One of the most significant recent events regarding data privacy occurred in 2018, when it was discovered that (now defunct) political consulting firm Cambridge Analytica had unlawfully collected the data of up to 87 million Facebook users. Such Incidents would go on to hasten the introduction and enactment of new data privacy policies such as the UK’s Data Protection Act and the EU’s General Data Protection Regulation (GDPR).
The majority of countries have adopted some form of legislation regarding cybersecurity and data protection, and many have multiple frameworks in place to ensure their citizens are protected online. Websites and online services are now legally obligated to be more transparent about what data they send and receive from netizens.
This is good news for the average internet user, but it adds a fair amount of complexity for organizations trying to maintain a foothold in multiple territories. So how do you toe the line of jurisdictional regulations while ensuring a consistent product? This guide will help to break down the problem to make it easier for organizations to maintain compliance.
The changing nature of data privacy
Data is the new gold, they say. It may seem dramatic, but data is extremely precious. It’s also at great risk of being misused. As we create and store more data, the laws that govern how data is handled will escalate along with it.
New technology isn’t the only factor affecting the nature of data. Consumer relationships with technology and data privacy should be considered as well. For instance, Gen Z invests differently compared to previous generations. They are savvy consumers with more financial knowledge at their fingertips than their parents and grandparents, and it shows.
Younger generations want high-tech solutions, and they also seek personalized user experiences. Gathering user data helps retailers and companies understand trends among their customer base and tailor offerings to their interests. Still, savvy internet users are increasingly suspicious of privacy risks, even as they allow their data to be collected by social media platforms, apps, and more. Current and future legislation will need to adapt to the privacy mores of the majority – and the majority is coming to understand the risks.
Diversity of regulations
At the time of writing, 128 countries (out of 194/195) in the world had some form of data privacy-related and cybersecurity legislation in place. Many of these territories have multiple regulatory frameworks which expand in complexity almost annually.
In November 2020, China passed its Personal Information Protection Law (PIPL). The law addresses how both foreign and local organizations process personal data over the internet. Along with China’s Data Security Law (DSL) and Cybersecurity Law (CSL), the PIPL helps form a more extensive regulatory framework for data privacy and cybersecurity in the PRC.
Also at the end of 2020, the US Congress signed the IoT Cybersecurity Improvement Act into law. It requires the Office of Management and Budget (OMB) and The National Institute of Standards and Technology (NIST) to develop security guidelines that can be carried out by the federal government. It’s still an evolving regulation that could spawn more laws as a part of a larger framework, but it’s a start.
Emerging and developing economies have also embraced legislation concerning data privacy. After 17 years of development, South Africa finally passed the Protection of Personal Information Act (POPIA) in June, 2021. It is based on the 2018 iteration of the GDPR, which has since been amended and updated. Some experts believe that POPIA should be updated too.
Herein lies the problem for businesses. Not only are new laws and regulations being constantly introduced but older regulations are evolving. So what can organizations do to maintain privacy and compliance with a host of regulations?
The importance of transparency
Originally, it seemed that the onus was on the individual to protect personal privacy online. However, it’s unrealistic to expect the average user to read every privacy agreement they encounter, especially with privacy agreements going through constant updates.
That’s why the first step to complying with most data privacy regulations is to be transparent with customers. You need to ensure that visitors to your websites fully understand the implications of using your services concerning their privacy. This isn’t just about preventing lofty fines from jurisdictional authorities and commissions – your company’s public image also relies on it.
Since the 2018 data breach, the public’s perception of Facebook has soured. While it’s still a popular platform, it doesn’t have the cultural significance it used to. Executives have been doing PR for years trying to recapture relevance and fall back into the public’s good graces.
Organizations can learn from their mistakes by making data policies more accessible. Do your customers understand what cookies are? Do they understand the risks of having your website or application store their data? These are just a few of the things your organization should provide a simple explanation for.
Companies can create helpful videos and audio segments (podcasts), explaining the intricacies of their revised privacy agreements. You can also send SMS and email campaigns with links to your new privacy agreement, as well as content and guides providing simple explanations.
In most cases, if your business operates in different territories, your privacy agreement can integrate and comply with all laws from the jurisdictions that your company operates in. Alternatively, each privacy agreement you choose to display to your users must be related to their territory. This could mean that certain users may be restricted from accessing certain features of your service depending on what region they’re in, and this information should be made clear from the get-go.
Optimizing data privacy
First thing’s first, businesses must ensure that all their data can be securely accessed and stored. They must also have effective protection against cyber threats such as ransomware and phishing or risk heavy fines and loss of customer trust.
A good example of this is the Marriott International data breach of 2014 (discovered in 2018). A cyberattack exposed the personal information of approximately 339 million guests worldwide. After an extensive investigation by the Information Commissioner’s Office (ICO), the company was fined roughly $124 million for infringement of the EU’s GDPR.
To avoid similar breaches, organizations must integrate tools to help them maximize user privacy. Take advantage of privacy-enhancing technologies/tools (PETS) which help provide security when data is accessed and shared. Some examples of PETs include:
Cryptographic algorithms
- Secure multi-party computation
- Homomorphic Encryption
- Differential Privacy
- Zero-knowledge proofs (ZKP)
AI-assisted algorithms
- Federated learning
- Synthetic data generation
Data masking
- Obfuscation
- Pseudonymization
- Anonymization
- Data minimisation
Using a machine learning or AI-driven data privacy solution that can update its protocols based on new privacy laws and embrace automation in your organization’s data privacy practices.
Additionally, under GDPR, organizations must hire Data Privacy Officers (DPO). Even if you plan on operating outside of the jurisdictions of the EU, it is still imperative that you hire an experienced and certified DPO for your company. Over the coming years, we can expect this to be one of the most valued jobs in cybersecurity.
Conclusion
Your organization should not have to suffer data loss and degradation to your public image before prioritizing data security and privacy. A proactive approach can save a lot of money and time in the long run, and companies have a plethora of data protection techniques and tools at their disposal. When it comes to data security, there is very little excuse for oversight.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.