A guide to guard sensitive data

by Mark Rowe

The biggest roadblock to meeting privacy regulations is communication, writes Lecio de Paula, Jr., Director of Data Privacy, at security awareness training company KnowBe4.

Privacy has taken the world by storm in recent years, resulting in important changes in how we view and protect data. The formation of the European General Data Protection Regulation (GDPR) created a domino effect, prompting countries around the world to implement their own laws and regulations; Singapore has the Personal Data Protection Act (PDPA), while individual US states have begun to adopt their own data privacy legislation, with California flying the torch for the California Consumer Protection Act (CCPA).

As the number of cyberattacks increases in 2019 compared with a year ago, governments and organisations are in the firing line as they do their best to protect the millions, if not billions, of personal data records held on their citizens. Unfortunately, the first half of this year alone has seen 4.1 billion records stolen. With the introduction of these data protection laws, which are intended to give control back to the individual, we will see better security of sensitive data.

Many people assume these newly formed data protection regulations are just privacy laws when, in actual fact, they are so much more. As their names imply, they are data protection regulations, so by default they encompass both privacy and security. These laws are explicit in what organisations MUST do in order to protect the confidentiality, integrity, and security of personal data, as well as how personal data is to be used. The GDPR, for example, provides a list of minimum technical controls that need to be implemented, and the governing body known as the European Data Protection Board (EDPB) provides even more guidelines on how organisations are to protect personal data.

However, what has been observed over the past few decades is that privacy and security have been handled as two separate entities. This is not to say that privacy and security are the same, because they differ in many aspects.

Security is about implementing the appropriate technical controls, such as multi-factor authentication, strong encryption, and logging, in order to protect the data. Privacy boils down to how that data is stored and accessed, how its confidentiality is maintained, and ultimately how the data is used.

They may not be two peas from the same pod, but privacy and security are certainly from the same branch and you can’t have one without the other.

To ensure the survival of the business, it’s vital to promote collaboration between the staff who handle privacy and the staff who are responsible for security. The main objective of this practice is to know how data is being used so that the appropriate security controls can be applied. These are just some of the requirements of the newly introduced data protection laws. Failure to meet these standards and implement appropriate controls will result in fines and other sanctions that could run into the millions.

This old way of thinking that has resulted in organisations looking at privacy and security separately will not suffice in today’s volatile cyber climate. Instead, a harmonised relationship between privacy and security is required. It may be initially difficult for organisations to adopt this new mantra, but security and privacy need to work closely together to ensure the business is secure, complies with the law, and maintains the trust of consumers.

This responsibility isn’t left to the Data Protection Officer (DPO) or the Chief Information Security Officer (CISO), or any one individual – it needs everyone from all departments in the company to pull in the right direction to be effective.

Here are just some of the data protection duties the various departments in a company will have; they span privacy, security, and legal.

Human resources: responsible for training employees and ensuring Data Protection Notices (also known as privacy policies) are signed off on.

Engineering: implements Privacy by Design (PbD), ensures users’ privacy is guaranteed, and follows secure coding practices. They also create data subject access request tools.

Marketing: responsible for ensuring web pages are compliant and are collecting data in accordance with the Data Protection Notice.

Legal: takes into account data processing activities of the company, creates contracts, terms and other legal items that provide privacy and security protections.

Security: ensures the products are secure, manages third-party vendor risk, and sees to it that internal processes are secure.

Privacy: collaborates with all departments, performs audits, creates policies, ensures privacy contracts are in place, and ensures that the organisation is compliant with the law and its policies.

Whenever personal data is acquired, stored or used, it’s good practice to check that data protection principles are being followed at the beginning of a campaign to ensure compliance is being met.

This is by no means a definitive list, but it should be used as a starting block and a guide to what processes need to be evaluated to effectively guard sensitive data. It’s not uncommon for most departments in a company to encounter critical data, which is why it’s pertinent that these employees are provided with effective training on how to handle personal data. When it comes to protecting data, it only takes one slip-up to sink the ship, and nobody wants to be responsible for their company having to pay millions in fines. By educating the workforce, the company can build its resilience, which in turn will result in a drastic decrease in privacy and security risks.