From high-profile celebrity hacks to social media whistleblowers and COVID-19 scammers, data privacy is a topic that reached just about everyone in 2021. While the general public may be concerned with maintaining their digital identity, businesses, especially small and medium businesses, and other organizations need to treat data privacy as a priority that can determine their success going forward.
Frédéric Rivain, CTO, Dashlane.
A comprehensive and holistic approach to data privacy is critical to instill consumer confidence in your brand, maintain a trusting relationship with vendors and partners, ensure employee privacy, and remain compliant with regulatory and professional standards. Data privacy must be backed by strong cybersecurity practices.
Data privacy is a priority on the global, national, and local levels
According to the National Law Review, 65 percent of the world’s population will have its data covered under modern privacy regulations by 2023. This is a large increase from 10 percent in 2021, indicating the priority governments worldwide place on data privacy.
In May of 2021, US President Biden issued an executive order stating that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The administration followed with National Security Memoranda in August 2021 and January 2022, designed to “encourage, develop, and enable deployment of a baseline of security practices, technologies, and systems that can provide threat visibility, indications, detection, and warnings.”
The high priority placed on security and data privacy at all levels of government is commendable. However, the patchwork approach to data privacy regulation, no matter how well-intended, is a potential minefield for organizations that have not historically taken data privacy seriously.
Making data privacy a priority in your organization
Understanding the data privacy rules and regulations in the markets where you collect data or do business is only the baseline for organizations that prioritize data privacy. To actually change how data is protected and secured, organizations need to take a holistic approach covering policy, process, technology, and training.
Define your company privacy stance
As a company, it is important to establish the key privacy principles that guide how you offer your service or build your product for your customers, so that everyone across the organization, from product and engineering to sales and marketing, thinks about data privacy in the same way. One way to do this is to write an internal Privacy Stance that any employee can reference and use as a decision aid.
Create a culture of security
The first line of defense for data privacy is to create a culture of cybersecurity within your organization. Employees need to understand their roles in protecting your company’s data and IT resources, become active participants in ongoing security conversations, and have the tools they need to maintain good security habits without impeding their work. Organizations with a strong security culture will:
- Help employees understand why they need to maintain good password habits.
- Actively and frequently discuss the importance of having a security culture at your company.
- Instill the understanding that data privacy and security are everyone’s job (not just IT’s), because security is only as strong as its weakest link.
- Walk employees and admins through all your privacy and security apps and tools, and ensure they understand how and when to use them.
Train employees on what data privacy is and how to report suspected breaches
Employees who receive comprehensive data privacy training tend to view it as more of a priority and understand its importance to the organization. At a minimum, employees who handle Personally Identifiable Information (PII) should receive training on recognizing and protecting that data.
Employees should also be made aware of current trends in phishing scams. The pace of modern business leads employees to look for shortcuts or skip proper procedures regarding data privacy, and this is one of the areas cybercriminals love to exploit.
Data privacy breaches aren’t always some grand hacking scheme by malevolent outside actors. In fact, research from Verizon in 2021 suggests that insiders are responsible for approximately 22 percent of all security incidents. Examples of data privacy breaches include:
- Accessing personal or sensitive data by an unauthorized third party (vendor, partner, other customers).
- Sending personal data to an incorrect recipient (such as the wrong mailing or email address).
- Losing control of devices such as phones, laptops, or memory drives that contain personal data. These devices could be lost, stolen, or hacked, but once they are out of your control you should treat them as breached unless you can show the data on them was encrypted and the keys did not go with the device.
- Alteration of personal data without permission. This could be a deliberate or accidental action by someone who controls or processes personal data.
Any of these scenarios can be considered data privacy breaches, and it is critical that employees understand when to report these breaches and how to do so without fear of reproach.
Implement processes and technology to make employees' lives easier
If everyone in your organization is responsible for data privacy, then they all need the right tools to do the job. In many cases, organizations attempt to secure data using a “one-size-fits-all” approach that combines existing off-the-shelf software with generally reasonable password policies and other rules.
According to a comprehensive report presented to the Network and Distributed System Security (NDSS) Symposium, “This approach often fails, resulting in software that does not address the most pressing vulnerabilities of the organization and in policies that are hard to follow in practice and engender workarounds. The workflow of the organization is often a major reason for the poor fit.”
One of the biggest changes in information security technology over the past few years is the consumerization of technology. Employees need simple-to-use security tools such as password managers, endpoint security, and antivirus software that help them secure their on-premises, remote, and hybrid workstations and mobile devices.
One of the advantages of using web-based security technology is that it can enable analytics and other monitoring tools to help track and measure your progress. For example, some offerings have a password health feature that can track company-wide password security scores over time.
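As an added illustration of what such a company-wide password health score can measure (this is example code written for this page, not Dashlane’s or any vendor’s actual scoring logic), the Python below scores a constructed sample vault on three signals: password reuse across accounts, weakness by a naive character-pool entropy estimate, and presence in a breached-password set, checked the way the Have I Been Pwned range API is queried (only a five-character SHA-1 prefix leaves the client). The vault entries, the breached list, the 60-bit threshold and the scoring formula are all assumptions for the example; password age is deliberately not scored, in line with NIST SP 800-63B’s advice against forced periodic rotation.

```python
import hashlib
import math
from collections import Counter

# Constructed sample vault for this example; none of these are real credentials.
SAMPLE_VAULT = [
    {"site": "crm.example.com", "user": "alice", "password": "Summer2021!"},
    {"site": "mail.example.com", "user": "alice", "password": "Summer2021!"},
    {"site": "vpn.example.com", "user": "alice", "password": "p9$Lx#2vQm7!wRtE"},
    {"site": "wiki.example.com", "user": "alice", "password": "password"},
]

# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1
# as the Have I Been Pwned range API returns its suffixes.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "123456", "Summer2021!"]
}

WEAK_THRESHOLD_BITS = 60  # assumed cut-off for this example


def entropy_bits(pw: str) -> float:
    """Naive brute-force entropy: length * log2(character pool size).

    This over-estimates dictionary-based passwords such as 'Summer2021!',
    which is exactly why the compromised check below is also needed.
    """
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def is_compromised(pw: str, breached=BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: select by 5-char SHA-1 prefix, compare suffix locally.

    Against the real service the prefix would be the only thing sent over
    the network; here the 'range response' is simulated from BREACHED_SHA1.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_response = {h[5:] for h in breached if h.startswith(prefix)}
    return suffix in range_response


def assess_vault(vault, breached=BREACHED_SHA1):
    """Return (score 0-100, per-entry findings) for a list of vault entries."""
    reuse = Counter(e["password"] for e in vault)
    findings = []
    for entry in vault:
        pw = entry["password"]
        issues = []
        if reuse[pw] > 1:
            issues.append("reused")
        if entropy_bits(pw) < WEAK_THRESHOLD_BITS:
            issues.append("weak")
        if is_compromised(pw, breached):
            issues.append("compromised")
        findings.append({"site": entry["site"], "issues": issues})
    healthy = sum(1 for f in findings if not f["issues"])
    score = round(100 * healthy / len(findings)) if findings else 100
    return score, findings


if __name__ == "__main__":
    score, findings = assess_vault(SAMPLE_VAULT)
    print(f"password health score: {score}")
    for f in findings:
        print(f"  {f['site']}: {', '.join(f['issues']) or 'ok'}")
```

Tracking the score over time is then a matter of storing each run’s result with a timestamp; the per-entry findings are what an admin would use to prioritize which accounts to fix first (a reused and compromised password on a production system before a merely weak one on a low-value site).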
Walking the data privacy walk
Data privacy tools are not a band-aid to cover up poor cybersecurity literacy. Organizations have to implement a culture of security that brings policy, procedure, training, and technology together in a way that impacts every interaction – internal and external – with sensitive data.
Smart organizations that implement a holistic approach to data privacy are well suited to succeed. They can reduce their risk, improve compliance, strengthen customer relationships, and foster goodwill and cohesiveness among their employees.