A number of new laws – recently passed in Europe, China, the U.S., and Brazil – are presenting an urgent need for organizations to develop data privacy policies. Not only are these laws creating compliance concerns, they are also compelling organizations to start embracing data privacy as a core value.
How Can Organizations Establish Data Privacy Policies As A Core Value?
According to Kevin Shepherdson, CEO and Founder of Straits Interactive, a leading data privacy consultancy in Singapore, transformation around data privacy needs to start with an organization’s leadership. Senior leaders need to make clear that their organizations take data privacy seriously, and they should provide the resources to institute a data protection management program (DPMP). This should also include training staff on the program.
“We often see data breaches being described as ‘human error’, which is unacceptable to regulators and should not happen where there is sufficient staff training and strong ‘tone at the top,’” Shepherdson writes in CPO Magazine. “As important as initiating the DPMP is sustaining it. The organization must maintain compliance efforts by educating stakeholders about its data protection policies. This includes conducting regular data privacy audits and regular risk assessments.”
How Can Organizations Successfully Implement a Data Privacy Program?
Stu Sjouwerman, founder and CEO of KnowBe4, which develops security awareness training and simulated phishing platforms, offers the following four recommendations for organizations that want to implement a successful data privacy program, which he originally outlined in Security Magazine:
- Be inclusive of every department in your organization: Data security impacts every facet of your organization. Each department likely processes data in its own way, so it’s important to include each department, process, and vendor in your data privacy plans.
- Track your practices using documentation: Documenting your data privacy practices as you go along will give you valuable perspective into where your practices deliver value and where they carry risk. “Map out your entire data lifecycle (using data flow diagrams) and the process each department uses to collect, store, access, use and share consumer data,” writes Sjouwerman. “Outline the organization’s legal and contractual obligations and the process with which end users can manage their privacy rights.”
- Go Beyond Compliance: Organizations have a tendency to see legal and compliance obligations as “a checklist of items that need to be crossed.” According to Sjouwerman, this is a common mistake. Instead, he suggests looking at privacy as your users’ fundamental right. Your organization’s compliance practices must work to uphold this right.
- Continuously re-assess your data privacy practices: No organization stays the same. Departments, processes, vendors, products, and people change over time. As such, it’s important to regularly assess your data privacy practices to ensure they are evolving with your organization. According to Sjouwerman, this involves undergoing a Data Protection Impact Assessment. He says this will help “identify risks proactively and reduce the likelihood of any impact to the organization or its customers.”
With data privacy laws becoming more common, privacy policies are no longer a consideration – they are a necessity. Is your organization equipped with the knowledge to implement a successful data privacy program?
Data Privacy by Design
Privacy has emerged as a critical aspect of our increasingly digitized world. Technological innovations reach progressively further into our personal lives and collect ever more sensitive personal information. The harm to an individual is often severe when that data is breached or leaks, with consequences such as financial loss or identity theft.
Protecting Privacy in the Digital Age, brought to you by IEEE Educational Activities in collaboration with IEEE Digital Privacy, is a four-course program. It provides a framework on how to operationalize privacy in an organizational context. It also covers how to make it usable for end users, and how to address emerging technical challenges to protecting digital privacy. Connect with an IEEE Content Specialist today to learn how to get access to this program for your organization. Interested in access for yourself? Visit the IEEE Learning Network (ILN).
Resources
Sjouwerman, Stu. (22 March 2022). Data privacy in 2022: Four recommendations for businesses and consumers. Security Magazine.
Shepherdson, Kevin. (18 March 2022). Data Privacy in 2022: Navigating the Ever-shifting Terrain. CPO Magazine.
When it comes to personal data, individuals and governments alike are becoming more privacy conscious, and it’s not hard to see why. Cyber attacks ensnaring government and private organizations, such as those launched against SolarWinds and Colonial Pipeline, are becoming more frequent. Meanwhile, organizations are increasingly storing data in the cloud, where potential hackers have more opportunities to steal it. (Since 2020, about half of all corporate data has transitioned to cloud storage, a trend that is expected to accelerate, according to the statistics portal Statista). Furthermore, many websites and apps secretly collect users’ data. According to Pew Research, 79% of U.S. consumers say they are worried about how organizations are using their information, such as sharing it with advertisers and other third-parties without their knowledge.
Regulators Are Taking Action
In Europe, the General Data Protection Regulation (GDPR) now dictates how organizations, public and private, must handle the personal data of people in the EU and hands greater control of that data over to individuals. While there is no federal law in the U.S. that protects data privacy, a number of states have begun hammering out their own laws to fill the void. Since 2020, the California Consumer Privacy Act has required organizations to give Californians greater control over their personal data. In March, Virginia passed a similar law dubbed the Consumer Data Protection Act. Other states have passed similar measures.
A group of U.S. senators recently proposed a bill to protect consumer data privacy, signaling that the country may soon pass federal legislation affecting all 50 states. If passed, the Social Media Privacy Protection and Consumer Rights Act would require websites to give users greater control over their data and let them opt out of data tracking and collection. It would also require companies to write their terms of service in easy-to-understand language. They would also be obligated to notify users within 72 hours if their data is breached.
“This legislation will protect and empower consumers by allowing them to make choices about how companies use their data and inform them of how they can protect personal information,” Senator Amy Klobuchar, one of the bill’s sponsors, told The Verge in a statement.
How Can Your Organization Prepare for Data Privacy Regulations?
Knowing that data privacy regulations are on the horizon, some major technology companies are already shifting their privacy models. Last month, Apple announced the release of a new option for iPhone users that lets them opt out of being tracked across apps. Only about 3% of users chose to be tracked, revealing that data privacy is valuable to a vast majority of users. Similarly, Google recently announced new privacy controls that include allowing users to erase the last fifteen minutes of their search history and reminders for mobile users that their location is being tracked.
While data privacy laws are evolving, there are measures organizations can start taking now to prepare:
- Make sure your organization is complying with all applicable industry regulations concerning data privacy and communicate to your users how you are doing this.
- Proactively communicate with your users. If there is an issue or breach affecting their data, explain the problem immediately. The explanation should include the relevant details of the incident (what data was affected, when, and what has been done about it), as well as any steps users need to take to protect themselves. To provide additional reassurance, explain how your organization plans to avoid such issues going forward.
- Give your users greater control over their data. For example, adopting client-side encryption, where data is encrypted on the user’s device with a key the service never holds, is a way to help keep personal data private. If your organization then suffers a major security breach, the intruders obtain only ciphertext and are unable to decipher client-side encrypted data. Not only will this help protect users’ privacy, it will also maintain their trust. The trade-off is real, though: the protection only holds if the key genuinely never leaves the device, which also means the service cannot search or process that data server-side and cannot recover it for a user who loses the key.
It’s no longer a question of whether data privacy laws are coming, but when. By taking steps to protect users’ privacy and giving them greater control over their data now, your organization can quickly adapt to regulations and build loyalty among users.
Data Privacy Training for Your Organization
As privacy grows in importance, the need for technical professionals to possess strong knowledge in the area also grows.
Resources
Magnuson, Beth. (29 May 2021). Data privacy vs. innovation: The new rules of the road. Venture Beat.
Kelly, Makena. (20 May 2021). Senators roll out bipartisan data privacy bill. The Verge.
Taylor, Josh. (19 May 2021). ‘Privacy by design’: Google to give people more power over their personal data. The Guardian.
Carder, James. (17 May 2021). Data Protection in a Post-COVID World: How Organizations Can Prepare For a Security-First Future. CPO Magazine.