Privacy Day, or Data Protection Day in Europe, was instituted to raise awareness on the importance of upholding data protection best practice. The recent institution of privacy regulations such as GDPR and CCPA made organisations reflect on how they store and use consumers’ personal information across the board, marking a significant milestone in the way data is handled in the digital era.
Here’s what experts had to say:
Corin Imai, Senior Security Advisor at DomainTools:
The importance of data privacy in the global economy cannot be underestimated. Organisations of all size now spend untold millions on targeted online marketing and advertisements, and the ways in which this data is used remain extremely murky. What’s more, the increasing prevalence of online data has seeped into the political process in most mature democracies, as evidenced in the 2016 US Presidential election and the European Referendum in the UK. Encouraging people to take a more stringent approach to data security is an important step to make in cleaning up how both politicians and businesses use our data, making this awareness day extremely important to support.
Tim Mackey, Principal Security Strategist at the Synopsys CyRC
With each new data breach, hack and ransomware attack, we’re faced with a choice – either resign ourselves to the potential that our personal data is in the hands of people who shouldn’t have it, or try and take control of the situation. With today being Data Privacy Day, I suggest it’s time for us to go on the offensive and hold the people collecting data on us more accountable. Becoming an active participant in managing online data sends the message that “business as usual” with data management needs to change. Regulations like GDPR provide individuals the ability to request what data a company already has collected, but the fight to control data actually starts with its collection and not reviewing what is already out in the wild. I submit that if more people asked their vendors or providers of services they’re subscribed to what data they collect, how its secured, how long its retained for, precisely who its shared with, who has access to it and under what conditions, and how they would detect that someone accessed your data without proper authorization – then we’d start having consumers driving the agenda for data protection rather than being passive recipients of breach notifications containing offers of credit monitoring. Even if the answer is a highly technical one that might not be immediately understandable, the act of asking sends a signal that the consumer cares about how their data is used and managed.
Of course, on business side, if the vendor simply cites their license agreement or privacy policy, then that vendor is in essence saying one of two things. The first, and likely most common, is that their license agreements and privacy policies are written in generic terms. In this situation as the application and services they provide evolve, the use of generic terms helps ensure that developers don’t need to have a legal review of any changes because the agreement is so vague. The second, and least likely scenario, is that the company has developed a constructive partnership between their development teams and their legal counsel. Under such a model, the policies can accurately reflect the current state of what data is being collected, processed and retained by the vendor. As users, the only way to detect which situation is real is if the answer to your questions simply point to a license agreement or privacy policy, then ask when that document was last updated and what version of their software it covers. If the software is newer than the last review, the policies are generic. Importantly, the act of asking these questions will cause the customer support team to log your request and how it was answered. While the initial response might be less than helpful, with more customers asking for the same information, the business will eventually recognize that their customers and prospects value clear and accurate disclosures of what data is collected, how data is being processed and expect to be active participants in understanding how their data is used.
This type of partnership between consumer (data provider) and vendor (data consumer) is one which will take time for some organizations to adopt. Ultimately, some vendors will surface as true stewards of consumer data while others will develop a reputation for the opposite side of that coin. Given we’re in a data economy, consumers have a right to influence and control how they share their data and with whom that data is shared. The easiest way to start that conversation is by asking questions and making your choices in vendors based on how they respond to your concerns. After all, consumers have a choice in who they select to do business with, and privacy should be one of the selection criteria.
Robert Meyers, Compliance and Privacy Professional at One Identity
All Industries Exposed to the Effects of Negligent Data Handling. We see companies across all industries struggle with the implementation of proactive data privacy programs and policies. The European GDPR, the recently introduced California Consumer Privacy Act (CCPA) and other regulations in the works are designed to will punish those organizations that are handling personal data with negligence. These regulations require organizations to demonstrate the implementation of proper data protection practices, such as identity governance and administration and privileged access management – those who fail to implement such systems are considered negligent and thus exposed to higher fines and stronger punishments. We see a rush from companies catching up with these requirements and working to implement the right security tools and practices after a breach. We also see a lot of head in the sand trying to pretend that the new laws and regulations don’t affect them. Hint: it does. We hope that the Data Privacy Day is a good initiative to remind companies to think ahead and will lower the number of companies where privacy is just an afterthought.
Charles Southwood, Regional Vice President, Northern Europe and MEA, Denodo
In our current climate, protecting personal data has never been more important or more challenging. The annual celebration of Data Privacy Day, provides us not only with a chance to reflect on how far we’ve come, but also to look forward to how we can improve in the future.
The introduction of the EU’s General Data Protection Regulation (GDPR) in 2018 presented a tough challenge for some companies. Since then, we have seen many organisations continue to struggle to ensure the simple and transparent management of personal data, mainly due to the fact it is distributed in different and separated repositories.
Data virtualisation provides a solution for the data privacy challenge. It enables easy and complete access to all repositories, through a single information layer. This means that data can be traced and audited in real time, no matter where it is stored.
Data virtualisation facilitates compliance with current legislation whilst enabling organisations to protect their most valuable asset; their data.
Felix Rosbach, product manager at comforte AG
According to statistics 35% of people use weak passwords and 55% of people use the same password for the majority of services they use.
And what’s worse, 97% of people are unable to identify a phishing email and therefore can’t even recognize malicious behavior.
Regardless of our circumstances, it is critical that we all become aware of and understand the risks facing our data. Everyone should know how high the chances of a data breach are and that you will not always be aware of a breach and sometimes you won’t be informed at all. Our personal data can easily be abused. We need to understand the consequences. If bad actors, for example, steal our identity they are able to influence elections, take out a mortgage in your name, and open 15 new credit cards.
Once we become aware of these risks and understand why data protection is important – only then will we have a chance to do something about it.
And to do something about it, we have to understand our rights and our options. While regulations like GDPR made a lot of noise in the industry, many consumers are still unsure what to do to exercise their new rights and how to find out if companies are compliant.
We should know what concrete steps we can take to protect your privacy, where to find out how our data is being used and how to exercise the right to be forgotten.
We are the only ones who can make sure that we only give data away to organizations that take the proper measures to protect our data.
We have to be clear about what we want, what parts of our data we are willing to “sell” to get free access to services, and for what services we are better off paying for.
Richard Meeus, Security, Technology and Strategy Director, Akamai Technologies
Data Privacy Day should act as a stark reminder to businesses that the battle to protect their own and customers’ data is never won. Criminal hackers have shown frequently over the last year the value of personal data and we have seen big fines associated with the mishandling of these identity stores. Companies are in a position to foster more trust from their customers by showing good care over their data, allowing them to change what is stored instantaneously, and delete if necessary. Protecting these databases is now key to a company’s stability and its ability to do business. Lack of availability or integrity of identity data, or a breach of confidential information, can bite hard in the online world from both a regulatory and reputational point of view.
By Jitesh Ghai, SVP and General Manager, Data Governance and Privacy at Informatica
The way the world sees and manages data privacy has been subject to a massive shake up in the past two years. And while data privacy has always been on the agenda of truly customer-focused organisations, it’s heartening to see that data privacy is now a boardroom priority for every business.
Privacy isn’t just a compliance concern; it has broader implications for the business. It’s data that drives competitive differentiation and companies that take privacy seriously are five times more likely to have their customers entrust their data to them, which in turn helps drive key strategic business initiatives, such as customer experience, supply chain optimisation, new product and services innovation.
While data protection has become more ingrained into corporate culture, due in part to regulation, it’s frustrating to see many businesses put data privacy governance on the back burner, as they consider it a ‘nice to have’, rather than a necessity.
Businesses are failing to appreciate that data governance is the bedrock for data privacy. Focusing on data privacy governance aligns an organisation to drive business value, by providing best practices for discovering data, who’s using it, who it belongs to; understanding risks for prioritising remediation; and protecting personal data exposure as the key to building trust with consumers.
In reality, data governance enables greater data democratisation while supporting data privacy. By putting de-sensitised data insights into the hands of data-driven leaders and subject matter experts from across the lines of business and IT, as opposed to just one data scientist, businesses can empower employees to utilise data-led insights to collaborate and deliver successful outcomes that build trust and improve customer experience.
Those businesses for which data privacy governance is already a well-understood and organisational competency are gaining the edge in their market. They’re the ones that can comply with regulations, rely on accurate analytics, power customer experience initiatives, migrate to public cloud safely, and optimise business processes for greater efficiencies.
