An Awakening that is Overdue – Security, Privacy and Compliance Management in the Digital Age Requires Systemic Change
The digital information era has seen exponential growth in the quantity of data being collected, managed and distributed across organizations, both internally and externally. With so much data in play, the potential for misuse and loss is enormous. In fact, the great promise of the digital information era appears to be coupled with an unprecedented loss of data security, a loss of personal privacy and a lackadaisical attitude toward compliance management.
In an effort to address these issues, over the past few years many countries have promulgated data privacy regulations. But with delayed enforcement provisions and differing implementation timetables, these regulations are only now starting to take effect. As a result, business adherence to them has been uneven at best, and the security, privacy and compliance management process could be vastly improved.
There are several reasons why the current privacy and compliance management system is not working optimally. Chief among them is that businesses are not following the rules and regulations governing how data are collected, how they are stored, how they are protected, how they are managed and monitored, for how long they are retained, with whom they are shared and what policies are in place to cover all of this.
As everyone adapts to and adopts digital technologies, we have all become a number, and all our activities are being tracked, monitored and shared. Loss of privacy leads to potential misuse of information, loss of identity, loss of reputation, loss of trust, loss of revenue and increased costs due to fines. A lack of sound governance and compliance management practices therefore has potentially significant consequences.
I. HOW DID WE GET HERE?
A. Privacy is a misunderstood topic: it is overwhelming, it has many unknown elements, and people do not value it appropriately.
For more than a decade, protecting privacy has been a losing proposition. Businesses have lured consumers with the promise of free products and services to entice them into sharing their personal information. But each of these free products and services (and even most purchased products and services) is intrinsically tied to a data element that businesses can monetize, and consumers either fail to recognize, overlook or disregard this hidden cost of obtaining the free (or paid) product or service. Furthermore, the lengthy and convoluted privacy terms and conditions that consumers "agree to" are overwhelming in their detail and legalese and are rarely read in their entirety, if at all.
What consumers and businesses really need to understand is that freely collecting and sharing Personally Identifiable Information (PII) and Sensitive Personal Information (SPI) has long-term impacts, the main consequence being the loss of individual privacy.
B. We have now socialized privacy risk!
Digital disruption is redefining markets globally, and next-generation technologies are transforming the way business is conducted across industries. Even to obtain necessities such as phones or other electronic gadgets, one has to hand over personal information; this has come to be regarded as the cost of getting the basics in life.
Last year in particular, the socialization of privacy risks has accelerated and expanded into innumerable spheres of personal space. The pandemic has forced people in our hyper-connected world to rely extensively on the internet and online/mobile platforms/tools to utilize the services offered by businesses and to maintain social connections.
With employees working from home (WFH) and online/virtual schooling being the new norms, each individual home has become its own digital hub. The need for high-speed connections in homes and offices has grown along with the number of smart mobile devices we carry to monitor and facilitate our activities and lives. These devices collect and process vast quantities of personal and sensitive data, including geographical and biometric data, as well as the frequency and timing of our interactions with the devices themselves.
The insidious socialization of privacy risk leads one to wonder about the consequences of such accelerated, widespread and massive losses of privacy during this pandemic year, what can be done to mitigate the risks, and how to remedy, after the fact, losses that have already occurred.
II. WHY SHOULD WE SOLVE THE PROBLEM?
A. Why should organizations care about data privacy and compliance?
Poor data privacy and data security postures have opened the doors to data breaches. The biggest challenge we all face is the lack of transparency about how much data is collected and accessed by people in both government agencies and commercial organizations. This leads to consumer frustration over the perceived loss of control over their personal data and privacy.
Protecting personal and sensitive data can be a mammoth task for companies that collect, transmit and store information. Data privacy is a juggling act for businesses of all types and sizes (startups, small, medium and large) when it comes to fulfilling the needs of the organization while complying with global and local privacy regulations and laws. Despite the daunting nature of the task, the following are a few reasons why companies should care about data privacy and compliance.
Since companies are collecting more information about their customers than ever before, how they handle personal and sensitive information and how they comply with privacy laws significantly affect their marketplace reputations. Privacy controls have become a cross-border concern, and companies face legal risk if they fail to keep track of and comply with the regulations of every jurisdiction in which they operate. In addition to penalties and fines for non-compliance, companies may also lose out on business or partnership opportunities by failing to take privacy into account. Data breaches have regularly made headlines over the past decade, amplified by the ever-increasing number of social media platforms acting as news media, demonstrating that companies cannot keep privacy breaches under the radar.
Furthermore, businesses should pay closer attention to data privacy as threats grow in the ever-expanding AI, ML and IoT space.
Lastly, there is no better reason than "you have to" or "it's the right thing to do". Privacy is a highly culturally sensitive and personal issue. Some kinds of information are simply not meant for public consumption or for everyone to access. Indeed, a number of countries and regions have established data privacy laws to govern the way personal and sensitive data are collected, handled, transferred and stored.
B. Why should enterprises consider a restart/reboot?
Businesses need to consider privacy compliance from a business perspective, weighing the operational risks to the business as it becomes increasingly dependent on data. They should also adopt a resilience mindset governing how they would respond to and recover from a major data breach.
Ultimately, it boils down to how businesses plan to protect the information they gather and hold about individuals, and to prevent others from accessing their customers' personal and most sensitive information or stealing their identities. When it comes to privacy, organizations should be transparent and proactive, and start viewing it with a precautionary, defensive or even warrior mindset.
III. HOW DO WE SOLVE THE PROBLEM?
A. Understanding and Complying with Regulations
There are numerous and diverse privacy and data protection requirements, both global and local to individual countries. Examples include the European Union's General Data Protection Regulation (GDPR), which replaced the earlier Data Protection Directive; numerous privacy laws and regulatory requirements in the United States such as the California Consumer Privacy Act (CCPA), the Children's Online Privacy Protection Act (COPPA) and the California Online Privacy Protection Act (CalOPPA); Japan's Act on the Protection of Personal Information (APPI); the Australian Privacy Principles (APPs) under Australia's Privacy Act; Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); and the Personal Data Protection Bill 2019 (PDP Bill 2019) in India. Businesses need to consider all of these when sending or sharing information across borders and between countries.
It is important to adhere to these regulatory requirements, and to do so in a consistent and continually evolving manner as the regulations mature. This requires a culture of continuous monitoring and improvement.
B. Changing Attitudes: “Seeing data as gold, data as being valuable, and data as a public good is essential for everyone to respect data privacy.”
While businesses already recognize the monetary value of data, the general public is only slowly starting to understand this fact. It is essential that both businesses and the public appreciate that data functions as a commodity and, like other valuable commodities such as gold, has an intrinsic value that must be protected. Another viewpoint is to see data as a public good, like the other great commons of air and water, worth safeguarding for the greater benefit of all. Such a paradigm shift in attitude toward the value of data is critical if everyone is to respect the need for data privacy.
C. Thinking Ahead: Considering Potential Solutions in Emerging Areas
Managing privacy and compliance is a plodding, tedious task. To build trust, companies must check and recheck their data privacy and security posture, review and re-review their data protection policies, and put their design principles and processes through rigorous testing. A data security breach does not adhere to a standard timeline, so privacy and security management requires a continuous improvement attitude.
As a next step in blockchain adoption, tokenized technological solutions could be implemented as a privacy and compliance management instrument within an industry.
Considering that the current security, privacy and compliance monitoring and management setups are not working optimally, they require an update, a reboot and a design makeover.
Companies must start to take responsibility for, and worry about, where their data go, just as their customers worry about what companies do with their information. It is important to set up an overarching framework as a consistent frame of reference.
Complying with security regulations and privacy laws, while taking the necessary precautions to protect customers' information from bad actors, will help ensure loyal and happy clients, who are likely to stick around longer too.
In the end we are responsible for many of the conditions of our lives, and we have the power and free will to change them.