The US and Canada have observed Data Privacy Day every January 28th since 2008. It is a follow-on to Data Protection Day in Europe that commemorates the Jan. 28, 1981 signing of the Council of Europe treaty known as Convention 108. This treaty was the first legally binding agreement designed to protect an individual's right to digital privacy, anticipating the increasingly automated processing and distribution of personal data.
While remarkably prescient, the original authors and signatories of Convention 108 could not possibly have foreseen how data is created, shared, processed, and stored today, nor the volume of personal data that now exists for virtually every human being on earth.
That original treaty has since been reinforced by legally binding legislation in most countries of the world, culminating most recently in the most comprehensive law yet enacted to protect personally identifiable information (PII). The EU's General Data Protection Regulation (GDPR), in force since May 25, 2018, is the most important change to data privacy regulation since that first treaty was signed in 1981. It provides comprehensive data protection and privacy rights for all individuals within the European Union and the European Economic Area, and governs the export of personal data outside the EU and EEA.
It has also raised the bar in other countries, with a wave of new legislation patterned after GDPR. The California Consumer Privacy Act of 2018, for example, signed into law in June 2018 and taking effect in January 2020, gives California residents the right to know what personal data businesses hold about them. As under the EU's GDPR, Californians will then be able not only to require that organizations delete their PII, but also to opt out of those organizations selling their data to third parties. Since California is now the fifth largest economy in the world, having surpassed the UK last year, the impact of this law will be national and international.
This past July, two months after the passage of the California law, the White House announced that it was working on a new "consumer privacy protection policy that is the appropriate balance between privacy and prosperity." Since then, members of Congress have introduced multiple data protection bills.
If your organization does business with any organizations or individuals in the EU, you have already had to make significant changes to how you process, manage, and store the data of EU residents. Prepare now to extend the same sorts of protection to your US and Canadian customers. Here is a quick checklist of what you will need to do:
1. Implement a comprehensive, integrated security strategy. There can be no data privacy without data security, so start by ensuring that any PII your organization touches is protected from the moment it enters your network to the moment it leaves. That means security measures and policies that can identify, follow, and protect data as it moves between network domains and devices, including across multi-cloud or SD-WAN environments and into your storage area network (SAN).
Security also plays a critical role in knowing where every piece of data is located and who and what has access to it. An integrated security framework lets security components see one another, share and correlate information, and take part in a coordinated threat response. It needs to be woven into every part of your evolving network to enable unified policy creation, centralized orchestration, and consistent enforcement. This extends visibility deep into your infrastructure, so you can see every device, track every application and workflow and, most importantly, see and secure all data. It also lets you demonstrate compliance with privacy requirements and verify that data is securely stored, used, and removed.
2. Change what PII you collect and how you collect it. New privacy laws such as GDPR put control of personal data in the hands of the individual rather than the business or institution that holds it. Individuals must be able to withdraw their consent to the collection of their data as quickly and easily as they gave it. Organizations therefore need to collect only the minimum data required for a specific purpose, and to be able to remove it completely once it is no longer needed.
3. Reorganize your data so that PII can be easily identified, flagged, and deleted. Be prepared to demonstrate to compliance officials that you can prevent specific data from being shared or sold to third parties and that you can remove every instance of an individual's PII, wherever it is stored or used. For larger organizations this is not a trivial task. It will require significant retooling of databases, rewriting of software applications and websites, and redesign of internal processes so that all data related to a single customer can be identified quickly. The GDPR's right to erasure, better known as the "right to be forgotten" (RTBF), means that data must be found and removed quickly and reliably, rather than relying on humans to hunt for each instance of personal information scattered across your distributed network.
4. Encrypt PII so that it poses little risk if it is compromised. Encrypt data both in transit and at rest. Encryption strips stolen data of its value, but only as long as the keys are stored and managed separately from the data; an attacker who obtains the key along with the ciphertext gets everything. Encrypting large volumes of data is also no easy task, so organizations should weigh the throughput of their encryption solution and any performance degradation it introduces, and plan for key management from the start.
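Items 3 and 4 above are the two that map most directly onto code. The following is an added example, written for this page rather than taken from the original article or from any vendor's product, in Go: PII is stored encrypted at rest under a key that belongs to one data subject, it is indexed by a keyed pseudonym instead of the raw identifier (the pseudonymization the conclusion mentions), and a deletion request is honoured by destroying that key. This goes one step beyond the text: once the key is gone, every copy of the ciphertext, including the ones in backups and replicas that a human would otherwise have to hunt down, becomes unreadable, which is what makes the "right to be forgotten" tractable in a distributed network. The Vault type, its in-memory key maps, NewVault/Store/Load/Erase, and the sample record are assumptions constructed for illustration; in production the per-subject keys would live in a KMS or HSM, not in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// ErrErased: no key exists for the subject (never stored, or erased), so any
// ciphertext that still exists anywhere is noise.
var ErrErased = errors.New("subject key destroyed: PII is unrecoverable")

// Vault is a hypothetical in-memory stand-in for a key-management service:
// one random AES-256 key per data subject, plus a site-wide HMAC key used
// only to derive lookup pseudonyms.
type Vault struct {
	hmacKey     []byte
	subjectKeys map[string][]byte // pseudonym -> data-encryption key
	records     map[string][]byte // pseudonym -> nonce || AES-GCM ciphertext
}

func NewVault() (*Vault, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Vault{hmacKey: k, subjectKeys: map[string][]byte{}, records: map[string][]byte{}}, nil
}

// Pseudonym replaces a direct identifier with a keyed hash: stable enough to
// index and join on, but not reversible or guessable without the HMAC key.
func (v *Vault) Pseudonym(identifier string) string {
	m := hmac.New(sha256.New, v.hmacKey)
	m.Write([]byte(identifier))
	return hex.EncodeToString(m.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts one subject's PII under that subject's own key; the pseudonym
// is bound as additional data so a record cannot be re-attached to another subject.
func (v *Vault) Store(identifier string, pii []byte) error {
	p := v.Pseudonym(identifier)
	key, ok := v.subjectKeys[p]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		v.subjectKeys[p] = key
	}
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.records[p] = aead.Seal(nonce, nonce, pii, []byte(p)) // nonce || ciphertext
	return nil
}

// Load decrypts the subject's PII, or reports that it has been erased.
func (v *Vault) Load(identifier string) ([]byte, error) {
	p := v.Pseudonym(identifier)
	key, ok := v.subjectKeys[p]
	if !ok {
		return nil, ErrErased
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct, ns := v.records[p], aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("no usable record for subject")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], []byte(p)) // fails on any tampering
}

// Erase honours a deletion request by destroying the key rather than hunting
// for ciphertext: the record and every copy of it stay put but can no longer be read.
func (v *Vault) Erase(identifier string) {
	p := v.Pseudonym(identifier)
	if key, ok := v.subjectKeys[p]; ok {
		for i := range key {
			key[i] = 0 // wipe before dropping the reference
		}
		delete(v.subjectKeys, p)
	}
}
```

Three properties are worth checking when you run this: the record round-trips through Store and Load before erasure, Load fails on a record whose bytes have been altered (GCM authenticates the ciphertext and the bound pseudonym), and after Erase, Load returns ErrErased even though the ciphertext is still sitting in the records map. Note that the pseudonym is only as private as the HMAC key; if that key leaks, anyone holding a list of candidate e-mail addresses can re-identify the records, so it deserves the same protection as the data-encryption keys.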
New and looming data privacy legislation reflects growing public concern about the protection and personal ownership of PII. Data Privacy Day is an urgent reminder that every organization that touches personal data needs to re-evaluate its IT security infrastructure. Can your IT security solutions communicate effectively with one another, regardless of where they are deployed, to protect data and provide network-wide visibility? Does your network include data-protection measures such as threat prevention and detection, pseudonymization of PII, and internal segmentation to isolate and track customer and employee data? And finally, have you documented and, more importantly, tested your data-breach response plan?
Today’s organizations need to be able to answer “yes” to these questions if they want to be prepared for the new data privacy regulations on the near horizon.