InfoSec Advisory with Del Aden
Data is an incredibly important asset, and collecting and sharing data can be big business in today's digital economy. But for a business to take advantage of the data it collects safely and successfully, it needs safeguards in place to ensure that the data is kept under tight lock and key and that consumers are not subjected to uninvited surveillance.
Data privacy is more important today than ever before, and businesses should pay close attention to their data privacy policies and procedures for several reasons.
As businesses collect growing amounts of information on their customers, those customers have begun to see the potential downsides to this data collection. Consequently, there has been no shortage of data privacy laws enacted in the past few years.
The resulting regulatory landscape has created new complications for businesses of all types. Data privacy regulations such as the Ghana Data Protection Act, the Nigeria Data Protection Regulation (NDPR) and the EU's General Data Protection Regulation (GDPR) have significantly changed how businesses may collect, store and handle personal information about consumers. These laws are comprehensive and are designed to give consumers a level of legal protection that was not previously available.
Typically, these data protection laws set out the rules and principles governing the collection, use, disclosure and care of personal data, also known as personal information or personally identifiable information (PII), by a data controller or processor. They also recognise a person's rights over their own personal data (data subject rights) by requiring the data controller or processor to process that data (collect, use, disclose, erase, etc.) in accordance with those rights.
Additionally, the COVID-19 crisis has made data privacy issues even more salient. As organisations collect personal information about employees' health and travel as part of their response to contain the spread of the virus, they need to take appropriate measures to protect employees' privacy and stay compliant with applicable data privacy regulations, including GDPR.
As a business, your obligation to safeguard data has never been greater. Not only do you have to collect, store, process and discard data in ways that are compliant with regulations, you also need to have strong information security policies and practices that protect your clients’ data from malicious or unauthorized use.
This is why businesses need to pay attention to data privacy. They also need to understand the key data privacy regulations that apply in the jurisdictions where they operate and, most importantly, the key steps they must take to adhere to those regulations and to adequately protect their critical assets and their reputation.
But why do we need data privacy laws?
Generally, laws exist to correct behaviours that various jurisdictions consider to be unacceptable. Consequently, I suggest that the spate of new data privacy laws has come about because governments are aware of the massive growth of organisations whose entire business model is the collection of personal information for the purpose of selling it to advertisers and others trying to reach targeted market segments. With very limited exceptions, these companies do not steal our PII. We sell it to them, if not for a mess of pottage then at least for online services that seem to us to be free.
Genuine Harm
PII has monetary value. It may not be worth much on an individual basis, but in the aggregate it is worth a great deal, in the billions. Most importantly, however, governments should take cognisance of the very real and very serious consequences of genuinely harmful privacy breaches. The ease with which victimisers can find their prey on the Web is not to be dismissed. Credit card numbers are being sold; people are being stalked; politicians are illicitly swinging elections.
As I write this, there is a controversy about the Ghana Electoral Commission (EC) inadvertently exposing citizens' personally identifiable data. Consequently, my point is that the latest generation of data privacy laws should be focused on cases of actual harm, not the trivial ones that do not even merit a fine.
There is no data privacy without data security
Data privacy vs. Data security
Data privacy consists of the policies and processes that dictate how your business collects, shares and uses data. Data privacy is often informed by state or federal laws that apply to businesses in a certain location or industry. Data security, on the other hand, protects your company's data from being accessed or used maliciously. Data security varies from one business to the next and depends on the amount and types of data being collected and stored.
Both data privacy and data security are essential to a robust data protection programme. Without both in place, you will have an incomplete programme that leaves you vulnerable to attacks or costly mistakes.
Consequently, information security professionals have to implement systems and procedures to comply with the laws, however they are written. I think it is time for the community of those who work in our field to ensure that their work is not being used to hurt people and their legitimate interests. Designing "privacy" into systems where a breach would have no real consequences diminishes the attention that is required to protect us against truly intrusive systems.
Data privacy and your business
In conclusion, data privacy is critical to the survival of modern businesses, and organisations' leaders should embed data privacy into every process and policy that touches consumer data within their company. No matter what size your business is, how mature your compliance programme is, or how many people are on your compliance team, most businesses have room for improvement when it comes to data privacy.
Take some time, sooner rather than later, to evaluate your company's data privacy policies and practices to make sure you are using all the resources at your disposal to protect your clients' data, your business's bottom line, and your customers' trust in your company. In this regard, Delta3 International stands ready to support your organisation.
I will further address the notion of privacy by design in a future article.
About the Author
Del Aden is a UK-based Enterprise Solution Architect and InfoSec Evangelist. Currently, Del focuses on helping customers prevent security breaches, implement digital transformation and advising on business continuity strategies and exercises. In addition, Del provides security education to businesses and consumers by distilling complex security topics into actionable advice. Do you have something to say about this article? Share your thoughts and drop me a message via WhatsApp: +44 7973 623 624 | Email: [email protected] | Web: www.delta3.co