Give information governance same priority as corporate governance
With the Data Protection Act (DPA), 2021 set to come into effect in a couple of days, a number of players in the information security space are moving beyond hoping that companies will include more information technology (IT) professionals on their executive teams, and are now recommending that organisations give information governance the same priority as corporate governance.
While the DPA recommends that businesses hire a data controller to ensure their compliance with the Act, it does not specify whether that individual should be hired on a permanent basis, engaged as a contractor, or whether the role may be outsourced.
In this regard, Chukwuemeka Cameron, a lawyer and head of the consultancy Design Privacy, pointed out that, “There is a responsibility or obligation imposed on companies to build out how they secure the personal data of individuals, and that is where you have [the interplay] between information security and data protection [begins].”
He further highlighted that it is imperative that corporates and their data controllers train staff members in how to handle data as well as how to report a suspected breach, as failing to do so is a criminal offence.
However, Norman Chen, CEO of tTech Limited, a leading IT services provider in Jamaica, pointed out that because data security has a number of layers depending on the size of an organisation, the strength of a company’s data protection will also depend on its corporate governance framework. In this regard, he bemoaned the fact that IT departments are not properly represented at the executive level in some organisations.
“Even today, we have a lot of companies where IT doesn’t even have a seat on the board of directors and the IT department sits under the CFO or somewhere else. But it’s so paramount because…in a lifetime your digital footprint has become so important, we have to look on all of that,” he asserted.
Cameron shared that this is one of the recommendations his firm makes to its corporate clients.
“…There must be a seat at the board level and it’s what we call or make reference to as information governance. So it’s not necessarily data protection or cybersecurity, but if it is that we accept that data is the new order, if it is we want to do this digital transformation, what we recommend to all our clients is that you have an information governance committee…similar to how you have finance and HR,” the attorney stated.
He added that once a company has created an information governance committee, the members “must then get the requisite training and that is where you start assessing the robustness of the company’s systems to withstand or respond to cyberattacks”.
Moreover, Cameron advocated for shareholders to also become aware of the importance of information governance and the negative effects of data security breaches on the company and its operations.
“If that’s [data security breach] going to be our biggest risk, how can we have a responsible board if you’re not acknowledging the risk or managing the risk?” he questioned.
On this note, he emphasised that there cannot be any disparity between how companies treat corporate governance and information governance.
For his part, Chen acknowledged that the passing of the Data Protection Act will catalyse a transformation in how companies treat data security. However, he noted that since the legislation is still at the incubation stage, companies will need far more regulation once it is in effect.
“[The] Data Protection [Act] is the start because boards are now asking about how you protect data,” the tTech CEO noted.
“But we will need more regulations…in terms of what type of controls your company has to put in place and as those regulations become more prevalent, companies won’t have a choice whether you’re private or publicly traded,” he continued.
On the matter of how the Act will impact private limited companies, Cameron explained that such entities should ask themselves whether they are prioritising making money and securing their revenues. He added that how companies treat data has implications for customer service, as it indicates whether they are being accountable and whether customers can trust them.
According to David Grey, deputy information commissioner, as part of the registration process for compliance with the Data Protection Act, entities are required to make full disclosure of the type of architecture they use to manage consumer data.
The men were speaking to Jamaica Observer reporters during a Business Forum exploring topics on cybersecurity and the Data Protection Act.