When risk management gets personal

In today’s data-focused, techno-reliant world of consistent connectivity, issues relating to privacy loom large for every single business across the globe. So how should Asia’s risk managers approach the mitigation of privacy risk?

The head of security management, security transformation and privacy in Deloitte Australia’s cyber risk services practice Gavin Cartwright suggests that risk managers must first ask whether personal information is involved in a particular project or business change.

“From there it is a case of asking: what type of personal information? How much personal information?” he adds.

Cartwright says these questions are about quantifying the volume of privacy risk.

“Is this project internal only, with a really small user set, or is it a project that’s going to put in place such an online portal where consumer information could be accessed via the internet?” says Cartwright.

“So from quantifying this personal information you move along and you start working out ‘what is the size of this risk?’.”

While there is a need for risk managers to be involved in privacy risk considerations from the outset of business change, the head of the Deloitte’s risk services security team Tommy Viljoen says risk manager should also look at past ventures.

“From a risk management perspective, it is about doing a bit of an inventory across the organisation of where is the private data – where is it being held? How is it being used?” Viljoen says.

“We are seeing a lot of organisations undertaking those sort of inventory assessments of private data to catch up with the rest of the organisation.”

Viljoen explains that in the past, privacy has been treated as something organisations have had to manage from a compliance perspective.

“In this day and age, where we have got so many devices that we are using as individuals, and where organisations are scrambling to digitise and provide new ways of connecting with us, that volume of information has grown exponentially,” he says.

Viljoen says companies are no long just trying to comply with privacy requirements, they are trying to excel on privacy issues so they can build trust with clients.

“Trust and transparency go hand-in-hand, so we really are seeing a new approach by organisations to dealing with privacy, and certainly a new approach from those that are leading the pack,” he says.

“The focus is moving from how do we preserve our brand to how do we enhance our brand? Privacy is no longer just a compliance issue; it’s a lever that organisations can pull to really build that trust with individuals, with the consumer.”

‘Scrambling to innovate’

Cartwright says that the filtering of business change and projects through a project management function involving the risk manager has increased in importance due to the privacy risks inherent in today’s technological landscape.

“It’s really important that awareness [of privacy risks] is amongst everyone and not just relying on that [project management] funnel to capture any personal information changes,” he says.

Deloitte cyber risk services team member Marta Ganko adds that organisations currently are “scrambling to innovate”.

“There is so much technology that’s out there: cloud software, [new] social media sites appearing pretty much on a monthly basis and they are all trying to adopt to compete with their competitors obviously,” Ganko says.

“So during that ‘time-to-market’ to push that new product or that new service out to their consumers, one thing that also needs to be considered is making sure that the privacy concerns of those consumers have been considered upfront before that service or product is released out to market.”

If, for example, an organisation is going to start storing consumer data in cloud software in an overseas country, Ganko says it must be mentioned in the privacy policy. “Do consumers know that is going to occur?” she asks.

Cartwright points to the specific example of mobile apps, specifically when there is a demand for these to reach the market quickly, even if there are some bugs in the initial offering.

“Those bugs could potentially be a security issue, they could be a privacy issue whereby it seemed great at the time because they are going to collect some information about browsing habits but they have not thought through that, actually, if you go back a couple of times in a certain sequence you can suddenly see the last person who visited the site,” he says.

“That speed-to-market gets the focus of people from an innovative perspective and it does not always cover all of the privacy issues in that initial design.”