January 28th should be a day observed by all. Yes, for some it could be a birthday while for others it could be an anniversary. But for those operating within the realms of the technology industry - more specifically cybersecurity - this date is commonly known as Data Privacy and Protection Day. The objective: boosting education and raising awareness amongst businesses and users about data protection and privacy, especially as more critical and personal information is being stored online.
This year will mark the 13th anniversary of the founding of European Data Protection Day by the Council of Europe. It is now widely acknowledged by 47 European countries, along with Israel, Canada and the United States. This has led to the formation of allegiances amongst the cybersecurity fraternity, with CISOs and security personnel determined to bring data protection and privacy to the fore in an attempt to generate awareness and change the behaviours of employees and consumers alike.
Yet 2019 was one of the worst years in terms of information stolen and number of data breach occurrences; so is it time Data Privacy and Protection Day became more than just a one-day occasion?
Data Protection and Privacy today
If you were to examine some of the biggest data breaches in recent history (Yahoo, Equifax, eBay, Capital One, Facebook, Friend Finder or Marriott), it would be difficult to locate an individual who wasn’t affected by any one of these. Whenever a breach occurs, questions are always asked around whether data protection and privacy were being taken seriously. For most organisations, data is key; and as a commodity, it is considered by many to be more valuable than either gold or oil.
Businesses rely on data to project growth and improve the efficiency, services and products that are, ultimately, aimed at benefiting their consumers. Indeed, businesses understand that data protection is paramount. As such, they will often protect their perimeters with traditional defences such as firewalls, anti-malware solutions and intrusion detection systems, amongst others, in an attempt to protect valuable data.
However, when it comes to data privacy, compromises are unfortunately common, as many organisations seemingly do the bare minimum just to meet compliance for data regulations and laws. Or worse, they abuse the data entrusted to them by consumers. A notable example was the Facebook Cambridge Analytica data scandal, where the data gathered by Facebook was not hacked but instead purposely handed over to Cambridge Analytica for them to utilise without the knowledge of end users. It was the total disregard for the privacy of critical consumer data that shocked the world, and it highlights a serious issue with data privacy (and what constitutes private data) in modern times.
Thankfully, the understanding of what is needed for true data privacy is changing, and this is largely due to the introduction of data privacy and data protection laws which set the standards and requirements for being secure and compliant.
The power of regulations
The ratification of the European General Data Protection Regulation (GDPR) in 2018 was a momentous period in the history of data protection and privacy. The fact that there are now laws in place to dictate the way in which organisations leverage personal information on individuals means that data protection is finally being taken seriously. GDPR impacts every business in the world that collects the data of European citizens, so it is no trivial matter. On top of this, there are the significant fines for non-compliance which could easily range in the millions.
GDPR set a precedent that would go on to transcend international borders and now, in America, data privacy and protection are equally viewed as a high-priority matter. As such, many individual state laws across the United States have formed, with the most recent being the California Consumer Privacy Act (CCPA). CCPA is designed to enhance privacy rights and consumer protection for residents in the state of California and will apply to any organisation that collects and processes personal data on Californian residents. CCPA will essentially give power back to consumers on how organisations use consumer data.
The likes of GDPR and CCPA can be seen as guiding lights for enterprises seeking to become champions of data privacy and protection, leaving no grey area when it comes to compliance for companies around the world. While GDPR covers the majority of Europe, in America there are roughly 18 data privacy and protection laws that have either passed or are being planned in separate states. What we could potentially see in the future is an American equivalent to GDPR where all 50 states adhere to one federal data privacy and protection regulation. Other countries are following suit with Brazil, Australia, South Korea, Thailand and Japan all adopting comparable data privacy laws.
Indeed, cybercriminals will always find nefarious ways to steal critical information. To complicate and confound matters further, the overall attack surface is increasing exponentially as reliance on digital services grows and vulnerabilities within classic perimeter defences are mounting. For this reason, organisations need to deploy a security solution that can cover the many security necessities like data protection, privacy, compliance and risk reduction. It’s easy for CISOs to go out to the market and purchase a new solution, but it’s important to conduct the necessary due diligence.
To best uphold privacy commitments and to protect the data within an organisation’s infrastructure, a data-centric security strategy approach is required. This will allow for personally identifiable information (PII) to be protected at its earliest stage, throughout its lifecycle and only de-protected when absolutely necessary. Incorporated within this strategy should be tokenisation technology, which will mask the critical information and allow for data processing and analysis in a protected manner, while keeping overall operational impact to a minimum.
The laws currently implemented have helped elevate the issue of data security and privacy so that it can no longer be ignored, and Data Privacy and Protection Day is a welcome initiative to boost these two critical elements within society. Good habits form good behaviour; therefore, ensuring that data protection and privacy is not a one-day event, and that best practice is regularly adhered to, is paramount to building a more cyber-secure world.
Anna Russell, EMEA VP, comforte AG