digital-privacy

In the rapidly evolving digital era, internet users have become increasingly aware of how their information is collected and used online. According to Norton LifeLock, 85% of adults want to do more to protect their online privacy. As consumers express concern and global regulations tighten, it is important to understand the premise of digital privacy and how to comply with it. 

Data Privacy or Digital Privacy?

Despite similar names and concepts, there is a stark distinction between data privacy and digital privacy. Data privacy refers to when a company or website properly handles sensitive user information such as personal contacts, medical records, financial history, and intellectual property. Data privacy works to prevent unauthorized access to confidential information by governing how data is collected, used, and shared. This concept pertains to both the digital and non-digital realms.

On the other hand, digital privacy focuses specifically on protecting our own information that we knowingly or unknowingly share online. An astonishing 90% of the world’s data was generated in the last two years alone! Most of that information was created or provided by individuals while using the internet. Safeguarding this user data mitigates the risk of web-based attacks, further promoting a more secure and trustworthy cyberspace. Without maintaining digital privacy, bad actors could easily monitor online activities, such as conversations and transactions, leading to harmful interceptions and breaches.

The concepts of data privacy and digital privacy both exist to protect individuals and their private information. It is crucial for internet-based systems to satisfy the level of security required by each of these measures.

Engineering Digital Privacy for All

The responsibility of creating a technical framework that fosters digital privacy falls heavily on engineers. Concurrently, existing and emerging laws have brought big changes to the technical engineering landscape. Soon enough, digital privacy regulations will cover 75% of the world’s population.

By not paying close attention to these laws, companies risk data breaches, harsh financial penalties for violations, and damage to their reputation within the industry.

Adapting to changing data regulations has given rise to the Privacy by Design concept, which calls for including privacy in every aspect of the engineering and product development cycle. The emerging role of privacy engineer implements this concept, ensuring that data privacy considerations are integrated into the product design.

Gather the Tools to Operationalize Internet Privacy

Is your team up-to-date on the latest privacy technologies and ethics?

Get ahead with Protecting Privacy in the Digital Age, brought to you by IEEE Educational Activities in collaboration with IEEE Digital Privacy. This four-course program provides a framework on how to operationalize privacy in an organizational context, how to make it usable for end users, and how to address emerging technical challenges to protecting digital privacy.

Connect with an IEEE Content Specialist today to learn how to get access to this program for your organization.

Interested in access for yourself? Visit the IEEE Learning Network (ILN).

Resources

(2022). 2022 Norton Cyber Safety Insights Report: Special Release – Online Creeping. Norton LifeLock.

(3 March 2021). What is Digital Privacy? Definition and Best Practices. Microanalytics.

What is Data Privacy? SNIA.

Privacy By Design. Deloitte.

The Growing Role of Data Privacy Engineering on Technology. IEEE.

data-privacy-skills

Experts, commentators, and pundits alike have been saying it for years: Data is the new oil. The phrase is widely credited to mathematician Clive Humby, who also said, “Like oil, data is valuable, but if unrefined, it cannot really be used. It has to be changed into gas, plastic, and chemicals to create a valuable entity that drives profitable activity. Data must be broken down and analyzed for it to have value.”

Artificial intelligence and automation technology offer new ways to target potential customers, personalize messaging, and recommend products, thereby making data an essential resource for modern enterprises and business decision-making. Companies around the globe collect and analyze volumes of data daily. This highly valued commodity needs to be protected, but so do the individuals who provide it. 

For modern companies, navigating data privacy can seem overwhelming. Different regions may be subject to varying levels of legislation. Additionally, citizens of a particular region may still be protected by those laws no matter where they’re presently located. As data privacy regulations grow, companies face constantly changing data management requirements to secure the correct opt-in permission and ensure compliance. Recent data breaches and hacks of Uber, Verizon, Meta, and Microsoft demonstrate how sophisticated hackers have become.

Flawed Practices Lead to Consumer Mistrust

Inferior consumer privacy practices expose businesses to real repercussions, such as an increase in consumer data breaches. In 2021, there were more than 130,000 personal data breaches. These instances led to material losses like fines, but more importantly, loss of trust among current and prospective customers. According to a recent report, 87% of consumers “would not do business with a company if they had concerns about its security practices.” Investments in data protection and privacy foster consumer loyalty and trust in a company’s products.

Data Security is Paramount

Without a solid data security platform, your company risks financial penalties for violating data privacy regulations and damage to its reputation. A recent article in Apple Magazine provides six tips for better data security in the workplace:

  • Make sure all employees have strong passwords
  • Have disaster recovery plans in place
  • Create strong firewall and antivirus software policies
  • Monitor and analyze your users’ online habits
  • Encrypt your data whenever possible
  • Invest in employee training programs

Technologies such as artificial intelligence, machine learning, the Internet of Things, virtual reality, and facial and biometric recognition all use or generate personal data. Protecting that data should be a top priority—and training your organization in data privacy can provide a critical competitive advantage. Does your company place a priority on data privacy skills?

Privacy by Design is the Future

Companies should consider both data privacy and security issues daily. According to Lindy Cameron, CEO of the UK National Cyber Security Centre (NCSC), a secure-by-design approach is vital to protecting the growing Internet of Things (IoT) and consumer-connected devices. She goes on to explain that significant security risks have increased as “the scale of consumer-, enterprise-, and city-level IoT has exploded in the last decade,” along with a growing dependency on connected technology.

Data privacy is not the domain of just IT departments anymore. Protecting personal data should start in product development—ensuring that every product team member understands privacy by design. For effective results, privacy should be layered throughout the product development lifecycle.

Enhance Your Data Privacy Skills

Engineering and technology professionals must increasingly consider data privacy and security when designing products and systems. As the world becomes more automated, it’s crucial for your organization to understand how to protect its data and devices.

Cyber Security Tools for Today’s Environment, an online 11-course program from IEEE, helps businesses improve their security techniques. Contact an IEEE Account Specialist today to get access to the course program for your organization. Interested in learning about getting access to the course for yourself? Visit the IEEE Learning Network to learn more.

Protecting Privacy in the Digital Age, brought to you by IEEE Educational Activities in collaboration with IEEE Digital Privacy, is a four-course program that provides a framework on how to operationalize privacy in an organizational context, how to make it usable for end users, and how to address emerging technical challenges to protecting digital privacy. Connect with an IEEE Content Specialist today to learn how to get access to this program for your organization. Interested in access for yourself? Visit the IEEE Learning Network (ILN).


Resources

Drapkin, Aaron. (18 October 2022). Data Breaches That Have Happened in 2022 So Far. Tech.co.

Hill, Michael. (24 October 2022). Security by design vital to protecting IoT, smart cities around the world. CSO.

Huang, Helen. (18 October 2022). Putting privacy first: A global approach to data governance. Treasure Data.

Newsroom AppleMagazine.com. (24 October 2022). 6 Tips for better data security in the workplace. AppleMagazine.com.

Talagala, Nisha. (2 March 2022). Data as The New Oil Is Not Enough: Four Principles for Avoiding Data Fires. Forbes. 

Robicquet, Alexandre. (19 October 2022). Why Businesses Don’t Need More Data—They Need Better Data. Forbes. 

data-privacy-principles

In today’s hyper-connected world, the phrase “data is king” rings truer than ever. Data now drives our economy. Companies and organizations across industries actively leverage it to gain a competitive edge.

People share information constantly — face-to-face, over the phone, through online forms, and via email or text. Even more varied are the types of data we disclose: addresses, phone numbers, social security numbers, financial data, and health records. Beyond that, our digital footprints include what we buy, what we post, how we unlock our phones, and even how we move through public and private spaces.

Whether we share this information voluntarily or not, countless entities collect it. They use it for purposes we often don’t fully understand.

For Instance, Did You Know…

  • Your DNA holds value. When people submit saliva samples to genealogy or genetic testing services, those companies may resell the data to pharmaceutical firms for research or marketing. Kirsten Ostherr, PhD, director of medical humanities at Rice University, warns that this data could also influence life insurance rates, loan interest rates, or hiring decisions. In some cases, law enforcement may access DNA data without consent during criminal investigations.
  • Apps track browsing and purchase histories to deliver personalized ads. While some ads, like those for similar clothing items, may feel helpful, others can cross ethical lines. For instance, targeting individuals based on medical conditions can feel invasive or even predatory.
  • Social media platforms routinely analyze shared content — photos, videos, and posts — using AI. These algorithms help companies identify patterns and pursue business goals. However, many users don’t realize that “private messages” may not be truly private.

Transparency Is Key

Ultimately, information is power. In all of the above cases, “the user received something in return for allowing a corporation to monetize their [personal] data,” confirmed Louise Matsakis of technology publication Wired.

However, this often-unwitting exchange isn’t something all users take lightly. A recent Pew Research Center study revealed that four out of five people surveyed feel that they have little control over the data that companies or government agencies collect on them and are either “very” or “somewhat” concerned about how companies are using it.

In light of growing ethical concerns and the alarming incidence of personal data breaches and other cybercrime, which Cybersecurity Ventures forecasts will incur more than US$10 trillion in damages worldwide by 2025, most countries have enacted some level of data privacy legislation that sets parameters around how data is collected, used, and shared. However, these laws aren’t standard across countries, and in some cases, such as the U.S., they aren’t even centralized at the federal level. This gap leaves countries and states to largely enact their own data privacy laws and penalties for non-compliance. For organizations serving a global population, this can be especially difficult to navigate.

Privacy By Design

Given that data privacy definitions aren’t yet standardized, experts say that organizations must take measures to ensure that data privacy and transparency are addressed up-front in order to be more efficient. In other words, personal data will be better insulated and companies will be increasingly protected from the legal and financial repercussions of data privacy non-compliance when they make concerted efforts to build the key pillars of data privacy into their product development process at the outset.

The European Union formally subscribed to this theory by adopting the concept of ‘Privacy by Design,’ a process by which technology is used to engineer data privacy into the development of products at their earliest stages. It’s an approach that savvy companies are watching closely in the best interests of both their customers’ privacy and security as well as their organization’s integrity/brand.

Position Your Organization for Success

The protection of privacy and personal data is an essential human right – one that requires organizations to take action to ensure data privacy for their users. Ideally, data privacy should begin in the product development stage. It’s a best practice undertaken to ensure that every member of the product team understands privacy by design and how to put those guidelines into practice.

Resources

Matsakis, Louise. (15 February 2019). “The WIRED Guide to Your Personal Data (and Who Is Using It).” Wired.

“Americans And Privacy: Concerned, Confused And Feeling Lack Of Control Over Their Personal Information.” (19 November 2019). Pew Research Center.

Morgan, Steve. (13 November 2020). “Cybercrime To Cost the World $10.5 Trillion Annually By 2025.” Cybercrime Magazine.

(14 December 2022). “Data Privacy Laws: What You Need to Know in 2023.” Osano.

Nudson, Rae. (9 April 2020). “When Targeted Ads Feel a Little Too Targeted.” Vox.

qualified-data-privacy-professionals

Utah and Connecticut recently joined a growing number of U.S. states, including California, Colorado, and Virginia, in passing data privacy laws. These regulations give citizens greater control over their data and empower them to hold organizations that violate the rules accountable. A number of federal governments, including the European Union, China, and Brazil, have also passed similar laws.

While the U.S. does not currently have a federal data privacy law, federal regulators are still taking action. The U.S. Justice Department and the Federal Trade Commission recently settled a suit against Twitter over allegations that it misled people over how their phone numbers and email addresses would be used, slapping the social media company with a $150 million USD fine.

Meanwhile, a recent ruling in a $650 million USD class action lawsuit against Facebook found it violated Illinois’ 2008 biometric privacy law over its handling of facial recognition data. As a result, the social media giant must pay over 1.4 million residents up to $397 USD each.

These legal actions are only the beginning. According to CPO Magazine, legislators in at least 27 states in the U.S. have introduced data privacy bills in the last several months.

“By 2024, it’s likely that almost every state will have its own version passed into law,” writes Bill Tolson, Vice President of Global Compliance & eDiscovery at Archive360, in CPO Magazine. “This is getting little to no attention in the business world, and yet it requires serious effort to ensure compliance. Businesses getting prepared now are barely ahead of the curve; those that put it off till the laws hit the market will have to scramble to keep up.”

Data Privacy Professionals Are In High Demand

Data privacy professionals are quickly becoming some of the most in-demand technical professionals in the world today. A recent report from the recruitment company TRU Staffing Partners found a 30% increase in open data privacy jobs, due to a combination of the rise in remote work and the recent proliferation of data privacy laws. In addition to there not being enough data privacy professionals, the report also found a shortage of professionals with the right qualifications. According to CPO Magazine, some key findings from the report include:

  • Qualified data privacy professionals have a competitive advantage in the current job market. Whereas it generally took up to six weeks for someone with the right qualifications to get hired after submitting their resume in 2019, it took roughly one week on average in 2021.
  • Data privacy professionals typically have a minimum of two job offers at a time. When they are actively looking for a job, this increases to three.
  • Privacy professionals have seen a 22% growth in pay (earning about $20,000 – $30,000 USD more in general annually for the same positions). Similar increases are anticipated by 2023.
  • About 75% of these positions are in corporations, 20% are in consulting and software companies, and 5% are in the legal industry.

As more governments pass regulations and organizations seek to fill their knowledge gap, now is the perfect time for technical professionals to learn the ins and outs of data privacy.

Growing Your Data Privacy Skills

As privacy grows in importance, the need for technical professionals to possess strong knowledge in the area also grows.

Ethical transparency is critical to an organization’s success and it must be included in digital environments. Successful digital environments require rigorous ethical standards that incorporate honesty, impartiality, protection, security, and privacy.

AI Standards: Roadmap for Ethical and Responsible Digital Environments provides instructions for a comprehensive approach to creating ethical and responsible digital ecosystems. Contact an IEEE Content Specialist to learn more about how this program can benefit your organization. Interested in getting access for yourself? Visit the IEEE Learning Network (ILN) today!

Resources

Bensinger, Greg. (30 May 2022). How Illinois Is Winning in the Fight Against Big Tech. New York Times. 

Casale, Elizabeth; Collum, Christopher; Shreve, James; Sosnicki, Luke. (27 May 2022). Utah and Connecticut enact comprehensive data privacy laws. thompsoncoburn.com. 

Gordon, Marcy. (25 May 2022). Twitter to pay $150M penalty over privacy of users’ data. ABC News.

Sauer, Megan. (25 May 2022). Some Facebook users are receiving $397 checks over data privacy violations—and these tech companies could be next. CNBC. 

Tolson, Bill. (20 May 2022). Data Privacy Conundrum: When Different States Play by Different Rules. CPO Magazine. 

Ikeda, Scott. (9 May 2022). Data Privacy Jobs Report Shows Demand for Privacy Pros at Record High Thanks to Complex Regulatory Requirements, Mass Migration to Cloud Services. CPO Magazine. 

Blockchain technology will not only revolutionize medical records, it will also create a patient-centric healthcare industry dramatically different from what exists today. As discussed in previous posts, blockchain is a decentralized digital ledger of transactions that records data in a way that prevents hacking and altering of data by duplicating transactions and dispersing them to “nodes” across the network. 

“Blockchain possesses the potential to revolutionize the healthcare industry by placing the patient at the center of the ecosystem, amplifying interoperability, privacy, and security of health data,” write Vic Gupta and Harish Nanda, the Executive Vice President of Digital & AI and Chief Architect of Coforge, in ET Healthworld.com. “The technology is set to equip [the] healthcare industry with a more advanced Health Information Exchange (HIE) model that could genuinely transform electronic medical records, making them significantly more secure, efficient, and disintermediated.”

However, the healthcare industry has been slow to adopt blockchain due to the sensitivity of the data handled. 

Healthcare Blockchain Relies on Hybrid Technology Stacks

Because the healthcare industry needs to protect highly sensitive patient data, its blockchain technology must rely on a hybrid technology stack, rather than a system in which data is delivered across blockchain nodes, according to Stuart Hanson, CEO of Avaneer Health.

“Instead, this technology can be used to help index the complex industry sources of data across a network and make this data more fluid and, therefore, valuable,” he told Healthcare IT News. “In other words, we need to figure out a delicate balance between blockchain and other technology components within the stack in order to preserve the key value added from blockchain while making the entire system robust and optimized for the healthcare use cases.”

How Multiple-Signature Contracts Will Provide Solutions to the Healthcare Blockchain

According to Xudong Huang, a researcher at Harvard Medical School who was interviewed by Managed Healthcare Executive, healthcare blockchain is valuable to patients because, unlike traditional data management and security systems, it provides them with data security and data ownership at the same time, a point he discussed in a 2019 paper.

Blockchain-based systems would require patients to authorize retrieval of their data through what Huang and coauthors call multiple-signature, or “multisig,” contracts in healthcare blockchains. Under these contracts, the patient and the healthcare provider each use a separate private key to access the patient’s medical record in the network. While this means the provider can’t access the patient’s data without permission, it also means that only providers, not patients, can change the patient’s data.

While siloing data in such a way can create obstacles for big data analytics, which researchers and healthcare companies often rely on to create solutions in the healthcare industry, Huang thinks it may actually help.

“An easy solution for this is any de-identified patients’ data can be released to a public database for easy access,” he told the publication. In other words, blockchain would allow wider, simplified access of data among vetted parties on the blockchain.
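The two-key authorization described above, as an added example that is not taken from Huang's paper or from any blockchain project: a 2-of-2 gate in plain Node.js (no ledger) that releases or updates a record only when the patient and the provider have each signed the same request. Ed25519, the request fields, the nonce replay check, the choice to require both signatures for writes as well as reads, and all names (`RecordGate`, `rec-001`) are assumptions made for illustration.

```javascript
// Added example: 2-of-2 "multisig" authorization for a medical record.
// All names and sample values here are hypothetical and constructed.
const crypto = require('node:crypto');

const REQUIRED_SIGNERS = ['patient', 'provider'];

// Each party holds its own private key; only the public half is given to the gate.
function makeParty(role) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { role, publicKey, privateKey };
}

// Deterministic bytes for a request. Binding action, record id, nonce and payload
// into the signed message stops an approval being reused for a different request.
function encodeRequest(req) {
  const payload = req.payload === undefined ? null : req.payload;
  return Buffer.from(JSON.stringify([req.action, req.recordId, req.nonce, payload]), 'utf8');
}

// A party approves a request by signing its encoded form.
function approve(party, req) {
  return { role: party.role, signature: crypto.sign(null, encodeRequest(req), party.privateKey) };
}

class RecordGate {
  constructor(publicKeys) {
    this.publicKeys = publicKeys; // { patient: KeyObject, provider: KeyObject }
    this.usedNonces = new Set();  // nonces of requests already executed
    this.records = new Map();     // recordId -> contents
  }

  // Executes the request only if every required signer approved exactly this request.
  execute(req, approvals) {
    if (req.action !== 'read' && req.action !== 'write') {
      return { ok: false, reason: 'unknown action' };
    }
    if (this.usedNonces.has(req.nonce)) {
      return { ok: false, reason: 'replayed request' };
    }
    const message = encodeRequest(req);
    for (const role of REQUIRED_SIGNERS) {
      const approval = approvals.find((a) => a.role === role);
      if (!approval) {
        return { ok: false, reason: `missing ${role} signature` };
      }
      if (!crypto.verify(null, message, this.publicKeys[role], approval.signature)) {
        return { ok: false, reason: `invalid ${role} signature` };
      }
    }
    this.usedNonces.add(req.nonce); // consume the nonce only on success
    if (req.action === 'write') {
      this.records.set(req.recordId, req.payload);
    }
    return { ok: true, reason: 'both parties signed', data: this.records.get(req.recordId) };
  }
}

// Walks through the cases the passage implies, plus two misuse cases.
function demo() {
  const patient = makeParty('patient');
  const provider = makeParty('provider');
  const gate = new RecordGate({ patient: patient.publicKey, provider: provider.publicKey });

  const write = { action: 'write', recordId: 'rec-001', nonce: 'n1', payload: 'allergy: penicillin' };
  const read = { action: 'read', recordId: 'rec-001', nonce: 'n2' };
  const otherRead = { action: 'read', recordId: 'rec-002', nonce: 'n3' };

  return {
    // The patient alone cannot change the record.
    patientOnlyWrite: gate.execute(write, [approve(patient, write)]),
    coSignedWrite: gate.execute(write, [approve(patient, write), approve(provider, write)]),
    // The provider alone cannot read the record.
    providerOnlyRead: gate.execute(read, [approve(provider, read)]),
    // The patient's approval for rec-001 does not carry over to rec-002.
    reboundRead: gate.execute(otherRead, [approve(patient, read), approve(provider, otherRead)]),
    coSignedRead: gate.execute(read, [approve(patient, read), approve(provider, read)]),
    // The same approved request cannot be submitted a second time.
    replayedRead: gate.execute(read, [approve(patient, read), approve(provider, read)]),
  };
}

console.log(demo());
```
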

As the blockchain brings major solutions to healthcare, the industry will need to learn to adjust to a new, patient-centric network. Other industries will find themselves in a similar position. Has your organization prepared to adopt blockchain technology? 

Designing Blockchain Solutions

Get practical guidance for how to design a blockchain solution with the IEEE five-course program, A Step-by-Step Approach to Designing Blockchain Solutions. Developed by experts, this course program recaps the basics of the technology; the expected benefits of a blockchain solution; how a solution would benefit a prospect company; and more.

Contact an IEEE Account Specialist to learn more about how this program can benefit your organization.

Interested in getting access for yourself? Visit the IEEE Learning Network (ILN) today!

Resources

Gupta, Vic and Nanda, Harish. (24 March 2022). Blockchain Disrupting the Healthcare Ecosystem. ET HealthWorld.com.

Siwicki, Bill. (3 March 2022). Healthcare blockchain leader talks challenges and trends in DLT. Healthcare IT News.

Kaltwasser, Jared. (8 February 2022). Is Healthcare Ready For Blockchain? Managed Healthcare Executive.

successful-data-privacy-program

A number of new laws – recently passed in Europe, China, the U.S., and Brazil – are presenting an urgent need for organizations to develop data privacy policies. Not only are these laws creating compliance concerns, they are also compelling organizations to start embracing data privacy as a core value.

How Can Organizations Establish Data Privacy Policies As A Core Value?

According to Kevin Shepherdson, CEO and Founder of Straits Interactive, a leading data privacy consultancy in Singapore, transformation around data privacy needs to start with an organization’s leadership. Senior leaders need to make it clear that their organizations take data privacy seriously by providing the necessary resources to institute a data protection management program (DPMP). This also should include training their staff around such programs.

“We often see data breaches being described as ‘human error’, which is unacceptable to regulators and should not happen where there is sufficient staff training and strong ‘tone at the top,’” Shepherdson writes in CPO Magazine. “As important as initiating the DPMP is sustaining it. The organization must maintain compliance efforts by educating stakeholders about its data protection policies, including conducting regular data privacy audits and regular risk assessments.”

How Can Organizations Successfully Implement a Data Privacy Program?

Stu Sjouwerman, founder and CEO of KnowBe4, which develops security awareness training and simulated phishing platforms, offers the following four recommendations for organizations that want to implement a successful data privacy program, which he originally outlined in Security Magazine:

  1. Be inclusive of every department in your organization: Data security impacts every facet of your organization. Each department likely processes data in its own way, so it’s important to include each department, process, and vendor in your data privacy plans.
  2. Track your practices using documentation: Documenting your data privacy practices as you go along will give you valuable perspective into how your practices deliver value and risk. “Map out your entire data lifecycle (using data flow diagrams) and the process each department uses to collect, store, access, use and share consumer data,” writes Sjouwerman. “Outline the organization’s legal and contractual obligations and the process with which end users can manage their privacy rights.”
  3. Go beyond compliance: Organizations have a tendency to see legal and compliance obligations as “a checklist of items that need to be crossed.” According to Sjouwerman, this is a common mistake. Instead, he suggests looking at privacy as your users’ fundamental right that your organization’s compliance practices must work to uphold.
  4. Continuously re-assess your data privacy practices: No organization stays the same. Departments, processes, vendors, products, and people change over time. As such, it’s important to regularly assess your data privacy practices to ensure they are evolving with your organization. According to Sjouwerman, this involves undergoing a Data Protection Impact Assessment, which he says will help “identify risks proactively and reduce the likelihood of any impact to the organization or its customers.”

With data privacy laws becoming more common, privacy policies are no longer a consideration – they are a necessity. Is your organization equipped with the knowledge to implement a successful data privacy program?

Data Privacy by Design

Privacy has emerged as a critical aspect of our increasingly digitized world. Technological innovations are becoming progressively more intrusive in our personal lives, attempting to extract sensitive personal information. This is often detrimental to individuals when a breach or spillage of data leads to severe impacts such as financial loss or identity theft.

Resources

Sjouwerman, Stu. (22 March 2022). Data privacy in 2022: Four recommendations for businesses and consumers. Security Magazine.

Shepherdson, Kevin. (18 March 2022). Data Privacy in 2022: Navigating the Ever-shifting Terrain. CPO Magazine.

data-privacy-practices

Despite a rush of new data privacy regulations around the world, many organizations have yet to transform the way they collect user data. However, due to the digitization and interconnectedness of modern-day businesses, those that wait to transform their policies may soon find themselves in trouble.

“Waiting even a year or two to start building out a compliant data privacy and management program will cost more, take longer, and be more disruptive to your business operations than having to adapt strong, existing processes to legislative and cultural changes,” wrote Jodi Daniels, CEO of Red Clover Advisors, an organization that assists companies in simplifying their data privacy practices, in Inc.com.

Alternatively, organizations that start building the new regulations into data privacy programs “have a unique opportunity to market themselves as a forward-thinking, consumer-friendly industry leader,” she added.

Three Rules That Should Replace Your Current Data Privacy Practices

As organizations come under increasing pressure, both from regulators and the public, to transform their practices around data collection, they will need to start adopting new rules. Writing in Harvard Business Review, Hossein Rahnama, an associate professor at Ryerson University in Toronto, and Alex “Sandy” Pentland, the Toshiba Professor of Media Arts and Sciences at MIT, recommend that organizations should put:

  1. Trust before transactions: Many organizations currently collect troves of consumer data without obtaining user permission. However, as regulations become the norm, “data collected with meaningful consent” will become the most valuable data, given that it will become the only data that organizations will be allowed to use. As such, organizations will need to start creating processes in which they obtain explicit permission to collect data, as well as a plan that clearly communicates with customers how their data will be used.
  2. Insight before identity: Organizations also need to make data transfer processes between themselves and other organizations more secure. Instead of transferring data through traditional data agreements, they should consider adopting technology like federated learning and trust networks that use algorithms to obtain insight from data without having to transfer the actual data.
  3. Flows before silos: Currently, chief information officers and chief data officers tend to work in silos. However, making the above changes should help them be able to break free of silos. By working with each other, they can better achieve a shared goal of obtaining the best possible insight from customer data.

    “For instance, a bank’s mortgage unit can secure a customer’s consent to help the customer move into their new house by sharing the new address with service providers such as moving companies, utilities, and internet providers,” explain Rahnama and Pentland. “The bank can then act as a middleman to secure personalized offers and services for customers, while also notifying providers of address changes and move-in dates. The end result is a data ecosystem that is trustworthy, secure, and under customer control.”

Is your organization ready to deal with the growing onset of new data privacy regulations? While you may think it’s smarter to watch and wait, preparing for them in advance is the best way to avoid potential problems in the future.

Data Privacy Training for Your Organization

As privacy grows in importance, the need for technical professionals to possess strong knowledge in the area also grows.

Protecting Privacy in the Digital Age, brought to you by IEEE Educational Activities in collaboration with IEEE Digital Privacy, is a four-course program that provides a framework on how to operationalize privacy in an organizational context, how to make it usable for end users, and how to address emerging technical challenges to protecting digital privacy. Connect with an IEEE Content Specialist today to learn how to get access to this program for your organization. Interested in access for yourself? Visit the IEEE Learning Network (ILN).

Resources

Daniels, Jodi. (3 March 2022). Why You Shouldn’t Wait to Build Out Your Company’s Data Privacy Function. Inc.com. 

Rahnama, Hossein and Pentland, Alex “Sandy.” (25 February 2022). The New Rules of Data Privacy. Harvard Business Review.

As the 2022 Winter Olympics began, so too did increased concerns over security. While no threats have been detected so far, the FBI has warned that various cyber criminals could try to take advantage of the Olympics to “make money, sow confusion, increase their notoriety, discredit adversaries, and advance ideological goals,” TechRadar reported.

Among the FBI’s major concerns is that these potential attacks could result in breaches of Olympic participants’ and workers’ personal information. The agency warned those involved to use a VPN, consistently monitor networks and endpoints, and review security policies, user agreements, and patching procedures.

More Organizations Fined Under the European Union’s General Data Protection Regulation (GDPR)

As we reported in a previous post, European agencies are issuing hefty fines on organizations they claim are failing to comply with the GDPR. In January, France’s data protection agency, the Commission Nationale de l’Informatique et des Libertés, fined Google and Facebook $210 million USD for allegedly violating the GDPR. Later, Austria’s Data Protection Authority found that the use of Google Analytics violates the GDPR. 

Given the widespread use of Google Analytics, this decision is expected to have a far-reaching and powerful impact. According to the International Association of Privacy Professionals (IAPP), the decision is the first of 101 complaints filed across EU nations by NOYB, an advocacy organization. 

The group alleges that the companies’ use of Google Analytics was not in line with the requirements for the Court of Justice of the European Union’s “Schrems II” ruling on data transfers. (Declared in July 2020, that decision invalidated the EU-U.S. Privacy Shield agreement, which is a framework for regulating transatlantic transfers of personal data for commercial use between the United States and the EU.)

According to the ruling, Google is collecting and transferring users’ personal data to the U.S. without shielding data from U.S. government surveillance. It also found that steps taken by the company to protect users, such as data encryption, were not enough. Some experts fear the decision could make legal data transfer between continents difficult, if not impossible. 

“In the absence of a breakthrough in Privacy Shield negotiations, data transfers – and consequently international trade – between the EU and U.S. face a bleak future,” says IAPP Senior Fellow Omer Tene. 

The IAPP also reported that Belgium’s Data Protection Authority recently slapped IAB Europe, an association for the digital marketing and advertising ecosystem, with a €250,000 fine. The authority is claiming that IAB’s Transparency and Consent Framework (TCF), followed by many advertisers in the EU, does not comply with the GDPR. Among its accusations, the authority has claimed that IAB Europe acted as a data controller, which the organization denies. It also accused IAB Europe of failing to comply with a number of requirements under the GDPR, such as appointing a data protection officer, establishing a legal basis for processing, and performing a data protection impact assessment. IAB Europe has just two months to show that its framework is compliant with the rules. On 11 February, IAB Europe confirmed that it will appeal the ruling.

While data privacy laws can be confusing, one thing is clear: organizations that fail to comply with them can expect big penalties. Is your organization ready to deal with these new laws?

Data Privacy Engineering

Ethical transparency is critical to an organization’s success and it must be included in digital environments. Successful digital environments require rigorous ethical standards that incorporate honesty, impartiality, protection, security, and privacy.

AI Standards: Roadmap for Ethical and Responsible Digital Environments provides instructions for a comprehensive approach to creating ethical and responsible digital ecosystems. Contact an IEEE Content Specialist to learn more about how this program can benefit your organization. Interested in getting access for yourself? Visit the IEEE Learning Network (ILN) today!

Resources

Fadilpasic, Sead. (2 February 2022). FBI warns Beijing Winter Olympics could be a big target for cyberattacks. TechRadar.

Bryant, Jennifer. (2 February 2022). Belgian DPA fines IAB Europe 250K euros over consent framework GDPR violations. IAPP.

Bryant, Jennifer. (20 January 2022). Austrian DPA’s Google Analytics decision could have ‘far-reaching implications’. IAPP.

(11 February 2022). IAB Europe to Appeal Belgian Data Protection Authority Ruling. IAB Europe.

When it comes to personal data, individuals and governments alike are becoming more privacy conscious, and it’s not hard to see why. Cyber attacks ensnaring government and private organizations, such as those launched against SolarWinds and Colonial Pipeline, are becoming more frequent. Meanwhile, organizations are increasingly storing data in the cloud, where potential hackers have more opportunities to steal it. (Since 2020, about half of all corporate data has transitioned to cloud storage, a trend that is expected to accelerate, according to the statistics portal Statista.) Furthermore, many websites and apps secretly collect users’ data. According to Pew Research, 79% of U.S. consumers say they are worried about how organizations are using their information, such as sharing it with advertisers and other third parties without their knowledge.

Regulators Are Taking Action

In Europe, the General Data Protection Regulation (GDPR) now dictates how governments must protect their citizens’ privacy and hands greater control of personal data over to individuals. While there is no federal law in the U.S. that protects data privacy, a number of states have begun hammering out their own laws to fill the void. As of last year, the California Consumer Privacy Act requires organizations to give Californians greater control over their personal data. In March, Virginia passed a similar law dubbed the Consumer Data Protection Act. Other states have passed similar measures. (See the full list here). 

A group of U.S. senators recently proposed a bill to protect consumer data privacy, signaling that the country may soon pass federal legislation affecting all 50 states. If passed, the Social Media Privacy Protection and Consumer Rights Act would require websites to give users greater control over their data and let them opt out of data tracking and collection. It would also require companies to list their terms of service in easy-to-understand language and to notify users within 72 hours if their data is hacked.

“This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information,” Senator Amy Klobuchar, one of the bill’s sponsors, told The Verge in a statement.

How Can Your Organization Prepare for Data Privacy Regulations?

Knowing that data privacy regulations are on the horizon, some major technology companies are already shifting their privacy models. Last month, Apple announced the release of a new option for iPhone users that lets them opt out of being tracked across apps. Only about 3% of users chose to be tracked, revealing that data privacy is valuable to a vast majority of users. Similarly, Google recently announced new privacy controls that include allowing users to erase the last fifteen minutes of their search history and reminders for mobile users that their location is being tracked. 

While data privacy laws are evolving, there are measures organizations can start taking now to prepare:

  • Make sure your organization is complying with all applicable industry regulations concerning data privacy and communicate to your users how you are doing this. 
  • Proactively communicate with your users. If there is an issue or breach affecting their data, immediately explain the problem. The explanation should include all details related to the incident, as well as any steps users need to take to resolve the issue. To provide additional reassurance, explain how your organization plans to avoid such issues going forward. 
  • Give your users greater control over their data. For example, adopting client-side encryption, where data is encrypted on the user’s device, is a way to help keep personal data private. Additionally, if your organization experiences a major security breach, the intruders will be unable to decipher client-side encrypted data. Not only will this help protect users’ privacy, it will also maintain their trust.

It’s no longer a question of whether data privacy laws are coming, but when. By taking steps to protect users’ privacy and giving them greater control over their data now, your organization can quickly adapt to regulations and build loyalty among users. 

Resources

Magnuson, Beth. (29 May 2021). Data privacy vs. innovation: The new rules of the road. Venture Beat. 

Kelly, Makena. (20 May 2021). Senators roll out bipartisan data privacy bill. The Verge. 

Taylor, Josh. (19 May 2021). ‘Privacy by design’: Google to give people more power over their personal data.  The Guardian. 

Carder, James. (17 May 2021). Data Protection in a Post-COVID World: How Organizations Can Prepare For a Security-First Future. CPO Magazine.