The changing global cyber security and data privacy landscape is driving a demand for compliance and IT specialists with the relevant skill-sets. The need for businesses to implement data and cyber security programmes is growing rapidly, driven by the actual risks and increased legislation around the world.
This has been highlighted by a number of high-profile hacks and leaks over recent years – organisations including Marriott, British Airways and Capital One bank have all been hit. Here in Hong Kong, Cathay Pacific suffered a high-profile data theft in October 2018, when the personal information of over 9 million people fell into the hands of hackers. And the effects of data breaches can be far-reaching: companies risk not only being fined, but can also see their reputation severely damaged and their share price falling.
Such leaks – and the growing legislation to try to prevent them – are making companies take the matter seriously. A survey by the IT analyst company Enterprise Strategy Group found that a large majority of businesses they questioned planned to increase spending on cyber security. All this points to more opportunities for legal, compliance, and risk professionals – especially those with strong IT skills and understanding.
Organisations now risk being given significant fines and penalties for not following laws and regulations on data protection. And the legal framework is becoming ever-more complicated. For example, certain elements of the European Union’s General Data Protection Regulation (GDPR) are extraterritorial, meaning they can affect businesses located outside of the bloc.
According to the International Association of Privacy Professionals, the introduction of GDPR in 2018 meant more than 28,000 Data Protection Officers would need to be hired in Europe and the US alone.
In Hong Kong, the government last year proposed significant changes to the Personal Data (Privacy) Ordinance (PDPO). These include provisions for the Privacy Commissioner for Personal Data to be able to impose direct administrative fines and regulate data processors; a mandatory data breach notification requirement and a data retention policy requirement; an expanded definition of personal data, and provisions to regulate the disclosure of personal data.
Because compliance and risk are part and parcel of the same thing, many organisations are introducing governance, risk management and compliance (GRC) programmes to help improve information sharing among the three disciplines. Real-time cyber risk management can also help businesses better monitor and manage their compliance initiatives.
Just as risk assessments are used in other areas of cyber security, when implemented in compliance, they can raise awareness of the potential for a data incident and its effect. Board members and executives then analyse these risks and make mitigating decisions based on their assessment.
The compliance aspect of GRC defines how an organisation conforms to internal and external requirements. The management, having identified the relevant requirements, can then examine the role of legislation, industry regulations and their own company policies. Measures are then introduced to assess the state of compliance.
The changing global regulatory frameworks – and ever-more sophisticated hacking attacks – have also led to a rise in cyber security compliance consultants. Such companies often offer not just advice on meeting the required laws, but also technical help on keeping personal data safe and preventing hacks. Again, the growing number of such firms creates a demand for the relevant compliance and IT specialists.
Overall, there is a growing global awareness of the risks involved in cyber and data security. This, together with the increasingly complex legal frameworks involved, means there will be a continued need for talented professionals with the relevant skill-sets.
VIVIAN CHEN, Ashford Benjamin Ltd.