Cybersecurity Conversations: Make Data Privacy and Security A Top Priority in 2020
January 28, 2020
January 28 is known as Data Privacy Day, an initiative developed by the United States and Canada that extends Europe's Data Protection Day. Data Privacy Day raises awareness of the importance of privacy and promotes privacy education.
Data privacy issues don’t just arise from shopping online or having social media accounts. With the sharp rise of the Internet of Things (IoT) devices, such as wearable technology and smart appliances, organizations have access to more personal data than ever before. Enterprises must also protect themselves when their networks are accessed by potentially insecure or unprotected “consumer devices”.
Since the enactment of the General Data Protection Regulation (GDPR) in May 2018, there has been an increased focus by enterprises to ensure that the personal data provided by their users is minimized and protected.
According to a new study by DLA Piper, since GDPR came into effect, more than 160,000 breach notifications have been reported and data protection regulators have imposed fines of up to $126 million under GDPR.
In fact, Facebook’s Cambridge Analytica scandal in 2018 served as a catalyst to spur conversations on the importance of digital privacy regulations on a global scale. Shortly thereafter, the California Consumer Privacy Act (CCPA) was introduced and as of January 2020, is now in effect.
Given these recent events, data privacy should be a key conversation for all businesses this year, specifically regarding the differences between data protection and data privacy.
Data protection is a subset of data privacy: it focuses on the tools and processes organizations use to protect data, which largely makes it the organization's responsibility to limit access to that data. Data privacy, by contrast, is the regulatory framework that defines how a user can manage the sharing, use, and distribution of their personal data, and the obligation of organizations to collect and use that personal data only in a manner consistent with the purpose for which it was collected and with the applicable legislation.
So, how can organizations work to safeguard the personal data they have access to? Here are some recommendations from Herjavec Group:
- Be transparent about how your enterprise will handle personal data. Have a page on your website that details how you collect data, where you store it, how you protect it, and most importantly, how you plan to use it.
- Conduct a 3rd party risk assessment if your business relies on external partners. A number of cyber attacks have leveraged lax security controls of 3rd parties to indirectly target the organization using those 3rd parties.
- Protect the personal data you collect. If you collect personal information of your users or employees as a result of their use of your product or service, prioritize protecting that data.
- Perform a Privacy & Compliance assessment on a consistent basis (at least yearly) to ensure that your enterprise follows any compliance directives that may impact it.
- Invest in a Security Information and Event Management (SIEM) tool and leverage 3rd-party Managed Services support to streamline data logging, correlation & threat intelligence gathering.
- Assess the effectiveness of your existing security controls, particularly when it comes to storing, processing or transmitting data, to determine where you are most vulnerable to cyber attacks.