It’s International Data Privacy Week, so let’s talk privacy! With increased focus on data privacy (there are now data protection and privacy laws in effect in 144 countries and eight additional US state privacy laws going into effect this year), we wanted to highlight the intersectionality between data privacy and our normal focus area, cybersecurity. Data privacy is becoming a more important component in everyone’s daily lives – according to a KPMG survey, 86% of consumer respondents indicated that data privacy is a growing concern for them. Additionally, 48% of consumers reportedly stopped using a service over privacy concerns. This is evidence that consumers want to feel safe and know that their data is secure.
With the increasing digitization of everything that we do, regulators have been trying to catch up and set forth regulations to protect individuals’ privacy. These data privacy regulations were primarily born of the need to provide individuals with more control over their personal data and, critically, establish requirements to protect that data. Frequently, companies can make improvements that achieve both privacy and security goals.
We are going to highlight a few topics on which improvement contributes to both greater control over security and compliance with the privacy regulatory landscape.
1. Take control of your data.
As we mentioned in our Shadow IT article, it is difficult to protect what you don't know is within your network. This concept is also relevant to meeting data privacy obligations. If you don't know what personal data you collect, use, and store, you won't be able to protect that personal data from an intentional or unintentional data breach or determine what obligations apply to it. For example, organizations that use tracking pixels have suffered legal consequences and lost trust with consumers because they did not understand the breadth of personal data collected using tracking pixels – especially relating to the collection of sensitive health data. Since they failed to understand the data collected, these organizations did not put in place controls that were commensurate with the sensitivity of the data that was collected (e.g., obtaining consumers' consent or limiting the sharing of that sensitive data).
Furthermore, understanding the personal data your organization collects is fundamental to maintaining compliance with privacy obligations. In many jurisdictions, organizations are required to maintain a formal record of data collected and complete privacy assessments that weigh the personal data collected and the use of that data against the privacy rights of an individual.
2. Share data responsibly, particularly when evaluating vendors and services.
By utilizing new software, applications, or services to process your data, you expand your attack surface and introduce new ways a threat actor can steal your data. Therefore, you should be confident the vendor is committed to protecting your data before utilizing their software or services. From a security and privacy perspective, you should – at the very least – evaluate (1) the technical and organizational measures the vendor and their systems have in place to protect personal data and (2) the limitations and commitments they make in using your data.
With the prevalence and potential uses of AI tools and services, it has become increasingly important to assess how those tools (and vendors) are using data and respecting consumers’ privacy. It is important to understand if personal data – especially sensitive personal data – will be used for training any AI system. There have been concerns that AI tools can be influenced through prompts by a bad actor to leak personal data, and before implementing an AI tool or service, you may want to better understand what controls are in place to prevent inadvertent data leakage. The answers to these questions help show whether the AI system and vendors are going to protect and respect the data that you share with them.
3. Implement privacy and security by design.
Instead of reacting to privacy and security issues, organizations can adopt a more prospective approach to protecting personal data through a concept called “privacy by design”. It is a well-known concept in the privacy space, and organizations can take the following approach into consideration when reviewing their security program as well:
- Take a proactive, preventative approach to anticipate privacy risks and address them;
- Implement privacy as a default setting within your services and processes – limit collection and storage unless a consumer opts in to sharing more;
- Embed privacy as an essential aspect of technologies and business operations – start the design process considering data privacy;
- Ensure full functionality of services and processes – no need to make trade-offs to achieve privacy and security goals;
- Secure data when processed by your organization or its vendors through the entire lifecycle;
- Be transparent with clear and accurate information regarding data collection; and
- Respect the interests of the individual by keeping the services and processes consumer-centric.
4. Respect consumers.
Privacy is synonymous with trust, as it shows customers that you know the importance of appropriately handling and safeguarding their data and that you are committed to respecting their rights. Consumers expect a seamless, customized experience when using a service, purchasing a product, or interacting with a website. All the while, businesses are collecting troves of data to provide their services and develop new and innovative products. Each business must harmonize its interest in developing and delivering its services with the rights and interests of the consumer.
Challenge the decisions you make by asking if there is a way to achieve the goal without impacting the consumer. Take stock of how you collect, use, and store personal data and be transparent with consumers about your practices. Evaluate if any of your practices would undermine the trust and loyalty of your consumers. Lastly, treat privacy and security as an enabler, not a hindrance. Use it as a way to demonstrate to consumers that you value their business and value them as people.