November is Retail Privacy Month
In their 2020 Cyber Resilience Toolkit for Retail, the British Retail Consortium noted:
“All retailers should have a cyber resilience strategy, which must take account of business and operational imperatives. They must understand the systems and processes that are crucial for the business to function and which data is their most valuable asset, and use that to inform their approach. The strategy must not be limited to IT but expanded to cover issues such as – if there were a breach, who would talk to customers and the media; how would the financial position be kept healthy; who would engage with the regulators; and what could the longer-term effect be on the business?”
They emphasize the role of the Board and suggest the following elements as part of the Board's role:
Having a solid cybersecurity program with senior management support is a great launching pad for the privacy program. Protecting all data, systems and networks is foundational to implementing privacy protections.
Boards and business management need to be educated to realize that once data is collected, it cannot simply be used at will, let alone abused. Customer data has to be used according to privacy regulations and protected at all times. E-commerce, consumer expectations, and data are changing retail and opening up new opportunities for cybercriminals every day. In the event of a successful breach, share prices can collapse by over 7% on average, sometimes much more, but far less when early appropriate action is taken. The cost of prevention is less than the reputational and financial cost of recovery, so the fewer occasions on which recovery is necessary the better.
A culture of risk awareness allows staff from various departments to recognize and raise the alarm when they believe data protection practices are not being followed.
Does your business know what its sensitive and business-critical digital assets (e.g. customer data, payment systems) are and how to protect them?
Talking to the board about risk management and risks to the business's strategic goals needs to happen in tandem with business resilience and continuity. Your board and the CEO are responsible for protecting the information systems:
a) to their shareholders
b) to their customers
c) to comply with certain privacy and other laws.
By providing them with solid, decision-making facts about the risks in the organization, you are supporting their mandate of accountability on behalf of the business and the customers.
Having a strong risk management program that includes vendor management allows retailers to focus on what they do best: “give customers what they want, when they want it”.
At Managed Privacy Canada we encourage organizations to conduct multi-team enterprise privacy and security risk assessments annually, and to carry out additional risk assessments whenever new business models or data models are being pursued. We encourage retailers to think about data protection as an umbrella of cybersecurity and privacy-protective strategies. Our approach to practical privacy begins with your free 20-minute consultation. For more information, visit www.managedprivacy.ca