On January 28, 2020, we observed the 12th anniversary of Data Privacy Day to remind ourselves – businesses, organizations, and individuals – of the need to think Privacy First and of the distance we still have to cover to establish data protection and privacy.
In this article, we discuss in detail why data privacy is a pressing concern, especially for businesses, and some best practices to ensure the highest levels of privacy protection.
Data privacy is essentially about handling all data/ information related to a person/ entity’s identity (such as name, passport number, social security number, biometric records, financial information, etc.) with the utmost respect for confidentiality and anonymity. Examples of such data:
It is no news that we are generating several quintillion bytes of data every day. It is almost a given these days that businesses leverage data for a range of purposes across the organization. The challenge is to strike a balance between the use of personal data for business purposes and the individual’s right to privacy. With the ever-increasing number, frequency, size, magnitude and sophistication of data breaches, privacy protection of data is emerging as undeniably one of the most pressing and defining concerns of the modern digital era; a concern that is starting to extend beyond the IT and cybersecurity spaces.
The refrain “new day, new data breach” shows how far behind businesses, even the most tech-forward ones like Facebook and Yahoo, are in fulfilling their data privacy obligations towards individuals – customers/ users/ clients, employees, vendors, partners, etc. Even when businesses use personal data with the permission of the individuals in question, as mandated by privacy laws, a data breach is a gross violation of customer/ employee/ stakeholder trust, in addition to violating privacy protection laws such as GDPR, HIPAA, CCPA, etc.
Organizations often think that they need not bother about data privacy if there is no legislation in this regard in their country/ region. Every company, irrespective of its nature, location or size, must take action immediately, make the right investments and fortify its security posture and privacy protection, as governments/ courts may not wait for legislation. Take Facebook’s example – they were slapped with a USD 5 billion fine in February 2019 by the US Federal Trade Commission (FTC) for failing to protect customer data from third parties.
The cost of data breaches and breaches of data privacy is hefty. There are, of course, financial costs such as fines, class-action lawsuits, loss of productivity, escalation costs, etc. But there are also heavy reputational losses owing to the erosion of brand image, customer trust and loyalty, goodwill, etc. Larger organizations, with the resources at their disposal, may be able to recover from such losses, but many small and medium organizations are unable to make a comeback and often shut down.
Unlike other assets and resources, data is scattered within and outside the organization’s boundaries, so ensuring data privacy and protection is no easy task. Simply increasing investments or buying an expensive security solution does not make the cut; there needs to be a company-level compliance program with well-documented KPIs that is embedded in the company’s culture. Steps must be taken to improve granular architectural control of data by focusing on three important components of the organization’s culture – people, processes, and technology.
It is not too late to begin your data privacy protection journey. Use the best practices outlined above to become an ethical, responsible and trustworthy steward of data.
Ashish Pradhan is responsible for all technology functions, such as engineering, client services and customer support, at Indusface. Prior to joining Indusface, Ashish held various senior leadership roles at Symantec Corporation in India and the USA. During his 25 years of global experience in the software industry, Ashish has helped create and grow a broad variety of software products spanning the systems management, IT compliance, and information security domains.