as personal data controllers — whether in large or small enterprises. While fulfilling all these demands can be challenging for businesses of any size just in terms of scope, even greater difficulties may arise for SMEs due to resource constraints.

In these circumstances, some organizations might focus on compliance first and security later, revamping corporate systems and processes just to ensure compliance with minimum regulations in fear of possible sanctions and hefty fines or of being “named and shamed” by the public and in media reports. However, this approach might backfire.

Legal requirements are the beginning of the journey, not the destination

When companies take a formalistic approach to data protection legislation observation and overlook the security of processes and mechanisms put in place, ironically, they risk undermining the goal of the entire legislative effort. They jeopardize the data entrusted to them and inflict dire consequences on their business due to possible cyberattacks and subsequent data breaches.

While data protection frameworks provide a basic foundation for cybersecurity practice, companies must further build on those to achieve a continuous state of protection and ensure a well-rounded and effective security program. When organizations try to build the security of their data based on compliance without ongoing monitoring and testing, attempted and successful attacks can go unnoticed and unaddressed.

According to Kaspersky’s recent research, the most significant cybersecurity issue for SMBs is data breaches (41%), potentially exposing corporate and customer data and leading to financial and reputational losses. At the same time, for enterprises, 2022 ended up being the year in which the highest percentage of operational technology computers attacked by malware (40.6%) occurred.

To prevent these threats, organizations should choose a reliable cybersecurity vendor to support them with scalable security solutions. These possible security measures vary from regular security testing and scanning, staying current on new vulnerabilities and developing threats, to ongoing education and staff awareness, which will pay back and support business by creating a safe environment for further growth. All this helps to prevent cybercriminal attacks and data breaches that can significantly affect a company’s reputation and efficiency.

Even more than in the past, cybersecurity is a business issue today – and it is no longer just the responsibility of the organization’s CISO but a concern for several departments. This includes all areas engaged in adapting new frameworks, from application development, infrastructure, and product development to finance, human resources, and risk. Even company boards, for instance, are now responsible for organizations’ cybersecurity frameworks and risks as part of their fiduciary and oversight responsibilities.

Also Read: Perianne Boring on Empowering Financial Inclusion and Redefining Digital Ownership

Adopting data protection frameworks primarily incentivizes companies to pay special attention to implementing and strengthening cybersecurity strategies. Only by accomplishing these aspects together can they prevent possible risks, continue developing their business securely, and comply with regulations, achieving the most significant goal for companies—data protection.

More articles

Latest news