Happy Data Privacy Day! Begun in 2007 in the European Union (E.U.) and adopted by the U.S. in 2008, Data Privacy Day is an international effort to encourage better protection of data and respect for privacy. It’s a timely topic given the recent enactment of the California Consumer Privacy Act (CCPA). Citizens and governments have grown concerned about the amount of information that organizations collect, what they are doing with the data, and ever-increasing security breaches. And frankly, they’re right. It’s time to improve how organizations manage data and protect privacy.
Let’s look at some concrete steps you can take to begin that process in your organization. But first, a little context.
The data privacy landscape
Since Data Privacy Day commenced in 2007, the amount of data we collect has increased exponentially. In fact, we generate “2.5 quintillion bytes of data per day!” Unfortunately, we’ve also seen a comparable increase in security incidents. There were 5,183 breaches reported in the first nine months of 2019, exposing a total of 7.9 billion records. According to the RiskBased Data Breach QuickView Report 2019 Q3, “Compared to the 2018 Q3 report, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent.”
In response to these numbers, governments across the globe have passed or are debating privacy regulations. A few of the key milestones:
- Between 1998 and 2000, the E.U. and the U.S. negotiated Safe Harbor, a set of privacy principles governing how data transferred across the Atlantic must be protected.
- In 2015, the European Court of Justice overturned Safe Harbor.
- In 2016, Privacy Shield replaced Safe Harbor and was approved by the courts.
- In 2018, the General Data Protection Regulation (GDPR) took effect in the E.U.
- On January 1, 2020, CCPA took effect for businesses that operate in California.
Last year, GDPR levied 27 fines for a total of € 428,545,407 (over $472 million USD). California will also levy fines for violations of CCPA. Compliance is clearly important if your business resides in a region or employs persons in regions protected by privacy regulation. But protecting privacy is also the right thing to do. Companies who stand on the side of protecting the consumer’s data can differentiate themselves and earn customer loyalty.
Don’t build a data privacy program, build a data privacy culture
Before you get started, recognize that improving how your organization manages personal data means building a culture that respects privacy. Break down silos and engage people across the company. Legal, Marketing, SecOps, IT, Senior Managers, Human Resources, and others all play a part in protecting data.
Embrace the concept that privacy is a fundamental human right—Privacy is recognized as a human right in the U.N. Declaration of Human Rights and the International Covenant on Civil and Political Rights, among other treaties. It’s also built into the constitutions and governing documents of many countries. As you prepare your organization to comply with new privacy regulations, let this truth guide your program.
Understand the data you collect, where it is stored, how it is used, and how it is protected—This is vital if you’re affected by CCPA or GDPR, which require that you disclose to users what data you are collecting and how you are using it. You’re also required to provide data or remove it upon customer request. And I’m not just talking about the data that customers submit through a form. If you’re using a tool to track and collect online user behavior, that also counts.
This process may uncover unused data. If so, revise your data collection policies to improve the quality of your data.
Determine which regulations apply to your business—Companies within the E.U. that do business with customers within the E.U., or employ E.U. citizens, are subject to GDPR. CCPA applies to companies that do business within California and meet one of the following requirements:
- Have a gross annual revenue of more than $25 million;
- Derive more than 50 percent of their annual income from the sale of California consumer personal information; or
- Buy, sell, or share the personal information of more than 50,000 California consumers annually.
Beyond California and the E.U., India is debating a privacy law, and Brazil’s regulations, Lei Geral de Proteção de Dados (LGPD), will go into effect in August 2020. There are also several privacy laws in Asia that may be relevant.
Hire, train, and connect people across your organization—To comply with privacy regulations, you’ll need processes and people in place to address these two requirements:
- Californians and E.U. citizens are guaranteed the right to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information.
- Under both regulations, organizations are held accountable for responding to consumers’ personal information access requests within a finite timeframe.
The GDPR requires that all companies hire a Data Protection Officer to ensure compliance with the law. But to create an organization that respects privacy, go beyond compliance. New projects and initiatives should be designed with privacy in mind from the ground up. Marketing will need to include privacy in campaigns, and SecOps and IT will need to ensure proper security is in place to protect the data that is collected. Build a cross-discipline team with privacy responsibilities, and institute regular training, so that your employees understand how important it is.
Be transparent about your data collection policies—Data regulations require that you make clear your data collection policies and provide users a way to opt out (CCPA) or opt in (GDPR). Your privacy page should let users know why the data collection benefits them, how you will use their data, and to whom you sell it. If they sell personal information, California businesses will need to include a “Do not sell my personal information” call to action on the homepage.
Extend security risk management practices to your supply chain—Both the CCPA and the GDPR require that organizations put practices in place to protect customer data from malicious actors. You must also report breaches in a timely manner. If you’re found in noncompliance, large fines can be levied.
As you implement tools and processes to protect your data, recognize that your supply chain also poses a risk. Hackers attack software updates, software frameworks, libraries, and firmware as a means of infiltrating otherwise vigilant organizations. As you strengthen your security posture to better protect customer data, be sure to understand your entire hardware and software supply chain. Refer to the National Institute of Standards and Technology for best practices. Microsoft guidelines for reducing your risk from open source may also be helpful.
Microsoft can help
Microsoft offers several tools and services to help you comply with regional and country level data privacy regulations, including CCPA and GDPR. Bookmark the Security blog and the Compliance and security series to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity and connect with me on LinkedIn.
The post Data privacy is about more than compliance—it’s about being a good world citizen appeared first on Microsoft Security.