Today is Data Privacy Day. Businesses and individuals around the world recognize January 28 as a day to raise awareness about data privacy challenges and reiterate data protection best practices. One of the things that is still often missed, though, is that it’s not realistic to approach data privacy from a militant perspective—you have to view it with nuance and find the right balance between security and privacy, and the convenience you get in exchange for sacrificing some of it. Companies also have to consider the purpose and value of their data and weigh that against the technical and compliance challenges of protecting it.
Recognizing Data Privacy Day
“Data Privacy Day, like many of the new man-made holidays, can come across as a day dedicated to marketing fodder,” explained Stan Christiaens, Co-founder and CTO of Collibra. “However, this does not mean the root message behind the day is not valid. Considering past scandals and the massive political events to take place this year – the 2020 elections and Brexit finally happening (?) – this is a perfect time for businesses to stop and reflect on how they can improve their compliance and data privacy strategy. Consumers increasingly care about privacy, and they do vote with their wallets.”
While we’re at it, it’s also worth noting that data privacy should be a concern beyond cybersecurity circles. Phillip Dunkelberger, President and Chief Executive Officer of Nok Nok Labs, emphasized, “The data privacy discussion is often isolated to the technology industry, when really it ought to be a national imperative. With just 10 months before the 2020 elections, candidates should be more aggressive about data privacy, building it into their platforms alongside other key topics like immigration, tax reform and more. For candidates to be taken seriously, they will need to demonstrate a deep understanding of privacy concerns that impact everyday citizens. Voters should be evaluating potential candidates on how willing they are to put privacy at the forefront.”
Ethical and Compliance Challenges of Data Privacy
Brian Vecci, Field CTO for Varonis, stressed, “Consumers need to be vigilant but also need a basic set of online rights. The GDPR is a great starting point for such a bill of rights. Consumers should have the right to know what data is being collected and used, the right to have their data deleted when no longer needed or when they ask, and that companies take common sense precautions to keep that data safe. Online giants shouldn’t be able to just grab your entire social network through your contact list without specific permission, and companies like Facebook need to face stiff penalties when they do it. Without basic consumer protections that lead to real penalties, this kind of thing will continue to happen. And while financial penalties are a good disincentive, unless there’s real legal teeth behind the regulation, these companies will continue to search for ways to do things the easy and cheap way.”
“We see companies across all industries struggle with the implementation of proactive data privacy practices and policies. GDPR, the recently introduced California Consumer Privacy Act (CCPA) and other regulations in the works are designed to punish those organizations that are handling personal data with negligence,” declared Darrell Long, VP of Product Management for One Identity. “These regulations require organizations to demonstrate the implementation of proper data protection practices. The reality is that privacy begins with identity management. Though the concept is simple, companies that fail to implement practices such as identity governance & administration and privileged access management are considered negligent and thus exposed to higher fines and stronger punishments.”
“One of the biggest challenges for companies dealing with data privacy regulations is understanding where all the data is and knowing the systems that house that data,” cautioned Myke Lyons, CISO at Collibra. “Specifically with CCPA, a single individual can actually take legal action against a company for every single incident (for example, sharing an email, full name, address, etc.) for damage caused by a breach. Therefore, taking a sloppy approach to data privacy can be costly. Companies must have a proactive plan in place, especially as more regulations are introduced beyond CCPA. By employing a Data Intelligence strategy and understanding what data you have, how to protect it, and how to use it, organizations can best face the challenges associated with data privacy and compliance targets with more agility in the face of future regulatory change.”
Long added, “We currently see many companies playing catch-up with new regulations, working to implement the right security tools and practices after a breach. Hopefully, Data Privacy Day becomes a good initiative to remind companies to think ahead and maintain a proactive stance on privacy before a cyber incident occurs.”
Balancing Data Privacy and Convenience
We expect—and hope—that the companies we trust our data to will take that responsibility seriously and do everything in their power to protect it. Not every company will, though, and it is up to individuals to be discriminating about the apps and services they use and vigilant about where and how personal information and sensitive data are shared.
Dan Pitman, Principal Security Architect for Alert Logic, recommends keeping business and personal information separate as much as possible. “This can be as simple as remembering to use personal emails and other contact details for personal online activities and work details for work activities.”
“Modern workers — regardless of whether they are formal employees or temporary contractors — don’t want IT monitoring everything they do on their devices,” proclaimed Michael Covington, VP of Product for Wandera. “Our research shows that 50% of all data usage on mobile devices can be attributed to personal content; that statistic is consistent on company-owned devices. Given the natural mix of personal and business activity that can occur on a smart-device, businesses are constantly adapting the ways they approach mobile security, and the consideration of employee privacy is becoming a major factor in this ongoing process.”
“Looking at how businesses can improve, the answer is simple: don’t be lazy, pay attention and ask questions,” noted Collibra’s Christiaens. “Claiming not to know and remaining ignorant on the main issues behind privacy and compliance is no longer an excuse. Taking the road of least resistance and doing just enough to comply is simply the wrong attitude towards doing businesses in the 2020s. We are way past the point that yet another checkbox on your website is sufficient. Data is the lifeblood of any organization and if it is not protected and monitored correctly, it can cripple an organization. Instead of thinking of CCPA as an extra annoying daily exercise you have to do to comply with a new fad diet, it should be thought of as a fundamental health concern to keep your vitals in check. And remember, boards will measure those vitals.”
Wandera’s Covington summed up, “Like with so many things, moderation is key – there is always a balance to be found and both the user and the company are responsible for finding it. Users need to understand that in order for company assets to be adequately protected, they need to get comfortable with security solutions being present; sometimes privacy requires the user to carry the burden, by using a separate device for personal apps. While IT team needs to understand and respect the privacy of the user by only collecting the information that is absolutely necessary to deliver protection.”