I recently received an email from a major corporate organization advising me that my personal data may have been breached – but not by them. The organization used the services of Melbourne-based PageUp People to manage its recruitment processes.
PageUp collects and processes personal information such as names, addresses, phone numbers and much more – everything you’d supply when applying for a job with a major corporate organization. I provided my information when I applied for a job at that organization – and I’d completely forgotten about it.
In late May 2018, PageUp detected “unauthorized activity” in its computer systems. PageUp acted promptly in declaring the data breach and has engaged security experts to help resolve the situation.
Prior to the introduction of the Notifiable Data Breaches scheme (NDB) in Australia on February 22, some organizations might have sat quietly on bad news of this nature, but, with some 55 breaches declared in the latest quarterly statistics from the Office of the Information Commissioner, it does seem that transparency and openness have been improved.
Unfortunately, in situations like mine, the damage is done. Regardless of what information has been accessed and how it might subsequently be used, an incident of this nature is not just a breach of security, but of the confidence and trust of clients, past, present and future.
In the PageUp situation, major corporate clients have warned prospective job applicants about the breach, with some suspending use of the service. The average cost of data breach per organization estimated to be around USD $3.6 million.
And there’s potentially worse news to come with the obligations placed upon organizations to protect personal information (PII) under the new GDPR legislation. In Australia, the right to access and correct personal information was introduced in the Australian Privacy Act 1988 (Cth) (“APP”).
So, it’s safe to assume that we’re becoming increasingly better informed about our rights to access our own information than ever before, and that we’ll start exercising them as situations like PageUp People continue to be exposed under the NDB spotlight.
The business process around assessing, collecting, cleansing and providing information will be complex, time-consuming and expensive and it will not scale well for many organizations. According to the International Association of Privacy Professionals (IAPP), subject access requests were among the top three most difficult GDPR obligations for those surveyed, specifically, data portability, followed by right-to-be-forgotten requests and gathering explicit consent.
Let’s look at a hypothetical situation. Your organization collects and/or processes PII belonging to 100,000 individuals. Of those, say 1% decide to exercise their new rights under GDPR or Australian Privacy Law, and request a copy of their PII. That information is stored across a typical range of systems including marketing, sales, fulfilment and support, and a shared content repository.
How long would it take, and how much would it cost, for someone to collate, redact, and provide the information to the requestor, redact it, and provide it back to the requestor?
The ideal solution will be a blend of good process, competent and skilled people, and appropriate technology. Let’s break these down and take a look at what’s involved.
What Would the Process Look Like?
From the moment an access request is received, the clock starts ticking. You’ll have one month to respond to the request.
A helpful approach to this situation is to understand where PII is stored, and what business processes exist around it. An initial data flow and process mapping exercise could provide this information and act as a guide for the collection process.
Potentially, many different roles, including system administrators, information architects, security officers, legal counsel, and project managers, could be required to play a part in a subject access request. These people will need to know what they’re supposed to achieve, understand the parameters within which they will perform the work, and have the necessary skills and competencies to undertake the work.
Therefore, a training program may be needed to ensure that the request is met within the obligations of the law, whether European or Australian.
Using the Right Technology
The right technology can help the process to scale and reduce business risk. For example, the business processes that you’ll need to follow might lend themselves to automation.
You may already be using the Nintex Platform elsewhere in your business, and the same platform could be used to automate your subject access process.
Nintex Forms can be used for entering information about the request, while Advanced Workflow can automate the review and approval components, and retrieve the information from your CRM, email, or document management systems using connectors.
Nintex DocGen then can go into action to automatically generate documents with the information. Nintex Process Intelligence can also analyze the effectiveness of the process and provide an audit trail.
If an organization has legal obligations, they must meet them or risk facing penalties. Regardless of how big and complex the problem is, approach it one bite at a time.
Empired can help you make sense of this complex technology landscape, achieve your business objectives and meet your compliance obligations by delivering the business outcomes you need. You can start with a quick, high-level assessment to determine where you are, where you need to be, and how to get there.
Improving data compliance procedures is an involved process, but the investment is much better than dealing with the cost of managing a data breach. It is better to build customer trust and your clients will thank you.
Interested in trying the Nintex Platform for yourself? Try it free for 30 days!