General security

5 best practices for ensuring data privacy

Susan Morrow
July 27, 2018 by
Susan Morrow

2018 must surely be the year of privacy. In a recent poll, 63% of U.S. adults said they would NOT be willing to share personal data in exchange for ads to keep a service free. This outcome is likely due to recent raised public awareness of privacy and its impact on lives. Much of this is thanks to the high-profile of GDPR compliance and the recent Facebook debacle.

Privacy has become an issue for all, and the general public's understanding of what privacy actually is has improved. Because if this, data privacy now touches both the enterprise and the individual.

But far from being a negative, attention to data privacy can have positive effects on a business. Being “privacy-respectful” is part of the exercise taken by a company to build relationships with customers. Time and again, data breaches result in not only lost information, but lost reputation and damages too. This can include share price drops — a typical example being the case of Equifax, which experienced a drop of 35% post-data breach.

Privacy, or specifically, the application of tenets of privacy to data, is often seen as a massive hurdle to cross for a company. How do you apply something that seems so amorphous? Well, privacy is part of a process, and that process can be achieved using some simple forethought and best practices.

 

5 best practices for getting privacy right

If you have dealt with GDPR at all, you will have heard of the phrase “Privacy by design and default.” This encapsulates an ethos which encourages the baking-in of privacy across technology, systems, processes and people.

The result of the actions taken to implement this is a “culture of privacy.” Having a culture of privacy will instill in your employees and wider business associates an appreciation of why data should be given privacy respect, and how this can be achieved. The best practices below can help you to begin your journey to a culture of privacy:

1. Practice minimal data collection

A rule of thumb when collecting data is to only collect what you need. For example, if you don’t need to know someone’s date of birth or their name prefix, e.g. Mr., Ms., Miss, then don’t collect it. This helps to save you bandwidth in protecting that information, too.

When collecting personal data, think of alternative ways of dealing with it. This can include using a “verify not store” framework wherever possible. This type of system uses third-party data sources to check the user’s input, verifying it does belong to them, and that they are who they say they are; after that, minimal or no actual data needs to be stored.

A typical use of this would be in a Know Your Customer (KYC) system. You could check that individual using passport, CRA, and other data checks, then assign a KYC level to that customer without storing some or all of the data input.

Or if you do collect it, but can apply minimal disclosure to these data — do so. In practice, this would mean that when you do share data with another service (e.g. the person’s age), you only show certain aspects of these data (e.g. date of birth becomes age over X).

2. Make it a two-way conversation

Privacy can become a way to engage with your customers and show them you respect their data. GDPR sets out to make the use of consent an integral part of data collection and use.

When you design your user experience and associated UI, build in consent models whenever you collect or use data.

Also consider offering a system of consent receipts wherever possible. Take a look at the work being done by the Kantara Initiative on the use of consent receipts.

3. Practice robust data security

Privacy covers many areas, including the ability to choose to share data. However, to apply these choices and to protect the underlying data, security measures need to be implemented.

Security, especially in cloud-based services, needs to be applied across multiple layers. This starts with understanding what your data is and classifying it correctly. Is it sensitive data? Will it need extra protection?

You must then look to measures such as access control, privileged access management (PAM) credential choices and management, encryption and web app security, including database protection.

4. Encourage education and awareness

Education on security and privacy issues is not just about your employees becoming security-aware. You should also endeavor to educate your customers about security and privacy. This can include regular advisories on patching, protection of credentials, phishing and so on.

5. Create achievable policies and SLAs with third parties

Privacy is a whole-system effort. Any touchpoint within your company, across your services, and in the way you process data and manage customers has a potential impact on privacy.

Security and privacy policies MUST reach out to the extended data and vendor ecosystem.

Make sure that these policies are enforceable by making them achievable. Set out ways to measure their implementation and effect. Avoid making sweeping statements on data; instead, break it down into bite-size pieces. Remember that human beings have a habit of making up their own paths when one path is blocked. If you close off a certain technology that was liked, give users a safe and usable alternative.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Conclusion

Privacy is an important aspect of the modern business. This is especially true as we transform and digitize our operations. Placing privacy into perspective and understanding that it is about customer respect as much as complying with regulations like GDPR will set your business apart.

A privacy-respectful company will reap the benefits of their data diligence through improved customer relations and a trusted brand image. Getting data privacy right from the outset should be as much a part of your business goals as your day-to-day operations.

Sources

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.