Data privacy is top of mind these days – for good reason. The number of exposed online records has doubled since last year, reaching a total of 446.5 million. International regulations such as the EU’s General Data Protection Regulations (GDPR), the California Consumer Privacy Act (CCPA) in the U.S., and the Personal Information Privacy Act (PIPEDA) in Canada have helped to provide standards for governance over our information, but it is not always simple.

We Are Our Data

When all our personal data is digital, privacy becomes a much bigger issue, with many more stakeholders. With all the progress society has made during our digital transformation, we somehow managed to sacrifice our data privacy along the way. We shifted from moving physical material that makes up a person’s identity around in space to moving bits and bytes of data around in the cloud — and somehow this shift made the data seem less valuable…for a while.

When it comes to data protection, most people fall into one of three categories:

  1. Just stay offline.
  2. My data will be used/misused and it’s no big deal.
  3. Wait a second – that data is who I am!

Whatever your opinion, however, there have been too many recent stories about organizations mishandling data, including negligence and loss of personal data, cybersecurity breaches, inadvertent misuse of data by a third party, and the list goes on.

A Responsibility to Protect PII

There are several reasons why organizations should do everything in their power to protect Personally Identifiable Information (PII). Firstly, it’s the law. Data breaches can be bad for business both in terms of regulatory fines and loss of business due to class-action suits. Not to mention the subsequent reputation damage.

Secondly — and more importantly — there’s an ethical responsibility: it’s the right thing to do. And the public expects organizational leaders to take charge — 76% of those surveyed in the 2019 Edelman Trust Barometer believe that CEOs should take the lead on change, rather than waiting for a government to impose it.

The C-suite has a responsibility to take an active role in ensuring that data security and privacy controls are in place. Failure to do so puts innocent people at risk and could be likened to the digital world’s version of reckless endangerment.

3 Simple Aspects of Data Privacy

Data Residency. Your organization is full of sensitive data and, unfortunately, employees unwittingly put it at risk all the time. An organization is responsible for understanding where the data it collects and stores resides, especially if it is stored in another country. However, your data sits out there on more endpoints than you think, not to mention what happens when one of those devices goes missing.

You need the equivalent of Google for your endpoint data — a lexicographical crawler for PII that can alert you to any unauthorized data hiding out there on endpoint devices. Unless you have that, you simply won’t be able to track all the places where the data resides.

Orchestration of Controls. There is no shortage of security controls, whether they be native in the operating system or come as third-party applications like antivirus, antimalware, encryption, or other endpoint detection and response (EDR) solutions. These controls help ensure that the place where data resides is secure.

The problem is in ensuring that the third-party controls remain in place and functioning at all times. Native controls can help with this, giving organizations the ability to pull information from the controls and push actions to the device if they are not operating as they should, or if the user of the device is acting suspiciously.

Continuous Monitoring. Annual auditing is only valid on the day the audit takes place. Can you be sure on any day in between audits that data is not residing in the wrong place and, if it is, that security controls are in place to protect it? Without continuous monitoring, you’ll never be able to keep track of all the data copies that exist on all your devices. This can leave you in hot water when the regulators come knocking.

Data privacy affects all of us. As the digital world operates at ever greater speed, we can expect everyone to take a greater interest in their personal data. The organizations that act now to build data privacy into their company’s mission statement will be the ones that retain customer trust.

For more information on data privacy in our digital world, watch the next episode of our Cybersecurity Insights video below. And while you’re at it, watch and subscribe to our full Cybersecurity Insights video series on YouTube.

Video transcript:

Welcome back! Josh here from Absolute. If you’ve been on planet Earth the last couple of years, you know one topic in Information Security is grabbing everyone’s attention: Data Privacy.

Look around at a home of 2019 and compare it with a home of the 1980s or even the 90s. Take notice of what’s likely missing…

  • Answering machines
  • Rolodex
  • Alarm clock
  • Maps
  • Vinyl records, VHS tapes, cassettes, CDs or DVDs

Each (and there are many more) has been replaced by a smartphone. Digital has dematerialized our world. The things people need are no longer dependent on physical stuff but are satisfied by digital technology.

What does this have to do with data privacy?

Well, digital has also dematerialized people. We live in a digital reality. Who we are has become a collection of individual pieces of data; we call it Personally Identifiable Information or PII.

People have always been conscientious about their personal privacy, but now that we’ve been dematerialized, personal privacy takes a new shape. Each person’s right to privacy is more easily overthrown, because we’re not moving physical material around in space, but manipulating bits and bytes that compose a person.

One school of thought says, ‘Just stay offline.’

Another way of thinking says, ‘Hey, my data will be used (or misused), it’s no big deal.’

While others contend this by saying, ‘Wait! That’s my data and that is who I am!’

For starters, just saying ‘stay offline’ isn’t reasonable for a 21st century person: the digital world is where things happen. That’s why we call it The Digital Transformation. Business, government, school, research, and even friend-to-friend interactions, all happen in the digital town square.

For those saying ‘No big deal’, would you say that if you were being harassed or stalked by someone in the physical world? And even if you don’t care about how your data is used, other people do… and they want assurances that their privacy is always secure.

You can see why data privacy is all the rage right now. And it’s not just social media data scraping to create ‘fake news’; we see credit bureaus, city governments, and even hospitals, schools and universities all fail to safeguard individual privacy.

Data privacy goes to the heart of what we value as a society, which demands that we do our best work to protect those digital persons in our care.

Be sure to subscribe and put your comments below. I’ll see you next time, and we’re gonna take a deeper dive into the laws that are designed to protect personal privacy.