Data has been instrumental in disrupting nearly all functions of business today. Due in large part to the adoption of technology that aids in intelligent data collection and analysis, valuable insights are helping companies improve decision making related to everything from customer service to trends and correlations taking place within their own workforces. Data is the currency of business, and its value is increasing exponentially.
The insatiable thirst to collect, analyze, store, and, in some cases, purchase or even steal data has also disrupted another key area of concern for businesses: data privacy and security. Not only are companies recognizing its growing value, so too are hackers and cybercriminals. These factors combined have created a perfect storm for those tasked with managing and securing critical data systems.
More importantly, perhaps, is that our attitude toward privacy has further complicated business matters internationally. To date, U.S. data privacy laws, such as HIPAA, remain few and far between, and their enforcement against violators has been lax at best. Further, last year, the European Court of Justice ruled the Safe Harbor Privacy Principles—a 15-year old data-transfer agreement between the U.S. and Europe involving more than 4,000 companies—invalid, citing an inability to ensure adequate protection of European citizen data as it moves overseas. In its place, the EU-U.S. Privacy Shield has emerged in draft form and, once ratified, will again provide a framework for U.S. companies to continue transferring personal information about EU citizens across borders, albeit with a more rigorous set of requirements than under Safe Harbor.
While further discussions and negotiations about the proposed replacement to Safe Harbor continue, the future is clear: U.S. companies have no choice but to shore up their data privacy and security measures in line with Europe’s progressive stance. While a necessary evolution, history has proved time and time again that companies that take proactive steps today to address future needs will be better positioned than those who attempt to meet compliance-related requirements retroactively.
Thus, any forward-looking organization seeking to gain a head start on what will likely become our most restrictive privacy guidelines to date should look to the following three areas to prepare now for what’s to come:
Shift Mindset From Data Ownership to Custodianship
A staggering 91% of adults agree or strongly agree that they’ve lost control over how their personal information is collected and used by companies, according to recent data from Pew Research. Furthermore, of those respondents, many expressed a significant lack of faith in organizations’ abilities to keep their data private and secure.
As data monetization continues to become a lucrative revenue stream for businesses, the above consumer attitudes introduce a unique dichotomy for companies eager to cash in on the digital gold rush. In an effort to leverage data to more quickly turn a profit, innovate/develop products, target customers/prospects, and gain advantages over competitors, many companies have skirted the basic fundamentals of data privacy and protection, and thus, security gaps persist that have exposed and/or put consumer information at risk.
With a growing focus on data privacy—by way of everything from the EU-U.S. Privacy Shield to the FCC’s recently proposed rules requiring ISPs to obtain permission before using and sharing customer data—companies must shift their mindset away from being “owners” of customer data. Instead, they must view themselves as data custodians. In the IT realm, leaders must make a fundamental shift toward developing products and services with data security baked in from the beginning, not as an afterthought. This “security-first” approach supports the focus on “Privacy by Design” required by the EU General Data Protection Regulation (GDPR), which Safe Harbor sought and Privacy Shield seeks to address. Privacy by Design also involves better transparency and public disclosure about what data is collected, how it’s stored, when/how it’s used, and who has access to it. By shifting focus, not only will companies be in a better position to comply with privacy-related data regulations (both now and in the future), but brand reputation will also likely experience a boost as more and more consumers demand better treatment from the companies they do business with.
Emulate the World’s Security Leaders
In today’s global economy, very few companies can claim that they do business exclusively in the U.S. The global footprints of organizations are expansive—from employees and customers to partners and other third parties—and most companies have some sort of international tie. This dynamic has created significant tension as questions about international data privacy and residency persist. Both Germany and France in particular have been in hot pursuit of U.S. tech giants such as Facebook and Google over various data privacy violations.
But, despite the fact that globalization has made data privacy and cybersecurity an international concern, the U.S. still lags behind other data privacy and protection-aware nations in both their maturity and practice. According to The Financial Times, while the EU has taken action to toughen its data protection regime, the U.S. continues to maintain “minimal restrictions” on the use of personal data. Further, one glance at Forrester’s Global Heat Map of Privacy and Data Protection by Country shows just how far behind the U.S. actually is compared to the rest of the world.
Just as California is perceived as having the gold standard in vehicle emissions requirements, U.S. companies need to look to countries such as Germany, France, and the U.K. with superior data privacy and security standards to understand what’s needed to keep pace. For CIOs and other technology leaders, this means committing to the role of data custodian, ensuring that PII is securely and fairly collected, stored, and processed for clearly stated purposes in a timely and accurate fashion, and that private data is adequately protected before transfer across borders. While naysayers may argue that the U.S. will never view data privacy as a constitutional right in the manner that its European counterparts do, consumer and regulatory patience alike (by way of class action lawsuits and regulatory penalties) is wearing alarmingly thin for companies which have been negligent with private information.
Protect the Data Itself
Every year, the RSA conference brings together the best and brightest minds in security and, with it, the unveiling of bleeding-edge technology and services that promise to make security more effective for all. While innovation is absolutely necessary in this sector, the fact remains—the most technologically advanced and secure companies and governments in the world (the U.S. included) are still getting breached. Whether through malicious or accidental means, these incidents are happening daily, and the long-term impact to consumers and companies alike is frightening.
While companies should not abandon fundamental data security practices, more emphasis on protecting the data itself is needed. Data-centric security, such as tokenization, replaces sensitive information with fake data, which looks and feels like the real thing. This means that data is protected during processing and revealed only to those who are authorized to access it. If an unauthorized outsider intercepts that information—regardless of where it is in an increasingly dispersed dataflow—all he or she would see is false, worthless data.
Despite recent controversy surrounding Apple and the FBI, from a compliance perspective, data-centric security solutions are strongly favored. In many U.S. jurisdictions, the loss, theft, or exposure of encrypted data is exempt from breach notification obligation while Germany—arguably the world’s most passionate defender of data privacy rights—and the GDPR note tokenization as meeting their stringent requirements for the de-identification of data. As global scrutiny intensifies on how the U.S. will address its privacy and cybersecurity-related challenges, securing the data itself remains the only proven way to both satisfy international requirements, as well as deter hackers who are desperate to gain access to an organization or government’s most sensitive information.
While the world waits to learn the fate of Privacy Shield, U.S. businesses should take a proactive approach now to advance data privacy measures within their own organizations. This requires both a cultural mindshift in the way that data is managed and controlled in the enterprise, as well as a greater emphasis on protecting the data itself as part of a modern security framework. By raising security standards to match those who have set the bar the highest, companies will not only be able to comply more seamlessly with modern data privacy laws, but will also be able to at long last solidify their positions as trusted partners that put data protection first, no matter what side of the border—or corner of the world—customers reside.
Image courtesy of Shutterstock