Data Privacy Week occurs annually from January 22nd - 28th and is observed in many countries from North America to Europe to Africa. The purpose is to raise awareness about data privacy and best practices for data protection. This is a follow-on to Data Protection Day in Europe, which commemorates the January 28, 1981, signing of the Council of Europe treaty known as Convention 108. This treaty was the first legally binding agreement designed to protect an individual's right to digital privacy, anticipating the increasingly automated processing and distribution of personal data.
While remarkably prescient, the original authors and signers of Convention 108 could not have possibly foreseen how data would be created, shared, processed, and stored today, or the volume of personal data that exists for virtually every human being on earth.
That original treaty has been enhanced by legally binding legislation over the years in nearly every country in the world. Despite all of these changes over recent decades, there is still education and work to be done in the realm of data protection. This is why Data Privacy Week is more crucial than ever.
There cannot be any data privacy without good data security. Therefore, below is a quick checklist of the things organizations should do to help protect and secure data.
The first step in protecting data is ensuring that any Personally Identifiable Information (PII) data your organization touches is secured from the moment it enters your network to the moment it leaves. This includes applying security measures and policies that can seamlessly identify, follow, and secure data as it moves between network domains and devices, including across multi-cloud or SD-WAN environments, as well as across the extended network. In addition, zero-trust access is vital. As users continue to work-from-anywhere and Internet-of-Things (IoT) devices flood networks and operational environments, continuous verification of all users and devices is crucial as they access corporate network resources, especially data.
Security plays a critical role in securing every bit of data as well as managing who and what has access to it. A cybersecurity mesh platform allows all security components to see other devices, share and correlate information between them, and participate in a coordinated threat response. It must be woven into and across every aspect of the evolving network to enable things like unified policy creation, centralized orchestration, and consistent enforcement. This mesh approach allows organizations to extend visibility deep into the infrastructure to see every device, track every application and workflow, and more importantly, see and secure all data. It also allows organizations to demonstrate compliance with regard to protected privacy requirements and the verification of its secure storage, use, and removal.
Privacy laws such as the General Data Protection Regulation (GDPR) define individuals as the sole owners of their data, not businesses or institutions. As a result, these individuals must be able to withdraw their consent to the collection of their data as quickly and easily as it was given. This requires organizations to collect only the minimum amount of data needed for a specific purpose and to then be able to completely remove it when it is no longer needed.
Organizations need to be prepared to demonstrate how to prevent specific data from being shared or sold to third parties and how to remove all instantiations of an individual's PII regardless of where it is being stored or used. For example, the GDPR’s “right to be forgotten” (RTBF) means that data needs to be found and removed quickly and easily, rather than relying on humans to hunt for each instance of personal information scattered across a distributed network.
Consider encrypting data in transit and at rest in the network, as encryption negates the value of data if it is compromised. That said, encrypting large volumes of data is no easy task. Because of this, organizations should consider what is a priority based on the ability of encryption performance and any associated degradation of performance.
Encourage cybersecurity training for all employees and follow up with practice and drills. Good password hygiene along with multi-factor authentication (MFA) should be requirements to help add extra protection.
Data privacy legislation reflects concern about the protection and personal ownership of PII. Data Privacy Week is a reminder that every organization that touches personal data needs to evaluate its IT security infrastructure. Ask yourself:
Today’s organizations need to be able to answer “yes” to these questions to be prepared for existing data privacy regulations or others on the near horizon.
Discover how Fortinet’s Zero-Trust Access framework allows organizations to identify, authenticate, and monitor users and devices on and off the network.