In light of Data Privacy Day, we’ve reached out to a number of experts for their thoughts on the evolving nature of data privacy, as well as advice for businesses and individuals alike on how they can best protect their data.
Lecio De Paula, VP of Data Protection at KnowBe4:
“Although the metaverse took all the attention in 2021, some seemingly innocuous privacy accomplishments have been overlooked. In just the past year alone, dozens of new privacy laws were drafted and/or enacted, high profile organisations were slapped with massive penalties for violating privacy laws (over 350 million euro in fines globally) and regulators have been tasked with providing accurate guidance to assist organisations in achieving compliance with various applicable privacy laws. These various events that took place in 2021 represent the privacy-centric shifts that are being taken by global regulators and organisations. This is causing, and will continue to cause, upheaval in the tech and ad-tech industries, which rely on big data and swaths of consumer data sets, and which will continue for the foreseeable future. In addition, countries around the world have caught the privacy bug and have been leveraging the GDPR model to draft their own privacy laws, which is very beneficial to organisations, as it makes compliance with these laws scalable. Governments globally are beginning to understand that complexity is the enemy of compliance (to the extent it applies to privacy) and countries need to adopt similar standards in order to protect their data to help ensure the economy continues to run smoothly. I see these trends sustaining into 2022 and beyond with a couple of surprises here and there.
Data privacy is still in its infant stages and one thing is for certain — privacy is here to stay and organisations that embrace privacy will continue to be successful over the next decade. Regulators and consumer advocacy groups are just getting started and I expect 2022 to be a record year for enforcement, penalties and other fines alike.”
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre:
“When there are options to purchase an item or service, brand reputation is a key element in the selection process. Effectively, the purchaser expects delivery of a quality product and that the supplier will stand behind their products and be there should support be required. Since the majority of business activity involves personal data – even to the degree of a simple credit card transaction in a shop – businesses who fail to properly manage the data their customers willingly share risk damaging their reputation and, by extension, breaking the trust their customers have placed in them.
It is far easier to break trust than to build it, or rebuild it. Trust is effectively a series of small successes that in the aggregate represent the value of a brand. A business that only requests a minimum of data from their customers and only retains it for the minimum time period required to satisfy the customer’s expectations reduces their potential exposure should a data breach occur. After all, the only data contained in a data breach is data that was available to breach, so it stands to reason that an abundance of customer data and profiles increases the interest cyber criminals might have in targeting specific businesses.
Transparency, simplicity and consistency are keys to restoring trust. Be transparent about the nature of the attack, which weaknesses were exploited, when it occurred and why specific customers might be impacted. The more complex communications are, the more likely some customers will view that complexity as being part of an effort to paint the business in a positive light. Accept and own responsibility for the weaknesses that were exploited, and outline the steps taken to prevent similar attacks from being successful in the future. Of course, you never want to change details on the attack, unless they are material to the customer impact. While regulators might require the additional information, they are also positioned to interpret that information within the context of the attack and often without any biases a customer might have on the situation.
Privacy statements that are written in plain English are best. Detail what information is collected and why it’s required. Ensure that internal software development teams understand the privacy statements and their implications. After all, the last thing a business wants is to have a clear privacy statement, and then have a development team implement software changes that invalidate that statement.”
Bindu Sundaresan, director at AT&T Cybersecurity:
“Building trust with customers and third-party vendors is critical to an organisation’s success and can only be achieved with an offensive approach to data security and data privacy. Given that businesses today use multiple suppliers, shared networks, cloud applications, and, in some cases, work with multiple vendors, one of the best approaches to enable data privacy and security is through data governance. It is about designing and implementing the norms, rules, and infrastructure that will foster trust by shaping the way people, organisations, and governments can legitimately collect, use, and share data to create sustainable value that is realised equitably. Data governance programs effectively support privacy management by giving organisations a clear look into what data they have, where it is stored, how it is used, and who it’s shared with — also allowing compliance with the current privacy laws and regulations.
The common denominator for a more effective security strategy is data governance. With it, organisations have a wider lens through which to monitor all of their data and its activity, protect data throughout its lifecycle and build a data privacy and security strategy that is better prepared for the evolving threat landscape. As organisations work to build customer-focused, digital business models, it’s critical to consider the role of trust and privacy in the customer journey. Delivering digital trust isn’t a matter of publishing a highly secure website or app, or avoiding a costly, embarrassing data breach. It is about creating a digital experience that exceeds customer expectations, allows frictionless access to goods and services, and helps protect customers’ right to privacy while using the data they share to create a customised and valuable experience. Today’s security strategies are, in large part, still responding to yesterday’s challenges. From reports of exposed personal information to data misuse, trust incidents are becoming increasingly visible to the public.”
Prof. John Goodacre, The University of Manchester and Director of Digital Security by Design Programme, UKRI:
“Businesses have long operated within frameworks of confidentiality, sharing their private or secret information with others with a legal expectation that that information will not be shared any further. The challenge with privacy is that it is more about ethics than legality. Is it perceived by those learning of some information whether it’s OK to share that private or secret information? It’s when the perceptions between those accessing information and those holding the information differ that distrust can arise.
When businesses have access to private information, whether provided with the expectation of confidentiality or purposefully discovered by the business, consumers and corporate customers alike can quickly lose trust in that business when they find what they consider private used or shared in a way they consider inappropriate.
The GDPR law tries to formalise the expectations of privacy, with many businesses going further through publishing their perceptions of privacy through policy statements. This shift towards trying to make privacy a legal framework however overall does not have the legal reinforcement awarded to confidentiality.
In our digital world, enforcing GDPR through fines on the data holder can often be seen to be punishing the innocent when the data leak may have been due to cybercrime. If the business’ digital system was not secured by default, its configuration or design were flawed, failed to follow best cyber practice, were missing critical patches and so forth, then the owners of the system were more likely at fault. But what if the leak happened because components of the system were vulnerable, its software contained a vulnerability that permitted exploitation and it was because of this the data was compromised? It’s not clear the business could have done anything to have blocked the leak. The question then moves to whether the supplier of the components of the system could have done more, and whether the supplier of components to that supplier could have done more, and so forth.
Given the sheer amount and complexity of today’s software, vulnerabilities are inevitable. The technology community has worked with https://cve.mitre.org/ to maintain a list of vulnerabilities. For several years, around 70% of the ongoing vulnerabilities have been due to errors in the way software manages the memory of the computer. This is controlled through a contract between the computer hardware and the software known as the memory system architecture, which at its core has fundamentally been the same for decades. As long ago as the 1970s it was known this architecture could not protect against software vulnerabilities being exploited, with various proposals being made on how to stop this. Unfortunately, the massive amount of software, and the disconnect between needing to change this and how long new hardware takes to become available in market, has meant the cyber security sector has grown around trying to limit who can access what software, management of risks should an attacker access a vulnerability, and monitoring systems to know if they are being attacked, rather than working to fix the problem.
In 2019, the convergence of research outcomes, business desire and UK Government support to address this situation came together in a UKRI delivered programme known as Digital Security by Design (DSbD). The programme is working with the researchers and key hardware and software businesses to realise an enhanced memory system architecture that can block, by design, this significant class of vulnerability.
Whether through legislation or ethical privacy statements, for consumers and business to maintain trust in the digital world, they need to not only trust the holders of private data that they won’t misplace that trust, but they also need to trust that the digital technology storing their data can be trusted. A business may be able to recover from a mismanagement of private data, but given the growing disclosure of technology failures and exploited vulnerabilities, would any business be able to recover our trust if we start to lose our trust that digital technology itself can be trusted to be secure?”
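The class of vulnerability Prof. Goodacre refers to, errors in how software manages memory, is easiest to see in a few lines of C. The following is an added illustration, not code from the article or from the DSbD programme: the record layout, field names and the 16-byte limit are constructed. It places the classic unbounded copy next to a bounds-checked version; on conventional hardware nothing stops the first one from writing past the end of `name` into whatever sits next to it, which is exactly the gap a hardware-enforced memory system architecture is meant to close.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for the example: a fixed-size buffer followed by
 * a security-relevant flag that an out-of-bounds write would land on. */
#define NAME_MAX 16

typedef struct {
    char name[NAME_MAX];
    bool is_admin;   /* lives immediately after the buffer in memory */
} account_t;

/* Unsafe form: strcpy copies until it finds the NUL in src and never looks at
 * the size of the destination. With src of NAME_MAX bytes or more this is an
 * out-of-bounds write (undefined behaviour); the hardware does not object. */
void set_name_unsafe(account_t *acct, const char *src) {
    strcpy(acct->name, src);
}

/* Hardened form: check the length first, and only then write. Input that would
 * not fit together with its terminating NUL is rejected and the record is left
 * untouched, so the caller sees an error instead of corrupted adjacent state. */
int set_name_safe(account_t *acct, const char *src) {
    size_t len = strlen(src);
    if (len >= NAME_MAX) {
        return -1;   /* would overflow: refuse rather than truncate silently */
    }
    memcpy(acct->name, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Self-check used by the demo: the hardened function must accept a 15-byte
 * name, reject a 16-byte one, and never disturb the is_admin flag. */
bool hardened_rejects_oversized(void) {
    account_t acct;
    memset(&acct, 0, sizeof acct);

    if (set_name_safe(&acct, "alice") != 0) return false;
    if (strcmp(acct.name, "alice") != 0) return false;

    /* 16 characters: no room left for the NUL terminator, so it must fail. */
    if (set_name_safe(&acct, "0123456789abcdef") != -1) return false;
    if (strcmp(acct.name, "alice") != 0) return false;   /* unchanged */

    /* 15 characters fit exactly. */
    if (set_name_safe(&acct, "0123456789abcde") != 0) return false;
    if (strcmp(acct.name, "0123456789abcde") != 0) return false;

    return acct.is_admin == false;
}

int main(void) {
    /* The unsafe function is shown for contrast only; it is never called with
     * oversized input here because that would be undefined behaviour. */
    account_t acct;
    memset(&acct, 0, sizeof acct);
    set_name_unsafe(&acct, "bob");
    printf("unsafe copy of a short name: %s (is_admin=%d)\n", acct.name, acct.is_admin);
    printf("hardened copy behaves as expected: %s\n",
           hardened_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The point of the check in `set_name_safe` is that the length comparison is the only thing standing between the input and the flag after the buffer; when that comparison is missing, or off by one, nothing in the conventional hardware/software contract catches the overrun, which is why so large a share of the CVE list comes down to this one mistake.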
Brian Higgins, security specialist at Comparitech:
“Data Privacy isn’t just an issue for businesses and government. This January 28th take back some control and check it for yourself. Put your own name into a few different internet search engines and see what pops up. If you can find it so can everybody else. Then take a minute to update your Privacy settings everywhere you can. You’d be surprised how often Social Media platforms change their Terms and Conditions. This is your chance to catch up!”
Paul Bischoff, privacy advocate at Comparitech:
“Data privacy is a serious issue that needs to be tackled at both policy and individual levels. Policy makers need to keep up with laws and regulations necessary to hold privacy abusers accountable and establish guidelines for data protection. Those abusers range from private corporations to law enforcement agencies.
Individuals should take steps to minimise their digital footprint and stay safe online. The basics are easy: don’t reuse passwords. Don’t click on links or attachments in unsolicited messages. Block ads and trackers in your web browser. Don’t overshare on social media. Support end-to-end encryption.”
Chris Hauk, consumer privacy champion at Pixel Privacy:
“Use Data Privacy Day as a reminder to check your online accounts and accompanying privacy settings. Go through your social networking account settings on Facebook, Instagram, Twitter, and other platforms to double-check and adjust your privacy and sharing settings on each network. Also, enter your name in multiple search engines to find out what information about you is available online.
Also, double-check your login/password information for your online accounts. Make sure you are not reusing passwords on multiple websites. Change your passwords on a regular basis, using a password manager like 1Password to generate a strong and unique password for each site and to manage your login information. This makes it easier to have a different password for each site, as a password manager will help prevent duplication of passwords.”
Jamie Akhtar, CEO and co-founder of CyberSmart:
“Our personal data is being processed every second of every day – whether at work, when we visit the doctor, as we read the news, or when we buy goods. Sometimes this is for valid purposes, other times less so.
Yet most of us are unaware of the risks related to the protection of data or our rights. With regard to SMEs, we find that small business owners are seldom aware of the risks, what to do if their data has been compromised, or the role of national data protection agencies.
So events like Data Privacy Day are crucial in building awareness. But, at the same time, this needs to be a year-round initiative. We need to create a society in which small businesses think about data protection in the same way they might think about business insurance or end-of-year tax audits – as a fundamental part of modern business.”