
Digital transformation must emphasise both data security and data protection


Above: Illustration by denisismagilov /Depositphotos.

Originally published by Rishi Maharaj on November 09, 2020. Reproduced with the permission of the author.

The world is currently taking steps forward on the digital transformation journey, and organizations across industries are rapidly transforming and adopting new-age technologies to fuel their business operations.

However, this surging adoption has also led to security concerns over the privacy and protection of data, creating an attack surface for malicious actors.

For businesses in the Caribbean, both large and small, Covid-19 has expedited their digital transformation efforts at an almost unimaginable speed.

In an effort to survive and get back to business safely, these businesses have begun to rapidly adopt services such as contactless payment, click-and-collect applications, e-commerce websites and enhanced customer relationship management as avenues to pivot their service delivery options.

With this new and rapid shift to operations online, businesses have also now begun to collect, utilise, share and store large amounts of personal and sensitive data across varied digitally transformative technologies like cloud, virtualization, big data, IoT, blockchain, etc.

This use of new technology not only allows organisations to radically change and improve their operations and delivery of services to the customers, it also increases their exposure to data breaches, as safeguarding this new collection of personal data within these new technology environments becomes a complex task.

Recently we have seen advisories issued by the Trinidad and Tobago Cyber Security Incident Response Team of an increase in ransomware attacks targeting local organisations.

With a growing number of security breaches and different cybercrimes, with data being mined, monetized and resold, not only will customers become more irritated and upset, but these incidents can also cause reputational, financial and legal damage to organisations that mishandle customers' personal and sensitive data.

Within the context of digital transformation, therefore, data security becomes a vital factor and a major challenge for every organization, underlined by stricter regulations and severe consequences in the case of data loss.

Furthermore, data protection has evolved from a “nice to have” to a business imperative and competitive advantage for companies, their boards, and senior leaders who embrace accountability and transparency in how they manage personal data.

While some may argue that businesses must choose between security and data protection because you cannot achieve both, I subscribe to the positive-sum approach of “Privacy by Design” as advocated by Dr. Ann Cavoukian. Her approach of Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made.

Privacy by Design avoids the pretense of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both. From a business perspective, this means that when entrusted with the personal and highly private information of its consumers, the business must enact effective data security and data protection programs to protect this valuable asset.

Data security is focused on protecting personal data from any unauthorized third-party access or malicious attacks and exploitation of data. It is set up to protect personal data using different methods and techniques to ensure data protection. Data security ensures the integrity of the data, meaning data is accurate, reliable and available to authorized parties.

Data Protection is concerned with the proper collection, handling, processing, storage and usage of personal data. It is all about the rights of customers with respect to their personal information. The most common concerns regarding data protection are:

  • managing contracts or policies,
  • applying governing regulation or law (like General Data Protection Regulation or GDPR),
  • third-party management.

Within the last 2 years, governments around the world have begun meeting the increased demand for data protection by introducing legislation. For instance, the EU’s General Data Protection Regulation (GDPR) is a revolutionary data privacy law in the digital age. Many other countries like Brazil, Thailand and recently India have also introduced data protection laws.

Within the Caribbean, Barbados in 2019 and Jamaica in 2020 passed their respective Data Protection laws (modelled on GDPR), and the Government of Trinidad and Tobago is currently in the process of amending our own Data Protection Act in keeping with GDPR best practice.

Additionally, in 2019, the International Standards Organisation implemented the ISO 27701 standard. This new standard is a data privacy extension to ISO 27001. This newly published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements.

ISO 27701 outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. This reduces risk to the privacy rights of individuals and to the organisation by enhancing an existing Information Security Management System.

These new laws and standards have brought new rights for individuals as well as obligations for businesses that utilise personal and sensitive data. In addition, from a data security perspective, these laws have also made notification of security breaches mandatory, and in some cases the breach must be reported to the regulator and those affected within 72 hours of the first detection.

While data security and data protection are certainly interconnected, there are different ways to properly address both. Data security focuses on the technology and tools required to deter cybercriminals from getting their hands on your information such as social security numbers, credit cards, accounts, etc.

Data protection means complying with local and international laws and standards to ensure that the personal and sensitive data businesses collect and process is handled lawfully. While data protection can be achieved with good data security, it also needs organisational measures, like privacy policies, governance, training, etc.

The race to digital transformation is a vital one — it brings agility, cost-effectiveness, and longevity to both traditional and disruptive businesses. However, it is not one that can happen independently of a revised focus on data protection and security.

Attention to these two distinct yet related areas will provide businesses with the time needed to revisit established data practices, and ensure data access, security, and compliance — all with a view of providing a better service to customers.

 

Rishi Maharaj is the Executive Director of the EquiGov Institute, a boutique consulting firm specialising in Data Protection, Governance, Transparency and Monitoring and Evaluation. He has fourteen years of experience working in the public sector of Trinidad and Tobago and Civil Society organisations. 

From 2005 to 2012 he was the Senior Officer in charge of administrating the Freedom of Information Act as well as providing technical advice in the passage of the Data Protection Act in 2011. Mr. Maharaj is a certified member of the Canadian Institute of Access and Privacy Professionals and the International Association of Privacy Professionals.

Feel free to email us at info@equigov.com or rishi@equigov.com or call us at 1-868-461-4572 to see how we can assist you in navigating these unprecedented times.


1 Comment
Jessie Pinkman
3 years ago

p2p technologies are our salvation. Utopia ecosystem as a model of the new world.
