One of the most significant recent events regarding data privacy occurred in 2018, when it was discovered that the (now defunct) political consultancy Cambridge Analytica had illegally collected data from up to 87 million Facebook users. Incidents like this sped up the introduction and enactment of new data privacy laws such as the UK Data Protection Act and the EU General Data Protection Regulation (GDPR).
The majority of countries have adopted some form of legislation regarding cybersecurity and data protection, and many have several frameworks in place to ensure that their citizens are protected online. Websites and online services are now legally required to be more transparent about the data they send and receive from Internet users.
This is good news for the average Internet user, but it adds some complexity for organizations trying to maintain their presence in multiple territories. So how do you comply with jurisdictional regulations while ensuring a consistent product? This guide will help resolve the issue to make it easier for organizations to maintain compliance.
The Changing Nature of Data Privacy
Data is the new gold, they say. It may sound dramatic, but data is extremely valuable, and it is also at risk of being misused. As we create and store more data, the laws that govern how it is handled will tighten along with it.
New technologies are not the only factor affecting the nature of data. Consumers’ relationships with technology and data privacy must also be taken into account. For example, Gen Z invests differently than previous generations. They are savvy consumers with more financial literacy at their fingertips than their parents and grandparents, and it shows.
Younger generations want high-tech solutions and are also looking for personalized user experiences. Collecting user data helps retailers and businesses understand customer trends and tailor offers to their interests. Yet savvy internet users are increasingly wary of privacy risks, even if they allow their data to be collected by social media platforms, apps, etc. Current and future legislation will need to adapt to the privacy mores of the majority – and the majority are beginning to understand the risks.
Diversity of regulations
At the time of writing, 128 countries (out of 194/195) around the world had some form of data privacy and cybersecurity legislation. Many of these jurisdictions have multiple regulatory frameworks that are increasing in complexity almost every year.
In November 2020, China passed its Personal Information Protection Act (PIPL). The law deals with how foreign and local organizations handle personal data on the Internet. With China’s Data Security Law (DSL) and Cyber Security Law (CSL), PIPL is helping to form a broader regulatory framework for data privacy and cybersecurity in the PRC.
Also at the end of 2020, the US Congress passed the IoT Cybersecurity Improvement Act. It requires the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to develop security guidelines that can be implemented by the federal government. It is still an evolving regulation that could spawn more laws within a larger framework, but it is a start.
Emerging and developing economies have also adopted data privacy legislation. After 17 years of development, South Africa finally passed the Personal Information Protection Act (POPIA) in June 2021. It is based on the 2018 iteration of the GDPR, which has since been amended and updated. Some experts believe that POPIA should also be updated.
This is where the problem lies for businesses. Not only are new laws and regulations constantly being introduced, but older regulations are also evolving. So what can organizations do to maintain privacy and comply with a multitude of regulations?
The importance of transparency
Originally, it seemed like the onus was on the individual to protect their privacy online. However, it is unrealistic to expect the average user to read every nondisclosure agreement they come across, especially nondisclosure agreements that are subject to constant updates.
That’s why the first step in complying with most data privacy regulations is to be transparent with customers. You need to make sure that visitors to your websites fully understand the privacy implications of using your services. It’s not just about avoiding heavy fines from jurisdictions and commissions – the public image of your business also depends on it.
Since the 2018 data breach, public perception of Facebook has deteriorated. While it’s still a popular platform, it no longer has the cultural significance it once had. Executives have been doing public relations for years trying to regain relevance and fall back into the good graces of the public.
Organizations can learn from their mistakes by making data policies more accessible. Do your customers understand what cookies are? Do they understand the risks of your website or app storing their data? These are just a few of the things your organization should provide a simple explanation for.
Businesses can create helpful videos and audio segments (podcasts), explaining the intricacies of their revised confidentiality agreements. You can also send SMS and email campaigns with links to your new privacy agreement, as well as content and guides that provide simple explanations.
In most cases, if your business operates in different territories, your confidentiality agreement can incorporate and comply with all the laws of the jurisdictions in which your business operates. Alternatively, each privacy agreement you choose to display to your users should be tied to their territory. This could mean that some users may be limited in accessing certain features of your service depending on the region they are in, and this information should be clear from the start.
Optimize data privacy
First and foremost, businesses need to make sure that all of their data can be accessed and stored securely. They also need to have effective protection against cyberthreats such as ransomware and phishing, or risk heavy fines and loss of customer trust.
A good example is the Marriott International data breach in 2014 (discovered in 2018). A cyberattack exposed the personal information of approximately 339 million guests worldwide. After a thorough investigation by the Information Commissioner’s Office (ICO), the company was fined around $124 million for violating the EU’s GDPR.
To avoid similar breaches, organizations should incorporate tools that help them maximize user privacy. Take advantage of privacy-enhancing technologies (PETs) that help keep data secure while it is being accessed and shared. Here are some examples of PETs:
- Secure multi-party computation
- Homomorphic encryption
- Differential privacy
- Zero-knowledge proofs (ZKPs)
- Federated learning
- Synthetic data generation
- Data minimization
Use an AI-powered machine learning or data privacy solution that can update its controls as new privacy laws are introduced, and embrace automation in your organization’s data privacy practices.
Additionally, under GDPR, organizations must hire Data Privacy Officers (DPOs). Even if you plan to operate outside of EU jurisdictions, it is still imperative to hire an experienced and certified DPO for your business. Over the next few years, we can expect this to be one of the most valued jobs in cybersecurity.
Your organization shouldn’t have to experience data loss and damage to its public image before prioritizing data security and privacy. A proactive approach can save a lot of money and time in the long run, and companies have a plethora of data protection techniques and tools at their disposal. When it comes to data security, there are very few excuses for negligence.
Note: This blog post was written by a guest contributor with the goal of providing a wider variety of content to our readers. The views expressed in this guest author article are those of the contributor alone and do not necessarily reflect those of GlobalSign.