If one good thing came out of the Facebook-Cambridge Analytica data privacy scandal, it was public awareness about data privacy. Mark Zuckerberg has made numerous apologies for the lack of respect for customer data and often refers, warmly, to the Facebook user base as a “community.” Although the jury’s still out on the privacy practices of Facebook and many other mega-corporations like Google, this idea of a community is a key one. As IT professionals, it is now not only a duty of compliance but an act of respect to take data privacy seriously.
In this article, we’ll take a look at eight things that you need to consider when looking at the data privacy practices of your organization.
8 Privacy Practices to Respect Your Customer Community
Privacy by Design (PbD) is a fundamental tenet that determines the privacy of a given system. It encourages the development of configuration, implementation and UX — with data privacy as a central requirement.
Privacy by Design is a process. It starts with data and ends with data and every part of the life cycle of a project in between, encompassing the IT system build, regulations, external parties, policies and business strategies. The following areas can be considered an intrinsic part of the PbD of an organization’s digital data infrastructure.
Inventorying and Updating Systems and Information
Data is a highly fluid entity in today’s hyperconnected world. A cybersecurity audit would typically look at your extended network to locate points of failure and map the attack surface. The same sort of methodology is needed to understand your data inventory and life cycle.
During this process of inventorying you need to include all devices and applications that come under your remit. This includes shadow devices, IoT devices and Cloud applications, as well as those used by associated third parties. All of these devices and applications can act as data conduits, and as such, can be points of failure in your privacy. Think about carrying out a Data Privacy Impact Assessment (DPIA) across your extended network.
Deleting Unnecessary Information
“If you don’t need it, don’t keep it” should become your catch-phrase for privacy. Extraneous data is data that can be compromised or exposed and just adds dead weight to your already-busy job. Securely delete any data that is not needed by your business.
Setting and Reviewing Access Controls
Access control to data stores is a known point of attack. Make sure that access controls are robustly configured. You should follow the advice from the NIST Special Publication 800-63B
about password policies and the use of second factor. Establish a “Principle of Least Privilege”: never give anyone or anything any more rights than they need to carry out their job.
According to CA technologies, insider threats cause 90% of enterprise concern over lost data. This concern isn’t just about malicious insiders; it’s also about the accidental exposure of data. Keeping tabs on what employees are doing with personal data not only prevents your organization from bad press, but your customer from data exposure. Tools such as data loss prevention (DLP) can help automate the process and prevent loss of sensitive data via email, for example.
But be wary: there are also new laws, such as GDPR, which may apply when monitoring employees.
As we connect our supply chains and automate our services, vendors become more intrinsically-linked with the customer data life cycle. This means that in order to spot possible points of privacy leakage, we have to include vendors in any inventorying and data life cycle mapping being done. In doing so, we can begin the process of closely managing data access and sharing across our vendor ecosystem.
Assisting with Developing and Implementing Policies and Training
Create a guide which sets out your organization’s approach to data privacy. This will become your foundation stone in creating a culture of privacy. All members of staff and beyond, need to be involved at some level with the generation of this policy.
The policy can be a stand-alone policy specifically addressing data privacy, or it can be part of a wider security policy. Whichever you choose, the policy needs to be aligned with your business goals, and staff can feed into this from their own experience of their particular department.
Regulations and privacy laws like GDPR mandate that an organization have a structure in place to train employees in various aspects of data privacy. Privacy awareness training should be given to all members of staff, including at executive level.
Customer Choice and Consent
Privacy is about choice. Make sure that the structures you have in place for collecting customer data and any subsequent processing of it capture the choice of the customer. This is often taken as consent to use the data for various purposes. But in fact, choice is what gives consent meaning. Facebook is currently being taken to court over GDPR data privacy violations because they collected consent without true choice. The case rests on the lack of choice — users either having to consent fully or delete their account.
Data Privacy and Compliance
You know data privacy has hit the mainstream when regulations and laws begin to reflect the issues. Laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act have set stringent expectations on the collection, sharing, processing, and management of personal data. Other industry-specific regulations, such as HIPAA in healthcare and the Dodd-Frank Act and BASEL II in finance, have at least given a nod to some aspects of data privacy.
Conclusion: Finding Focus
Data privacy is firmly on the agenda, partly because of privacy exposes such as Snowden and Facebook but also because the world we live in is increasingly digitized. This digitization has created a control issue and data privacy violations are the expression of that. As IT professionals, we must be prepared to understand the nuances of the world of data privacy and how to address customer concerns. These eight privacy-related practices will help you to find a focus on data privacy and establish a better relationship with your customer base.
Insider Threat Report 2018, CA Technologies