Unless you’ve been living under a rock, you must have noticed that privacy has become a huge buzzword among companies and professionals worldwide. Regulations such as the General Data Protection Regulation (GDPR), which came into effect on May 25th, 2018, have far-reaching consequences. Its first major victim, Google, was fined $56.8 million USD for failing to provide users with enough information about its data consent policies. GDPR was created to ensure the adequate protection of customers’ personally identifiable data. This implies that strong controls should be placed around how data is created, stored, used, shared, archived and destroyed within the organisation and by its vendors and affiliates.
Sophistication has driven technological innovations to the point where they have become intrusive and invasive, and this has led to increased data risks for businesses and consumers. GDPR and other regulations now hold businesses accountable for adequately securing the consumer data they collect and for how it is used. This leaves organisations facing an incredibly complex risk portfolio when it comes to ensuring that personally identifiable data is protected. Implementing a robust and comprehensive privacy program within your organisation can help to curtail and mitigate privacy risks.
Organisations often violate individuals’ privacy rights unintentionally. Violations occur when data is not processed in accordance with the respective data protection guidelines and/or the purpose for which it was originally collected. Some scenarios include:
Under GDPR, individuals have more control over their data; therefore consent must be given through a clear, explicit action. In practice, this means a mechanism should be in place that allows individuals to provide deliberate consent, which disqualifies pre-ticked boxes.
Individuals reserve the right to request that their data stop being processed, without having to give a reason. Therefore, policies and procedures should be created to allow users to withdraw consent, and a withdrawal should prompt data owners/controllers to discontinue processing.
Organisations whose strategic goals and initiatives revolve around processing large amounts of data sometimes have trouble adequately tracking that data, both during use and afterwards. For example, files containing sensitive or personal information may remain on peripheral devices or servers long after they have served their intended purpose.
Information is sometimes shared between companies and their third-party partners and vendors, often through removable media or email. The problem with this is that the Data Controller no longer has control over the data once it has left their environment.
GDPR’s mandate for “the pseudonymisation and encryption of personal data” is violated if a business stores certain personal data in plain text. It is the responsibility of the data controller to anonymise and mask sensitive data held within their environments.
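As an added illustration of the plain-text scenario above (example code written for this article, not code from the author or from Symptai Consulting), the script below pseudonymises the direct identifiers in a customer record with a keyed HMAC, keeps only a masked form for display, and runs a simple check over a record to flag fields that still hold a raw email, phone or card number. The field names, the sample record and the demo key are all constructed assumptions; in a real deployment the key would come from a KMS or HSM and be stored separately from the data, since GDPR treats pseudonymised data as still being personal data precisely because it can be re-linked with that additional information.

```python
import hashlib
import hmac
import re

# Constructed demo key. In production the key lives in a KMS/HSM, separate from
# the pseudonymised data, so a copy of the database alone cannot be re-linked.
PSEUDONYMISATION_KEY = b"constructed-demo-key-replace-in-production"

# Assumed field names for this example, not a real schema.
DIRECT_IDENTIFIERS = ("email", "phone", "card_number")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed HMAC-SHA256 of the normalised value.

    The token is stable (same email -> same token, so records can still be
    joined) but cannot be reversed or enumerated from a list of known emails
    without the key. An unkeyed hash would not achieve that, because the
    input space (email addresses) is small enough to brute-force.
    """
    normalised = value.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain: j*******@example.com."""
    local, at, domain = email.partition("@")
    if not at or not local:
        raise ValueError("not an email address")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_digits(value: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits of a phone or card number."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        raise ValueError("too short to mask")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def protect_record(record: dict) -> dict:
    """Return a storage-safe copy: each direct identifier becomes a token plus a
    masked display value, and the raw value is dropped."""
    protected = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for field in DIRECT_IDENTIFIERS:
        raw = record.get(field)
        if raw is None:
            continue
        protected[f"{field}_token"] = pseudonymise(raw)
        protected[f"{field}_display"] = (
            mask_email(raw) if field == "email" else mask_digits(raw)
        )
    return protected


def find_plaintext_identifiers(record: dict) -> list:
    """Flag string fields that still look like a raw email, phone or card number.

    Meant to be run over a data store or an export before it leaves the
    controller's environment. Masked values (containing '*') are ignored.
    """
    flagged = []
    for field, value in record.items():
        if not isinstance(value, str) or "*" in value:
            continue
        digit_count = len(re.sub(r"\D", "", value))
        looks_numeric_id = digit_count >= 7 and re.fullmatch(r"[\d\s()+.-]+", value)
        if EMAIL_RE.match(value) or looks_numeric_id:
            flagged.append(field)
    return flagged


# Constructed sample record; not a real person.
SAMPLE_RECORD = {
    "customer_id": 1042,
    "email": "Jane.Doe@example.com",
    "phone": "+1 876 555 0100",
    "card_number": "4111 1111 1111 1111",
    "country": "JM",
}

if __name__ == "__main__":
    print("plain-text identifiers before:", find_plaintext_identifiers(SAMPLE_RECORD))
    safe = protect_record(SAMPLE_RECORD)
    print(safe)
    print("plain-text identifiers after:", find_plaintext_identifiers(safe))
```

The detection check is deliberately crude (two regular expressions); its purpose is to show the kind of control a data controller can run over servers, shares and outbound exports to catch the “stored in plain text” violation before a regulator or a breach does.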
To implement privacy within your organisation, you must first determine the extent to which privacy should be incorporated into the business’ operations, by considering the kind of data you collect and matching it against your company’s strategic goals, and by understanding the information privacy laws of the respective jurisdictions in which your clients operate and reside. Organisations can comprehensively assess their procedures and controls by conducting a Privacy Impact Assessment.
New and looming data privacy legislation reflects growing public concern about the protection and personal ownership of personal and sensitive information. It is important for organisations that touch personal data to re-evaluate their IT security infrastructure and their data privacy and protection policies. Are your IT security solutions able to communicate effectively, regardless of where they have been deployed, so as to optimally protect data and provide network-wide visibility? Does your network include enough data-protection measures, such as threat detection and data loss prevention? And finally, have you documented, and more importantly tested, your data-breach response plan?
Today’s organisations need to be able to answer “yes” to these questions if they want to be prepared for the new data privacy regulations on the horizon. As the Data Protection Officer responsible for the regulatory compliance of your organisation, are you prepared to answer yes to the above?
Ashdane Beckford is a Privacy and Information Security Consultant at Symptai Consulting Limited. He is currently completing his B.Sc. in Computing, majoring in Information Technology and minoring in Information Systems, at the University of Technology Jamaica (UTECH). He is a former member of the Utech rugby team and has a demonstrated passion for information technology. When he isn’t glued to a computer screen, he spends time reading finance books and talking about current affairs.