Data Privacy Day — how do you want your information treated?
Today, January 28, the key word is privacy: who has your information, what they’re doing with it, and whether you, the individual, have any kind of control over that information.
The world is still catching up
Back in 1997, the early days of the internet, data privacy wasn’t a phrase. If you were interested in your privacy, you might have written a letter asking that your home telephone number be delisted from the public telephone directory. Stealing personal information would have involved breaking into a location and taking floppy disks, or even a few filing cabinets full of paper.
In 2020, it’s estimated that 1.7 megabytes of data are produced per person, every second. It’s effectively impossible in large areas of the planet to exist without leaving a digital footprint. Without those digital records, it’s extremely difficult to get a job, to get healthcare, to get simple access to money, to travel. Because of that, data privacy is now very nearly the phrase.
Joanna Steel, Information Assurance Analyst, Trulioo: “The explosion in information sharing that the World Wide Web enabled has resulted in an unprecedented amount of data being made readily available. As understanding of all the ways that this information could be used has spread, we’ve collectively moved from excitement, to caution, to giving control back to individuals over how much of themselves they want to share.
“Data privacy is one of the fastest growing and most rewarding fields to work in today, because it enables people to make informed choices about how they interact with the world.”
Data privacy and information security are currently listed as skills shortages in multiple countries. It’s a testament to just how fast personal data has grown in importance, and to the extent to which individuals, companies, and governments are scrambling to catch up.
Data protection challenges
Protecting personal information is complicated by the fact that companies have procedural and budgetary restraints, and governments need time to study problems, come up with solutions, and get legislation approved. Given the pace of innovation, this means that security measures and legislation are out of date in some cases before they’re even finalized.
Criminals have few such restraints. Worldwide, the take from cybercrime is predicted to exceed $6 trillion by 2021, making it more lucrative than even the drug trade, and the most sought-after information in hacks is personal information. Today, unlike in 1997, stealing vast amounts of personal information only requires having an internet connection and finding an exploitable information security weakness.
Personal information is overwhelmingly collected, stored, and consumed in the online environment. This means that data protection doesn’t just concern a data protection officer or a compliance specialist; it also requires a team of information security specialists with tools and training and access to a constant stream of information on current threats and their own organization’s environment. To put that into perspective, a 2019 study by IBM indicates that the average total cost of a data breach was 95% higher in organizations without security automation deployed.
The importance of dismantling the silos
When it comes to data privacy, legal and information security concerns are inextricably bound together. Companies that fail to adapt to that fact place themselves at increased risk of a breach and all the potential long-tail consequences of reputational impact and legal action.
For example, under the General Data Protection Regulation, companies are mandated to ensure appropriate security of personal data and to use appropriate technical or organizational measures. The California Consumer Privacy Act draws a clear distinction between the theft of encrypted files and the theft of non-encrypted files. For context, hackers steal an average of 75 records every second, and the fastest hackers in the world can infiltrate a network in 18 minutes.
A compliance team can spread awareness of obligations, but without an information security team to implement solutions and, perhaps most importantly, to monitor them and keep them up to date, that awareness is useless.
At Trulioo, where development is done in-house and personal information is at the core of our business, we’ve found that two initiatives are of key importance:
- Really, dismantle the silos. It’s crucial to have our information security, our legal, and our compliance teams in close communication. Those teams become an information resource for teams as diverse as app development and human resources to ensure that questions are investigated and information is made available.
- Ensure that security and legal compliance conversations are incorporated early on. Once teams start bolting security onto the end of projects, it impacts deadlines and it impacts the effectiveness of the solution. The earlier in any project that security and compliance can be discussed, the more likely it is that the final product will be secure and compliant, and the less likely it is that there will be an unforeseen impact on cost, timing, or operations.
Data privacy moving forwards
Data privacy is a critically important topic, not only because of the risks incurred by sub-standard security or legal non-compliance, but because an individual’s digital identity is increasingly the benchmark of their existence. If you were born after the mid-1990s, the chances are good that your entire life is documented in digital archives in various locations around the world. At the moment, your rights to access, update, move or delete that information are patchwork. However, as of the end of 2019, 107 countries worldwide have some kind of data protection legislation on the books, and more are being announced every day.
Rather than addressing data privacy as a checkbox, or a series of inconvenient hoops to jump through, the fundamental question should be: “If this were my identity, how would I want my information to be treated?” If companies are able to approach their data privacy from that standpoint, and design security and operational measures to support it, then we will be in a solid position to empower consumers worldwide to engage with us safely and make informed decisions about how they want to interact with the world.