It’s Time to Take Personal Data Protection Seriously
By Claudio Martinelli | Thu, 02/18/2021 - 09:20
The arrival of COVID-19 has given many companies the push they needed to undergo the digital transformation that the country requires. According to analyst firm IDC, e-commerce in Mexico experienced growth of up to 500 percent per week in the second quarter of 2020 due to social distancing policies.
In addition, the implementation of the US-Mexico-Canada Agreement (USMCA) seeks to encourage digital trade among the three countries, promoting consumer confidence and eliminating unnecessary barriers through a legal framework that supports safe operations. All of this indicates that digital sales will continue to grow in the country at an accelerated rate, including for SMBs.
These business models and commercial practices incorporate digital technologies that require the exchange of data from various sources. At the same time, data breaches continue to increase around the world. During the first quarter of 2020, the number of exposed records soared to 8.4 billion, a growth of 273 percent compared to the first quarter of 2019.
Furthermore, according to Kaspersky’s most recent Global IT Corporate Security Risk Survey, phishing attacks targeting customers are the main security challenge for companies in Latin America (44 percent of large companies; 41 percent of SMBs). As companies remain vulnerable to these types of threats, it is clear that the transition to digital is not an issue that should be taken lightly. In fact, the increasing dependency on all things digital forces companies, regardless of their size, to identify potential vulnerabilities and protect personal data.
When a company, whether small or large, suffers a data breach, it incurs various unbudgeted expenses: fines, purchase of new IT tools, hiring of personnel to repair the damage, in addition to the loss of business opportunities, due to either service interruption or reputational harm. However, beyond the damage to the business, companies have a responsibility to their stakeholders: customers, employees, business partners and shareholders.
To better understand this point, consider a scavenger hunt. In this game, several people gather a number of clues that will take them to the finish line. Many cybercriminals behave the same way, following small pieces of information that are part of a larger puzzle. The main difference is that, in the scavenger hunt, the matter will stop once the players reach the intended destination, while the information in the hands of a cybercriminal will have serious repercussions that can range from adding your email address to the databases used for phishing or targeted attacks for financial purposes, to committing crimes such as identity theft. The management of personal data then becomes a matter of corporate responsibility.
We cannot deny that there have been important advances in this matter. In Mexico, the Federal Law on Protection of Personal Data Held by Individuals governs how personal data is managed, including its acquisition, use, transfer and storage, granting the individual the rights to access, rectify, cancel or refute this data. Thanks to this legislation, companies have made progress in being transparent about the data they collect, thus giving their customers or users greater control over it. At the same time, the same survey also revealed that data protection continues to be the main concern for businesses of all sizes for the fourth consecutive year, ranking as the most worrisome for 64 percent of decision-makers throughout Latin America.
Although it is encouraging to learn about the advances in transparency and that data protection is a priority for companies, there is still a lack of maturity in the strategies to protect it. For example, it is striking that 42 percent of companies invested in IT only after experiencing a security breach when, had they done so earlier, they could have prevented it.
The first step in adopting best practices for the protection of personal data begins with the evaluation of the processes related to the collection, handling and storage of this information. This analysis is key to defining priorities and next steps. The second step relates to the analysis of the infrastructure to guarantee the integrity of the information. Based on these two steps, the appropriate policies and technologies can be implemented to promote the correct use and protection of the information. Cybersecurity training for employees must also form part of the strategy to promote safe online habits and reduce risks.
Overall, I am certain that advances in digitalization at companies nationwide will bring forth new opportunities and will undoubtedly contribute to the economic recovery that is so necessary at this time; however, this cannot happen at the expense of others. Ideally, companies will think about data protection at the same time they are defining their business model and developing technological solutions, as this is the only way to guarantee everyone’s privacy and security.