Protecting citizens' privacy is ingrained in the history of the United States; one can look back to the creation of the constitution for proof. For example, the fourth amendment protects against unreasonable search and seizure, while the fifth protects against self-incrimination. The nation's founders recognized the importance of guarding personal privacy to maintain citizens' safety and general well-being. As a result, individual citizens' right to privacy was woven into the country's fabric, and it has been reinforced time and time again in the centuries since.
Grady Summers, Executive Vice President of Product at SailPoint.
The foundational values that informed these initial privacy laws can be viewed as a roadmap for today's privacy-related statutes. Take the California Consumer Privacy Act (CCPA), which was enacted in 2018 and regulates modern personal data collection and use to prevent an individual's privacy from being breached. Or Data Privacy Day originated 41 years ago and brings awareness to how European organizations and individual users can implement best practices in data protection. When enacting data privacy day four decades ago, it's doubtful the Council of Europe could foresee the digital landscape we operate in today and the increasing importance of data privacy – much less the U.S. founding fathers trying to comprehend digital data privacy more than two hundred years ago.
As modes of data creation, collection and use continue to evolve, governments and organizations across the world are tasked with evolving data privacy laws at the same rate. And while many countries have made great strides in upholding data privacy as our digital footprint has grown, the job is never done. What next steps can we take in ensuring that data privacy, a constitutional right, depending on interpretation, is maintained? From an organizational standpoint, evolution in protecting the data of individuals relies on further communication, compliance, and integrating privacy as a core value.
Communicate how data is used
For enterprise organizations, user data is best protected when all affected parties are on the same page regarding where that data is stored and what it is used for. When data is siloed or individuals are left in the dark about how their information is leveraged, data is more susceptible to misuse. As a result, customers risk being uninformed when their personal identifiable information (PII) is tampered with, whether it be due to malpractice by the organization or theft by malicious hackers.
Organizations must be able to locate and retrieve user data upon individual request, and they have to let users know if their data has been impacted by any malicious activity. When it comes to data privacy, transparent communication is always a best practice. A user should always be informed about how their collected data is used, how it is protected, what privacy options they have, and how they can alter (or opt-out of) how their data is used. If those four boxes are checked, data misuse is far less likely. As a result, organizations must be able to locate and retrieve specific data points on-demand (more on that in a second).
Comply with global regulatory laws
Data privacy laws continue to grow in number and significance. The European Union's 2016 General Data Protection Regulation (GDPR) is a landmark example, setting guidelines for collecting and processing PII for Europeans. Awareness of and adherence to data privacy laws promotes a framework conducive to protecting user data and investing in the supportive technology needed.
Right-to-be-forgotten capabilities provide a great example. Is your organization technologically able to delete user accounts and any associated personal data on command? I hope so (GDPR already requires this capability). However, following right-to-be-forgotten regulations is not such a simple task when one considers that personal information for users is often located across various files, applications, and databases. Data subject access requests are another common feature in most global data privacy regulations, carrying similar complexities. Therefore, preparation and prioritization are key in ensuring data privacy regulation compliance.
Modern data privacy is shaped by the policies we've created and embraced globally. If such laws are not internalized and a reference by organizations, then data privacy will devolve.
Make data privacy a core value
Adhering to the CCPAs and GDPRs of the world is an important step in protecting data privacy, but organizations must also prove that they are investing in privacy through technology integrations and a self-set policy. This is no easy feat, but businesses can more easily and efficiently comply with regulations and facilitate data access requests by leveraging AI.
AI has evolved from a supplement to a requirement for those striving for data privacy due to its contextual Natural Language Processing capabilities in file access. Proper AI implementation provides organizations with an efficient tool to recognize what stored data is PII (or regulated to a degree), where it is stored, who can access and who has accessed it. That last part is essential, as 95% of enterprise organizations have suffered identity-related data breaches.
Organizations hold the capability to model data management for AI and can teach it to understand normal and abnormal data access behavior. As a result, they can ensure that data protection is always accounted for, even when the human workforce is tending to matters elsewhere.
Ensuring data privacy must be a team effort. Individual users, organizations, and governing bodies must establish clear lines of communication and invest properly to secure personal data – a commodity that is practically equitable to gold in value today. In this digitally transformed age, users have a right to their data privacy, and organizations have a legal obligation to adhere to that right. Privacy looks different than it did 100, even 40, years ago, but the importance of privacy, and the protection it deserves will always remain an essential right now and in the future.
