Data Privacy Day
On Sunday, January 28, the United States, Canada, India and 47 European countries will celebrate Data Privacy Day, an international day established to raise awareness of the importance of data protection and to promote privacy and data protection practices. But did you know that the roots of this day didn’t first grow in American soil? The Council of Europe initiated the first European Data Protection Day in 2007. Then, in 2009, the U.S. House of Representatives passed a vote declaring January 28 as National Data Privacy Day annually.
The point of Data Privacy Day is to make individuals and companies aware of who is holding personal data and what are they doing to protect it. For companies, it is an opportunity to promote trust between them and their customers to protect data at all times. While this day isn’t yet as well-known and celebrated as some other major holidays, the message behind it is strong: all business and customer data is important and must be protected.
How does Data Privacy Day affect individuals?
Most individuals aren’t aware of what personal data of theirs is being captured and how it’s being used. Data isn’t exclusive to what people are voluntarily sharing online through social media platforms like Facebook and Twitter. Organizations constantly gather data on their customers (i.e. their shopping habits, airline seating preferences, etc.) and their Personally Identifiable Information (PII) (i.e. social security numbers, tax filing and return information, and medical records) – all of which must be protected continuously.
We all click on User Licenses when we install software or check the mailing list button on a website, but how many of us really know what data is being held and how companies are using it? For individuals, Data Privacy Day is a way to educate everyone on taking responsibility for their own data.
Are there misconceptions about cloud-stored data?
One big misconception is that data in the cloud is not secure. In most cases, data in the cloud is more secure than data outside of it. There is a massive, ongoing shortage of cyber and security resources worldwide so all/every resource available needs to be leveraged as part of an organizations’ security portfolio. Some cloud vendors have the security resources that many IT departments don’t have or can’t afford, creating an extra layer of security to protect the data. That said, not all cloud vendors are created the same, so due diligence needs to be performed.
How can cloud providers make sure data stays safe?
With the onset of General Data Protection Regulation (GDPR) in May 2018, organizations that conduct business in Europe have to take a serious look at how they protect PII and how well that data is secured. They are also required to gain permissions before using data for purposes other than the original intent. As a result, many organizations will have to provide more information about what data they hold and how they protect it.
GDPR will force organizations to enact several improvements in the coming months, including:
- Understanding where PII data is held, how is it processed, how it is protected, and who has access to it
- Encryption of data in all stages (at rest, in use, and in transit)
- Revising internal processes to protect who has access to PII data within a company and ensure it is on a “need to know” basis
- Revising current data retention policies to ensure only the data needed is stored
- Implementing the ability for a customer to be forgotten. This will be a major undertaking for most companies but will result in substantial fines for organizations found in breach of GDPR.
- Providing customer service capabilities to respond to customers who call to ask about their data or to be forgotten. This will be a major cost for companies going forward.
Any recommendations for anyone worried about data privacy and safety?
If you’re worried about your data (what’s being held and how it’s protected), you should first contact the vendor holding the data to ask what is being held. Then, take steps when providing your data either in-person or online – make sure you understand what data is being captured and how it is being used. We don’t have to become lawyers and read every contract, but at least be aware of the collection statements when entering data. When you have to provide data, be careful about what you opt to share and – if possible – share the minimum.
Thoughts on Data Privacy Day
Data Privacy Day is a great awareness tool and sparks much needed conversations both for individuals and organizations. Educating individuals and organizations on how to protect data is the first step in the battle for data privacy. The true data privacy lessons will come from enforcing regulations such as GDPR or when organizations attacked by cyber criminals quickly take action to fix the lack of data security practices. We need to take responsibility as individuals to protect our data. For those of us in IT, we need to think data protection in all that we do.
By Daren Glenister