In 2023, regulators around the world stiffened or vowed to tighten their data privacy and cybersecurity laws. Expect more of that in 2024.
With Data Privacy Week starting today, it’s a development that should worry data privacy officers, CISOs, and CIOs who aren’t prepared.
In the U.S., the WilmerHale law firm noted, the Federal Trade Commission (FTC) last year expanded its definition of the “unfairness” doctrine under Section 5 of the FTC Act in the privacy context, asserting that an alleged data privacy violation goes beyond just being deceptive to the consumer; it is outright unfair.
Separately, this month the FTC proposed sanctioning a data broker for selling precision location data of mobile users without their consent.
In Canada, Parliament is debating a new Consumer Privacy Protection Act (CPPA), which would expand the powers of the federal Privacy Commissioner.
This means that, more than ever, Data Privacy Week is a period when public and private sector leaders should re-examine their data privacy and protection controls, or start planning to create those policies.
It’s one thing to have a cybersecurity policy to prevent and respond to cyber attacks. It’s another to have a policy on what your organization collects, how it processes that data, how transparent it is to customers and partners about the sale or distribution of that data to third parties, and how long data is kept.
Here’s a small reminder of the pitfalls: In 2019, Canadian financial services provider Desjardins Group learned an employee had copied data on 9.7 million current and former customers. Of that number, half were customers whose banking or credit card accounts had expired and whose information didn’t necessarily have to be kept.
If being squeezed by governments isn’t enough, privacy pros worry about not getting support from the C-Suite. In a just-released report, ISACA (formerly known as the Information Systems Audit and Control Association) says a global survey of 1,300 professionals who work in data privacy roles found nearly half of respondents (43 percent) say their privacy budget is underfunded. Only 24 percent expect to get a budget increase this year.
They said the biggest privacy failures in their organizations were lack of or poor employee training (49 percent), not practicing privacy by design (44 percent), and data breaches (42 percent).
“Unfortunately,” said Qaiser Habib, director of engineering and Toronto site lead at Snowflake, a Montana-based cloud compute and storage platform, data privacy “is one of those missions where you hear about it only when something goes wrong.”
“Things like Data Privacy Week are an important reminder to reassess, to make sure everything is working as expected,” he said in an interview.
During this week, he said, data privacy pros should be asking if the electronic data held by their organization is safe, if the organization follows legal and regulatory requirements, if the right data access controls have been implemented, if data has been properly classified for storage and protection, and if staff is properly trained to meet data privacy requirements.
“Data privacy week is an important reminder to organizations, individuals, and businesses alike to safeguard their data and maintain compliance,” said Greg Clark, director of product management at OpenText Cybersecurity. “It is also an opportune time to take privacy to the next level.”
Given the vast amounts of data organizations have—which will grow exponentially with AI, machine learning (ML) and generative AI—using disparate methods to collect, process and manage data will no longer be enough, he said.
In today’s increasingly digitized world, a modern data privacy program needs to unify data discovery and protection to improve privacy and security posture, he noted. By modernizing and taking data privacy to the next level, organizations can remediate risk and ensure compliance and the responsible use of data while reducing their power consumption and carbon footprints from managing data. Most importantly, he added, gaining control over data creates an opportunity to strengthen trust with investors, boards, business partners and customers in the face of increasingly stringent regulations and a complex security landscape.
“Up levelling data privacy should not be overlooked,” Clark said. “Organizations should take control this data privacy week to safeguard their data.”
He said that best practices privacy leaders should be implementing in their data privacy programs include:
— Understanding your data: Most organizations don’t understand how much sensitive or high-value data they have, nor where it is located. Understanding is key to reducing your data footprint and threat landscape. Data discovery tools, especially those that go beyond data mapping or metadata scans, are essential for privacy programs as they help find data, understand risk, and set priorities with internal stakeholders and business owners to mitigate compliance and financial risks;
— Putting in place privacy-enhancing technologies (PET) to help preserve privacy while data is in use by the business. These include anonymization or de-identification of personal data. This is increasingly important for protecting unstructured data before it hits AI in large language models;
— Wrapping your data privacy strategy in your Zero Trust approach to data access control and cybersecurity;
— Cleaning up your house. The risks presented by over-retention, global privacy regulations, and cyber threats are huge, not to mention the resources required to maintain data estates. Data minimization can help keep data and application sprawl in check.