Introduction
Data privacy is a principal statutory right in the European Union and in most countries all over the world. Due to increasing digitalization, interconnected, mobile and virtualized business, artificial intelligence, big data and customer tracking, larger volumes of data are produced, analyzed and exposed to threats and misuse. Data and information systems face increasing privacy threats from a wide range of sources, such as human curiosity, employees’ actions, computer-assisted fraud, cyberattacks, phishing, sabotage, theft, fire or infrastructure incidents. Ponemon's survey found an increasing likelihood of data breaches and estimates a 27.7% probability that an organization will suffer a data breach in the next two years (Ponemon, 2017). A data breach may result in physical, material and/or non-material damage, such as damage to reputation, loss of customers (Martin, Borah & Palmatier, 2017), cost of mitigation and recovery, reduction of share price, discrimination against the person concerned and other significant economic or social disadvantages. Thus investors, boards and customers, as well as laws and authorities, demand an ongoing higher level of data privacy. The clients of 90% of participants in a worldwide survey are concerned about the privacy of their data (Harvard Business Review Analytic Services, 2017). Most modern corporate governance guidelines make the board, and specifically the CEO, responsible for the well-being of the organization.
The new EU General Data Protection Regulation (GDPR) 679/216 (EU, 2016) imposes stringent legal requirements, with administrative sanctions for noncompliance of up to the greater of 4% of the total worldwide annual turnover or €20 million. It also offers great opportunities for enterprises: by harmonizing a major part of the data privacy laws in the different EU countries, by driving new needs for services, IT systems and digitized products in order to fulfill the enhanced data privacy requirements, and in other ways. The EU estimates €2.3 billion in economic benefits from having one harmonized law (http://ec.europa.eu/justice/smedataprotect/index_en.htm). After May 25, 2018, it affects any enterprise doing business in Europe, together with its suppliers at all levels, and all organizations worldwide which process data that can be used to identify, directly or indirectly, natural persons in Europe. 85% of responding organizations in a worldwide survey expect to be affected and 42% expect significant impacts (Harvard Business Review Analytic Services, 2017). Thus, for 81% of surveyed organizations, data privacy and security have become a high priority (Harvard Business Review Analytic Services, 2017). Data privacy, the availability of all essential assets, confidentiality, data integrity and legal and regulatory compliance are central to organizations’ success (Bélanger & Crossler, 2011; Da Veiga & Eloff, 2007; Sowa, Tsinas & Gabriel, 2009; von Solms & Solms, 2009). This poses great challenges for small and medium sized organizations. They need a very efficient and functional approach, which can be smoothly integrated into their daily business.
More than 1.6 million organizations worldwide are implementing management systems based on international standards (e.g. quality ISO 9001, environment ISO 14001, information security ISO 27001, IT service management ISO 22000 and others) (ISO, 2017a). In order to promote an efficient integration of different standards, the International Standard Organization [ISO] released a common structure for all management system standards, Annex SL of the ISO/IEC Directives (ISO, 2013c).