Kevin Tunison, Data Protection Officer, Egress Software Technologies
Wherever you may be in improving your organisational data compliance initiatives, there’s one truth that will always persist: you cannot anticipate with 100% certainty where the next emerging risk will stem from. (If you can, please get in touch!)
However, there are plenty of effective ways we can uncover hidden risks within our organisations. So as a DPO, where do you start? I think supply chains and departmental communications are as good a place as any – and I’ll share some practical examples on how you can get started.
Initial documentation
Let’s side-step the business cases and organisational buy-in for a moment – I’ll come back to that. For me, in my roles as a CISO and DPO it has always been important to get an initial assessment of the state of the present. You need to understand what you have in terms of data assets and vendors then build out from there.
This gives you a solid baseline to make some initial subjective decisions on where risk may exist in your organisation. It’s also a good place to make use of a corporate risk register or for smaller businesses to create one. Having these buildings blocks now will give you the opportunity to map back into any business processes.
For mature organisations that already have their processes documented, this will be a big help. If you don’t, there are many providers in the marketplace that can help automate a lot of these efforts. You’ll then need to start accounting for your most valuable (and at times most risky) resource: your employees.
Data flow within your organisation
No matter how well all the above documentation is done, the organisational culture will – pardon the cliché – eat that up for breakfast. Having confidence in how your staff handle data (despite the training, policies, engagements, and any other initiatives you may have) will still not tell you where your data flows in practice.
Knowing how data can flow into, through, and out of your business is going to give you a tremendous amount of insight. It might also give you some sleepless nights when risks start to present themselves.
Do newer joiners to your organisation engage with departments and suppliers in the same way? Have supplier relationships built up with specific staff? Is there due diligence with a potential buyout or customer? Answering these questions will help you to understand who the primary vendor contact and business process owners are.
As part of your employee engagements, you’ll also want to ask them how they work. Is it mainly via email? Or via spreadsheets on a shared drive or in the cloud? What apps do they use for instant messaging? Your list could contain several different communication channels.
It’s then important to ask how those activities relate back to your vendors and products. You’ll get an insight into the reliability and security of your vendors and products in practice. As a result, you grow your understanding of risk in the supply chain.
Organisational buy-in
It’s worth being mindful of seeing risk as something to be addressed by a new/different product, or through adding an additional product from existing well-intentioned suppliers. Be careful of taking this approach because there can often be blind spots that you have yet to discover.
Moreover, you will have just become a stakeholder influencing other budget holders in your organisation. Now you could find yourself sharing responsibility for aspects of the business in a way that is not realistic.
Which comes back to the discussion of business cases and organisational buy-in. You have blind spots. We all do. The most challenging aspect is you will not know how big these risks are until they are discovered.
Suggesting improvements or products will always be met with a healthy dose of challenge. So, what if there was a way to better surface where these risks are hiding?
New ways of discovering risk
Email is the go-to communication channel for most organisations. It’s also one of the most common sources of data breaches. During those employee engagements or internal audits, you’ll likely have seen a healthy amount of email communication between your employees. This can give you a good idea of which teams and departments are collaborating.
You should also examine communication with your suppliers, business development reps, and external parties such as financial auditors and legislative bodies. How often do your suppliers request and get granted access to your systems? Are departments aware when they do?
Without detailed analysis of all email and systems, it would be extremely difficult to surface these blind spots. Now you might be thinking at this point, would I even want to surface that? A CFO may not respond well to learning their department externally shared sensitive financial information by unencrypted email!
Of course, the simple answer is yes, you do want to discover these incidents. Operating in transparency is justification enough. But so is doing the right thing, even if that involves difficult discussions.