Data Privacy Awareness is Not an Objective
It’s time for organizations to realize awareness is not enough to earn back trust when it comes to data privacy. Only by demonstrating in real time a commitment to the protection and integrity of customer data – in line with consumer and regulatory expectations – can organizations change the tone of data privacy.
Data Privacy Day (DPD), January 28, has been a fixture on the calendar since 2007. The international event was started by the National Cyber Security Alliance to raise awareness of data privacy and protection. But 13 years on, increased awareness of how companies collect and use data has done little to alleviate concerns over data privacy.
Research conducted by Statista in 2019 showed more than half of people surveyed are more concerned about the privacy of their data than they were a year prior, and 81 percent of online users in the U.S. felt that their data was “very” or “somewhat” vulnerable to hackers.
CNET’s 2019 Data Breach Hall of Shame didn’t just demonstrate the scale and volume of data breaches, but also their indiscriminate nature. Social media platforms, insurance companies, hotels, hospitals, fast-food chains, financial institutions, dating apps, mobile games, movie theaters, governments and even cybersecurity firms experienced a breach of some sort, exposing tens of billions of pieces of personal data across them all. Security Magazine followed up that report with the top 10 data breaches of 2020; 36 billion records were exposed. A compilation in 2020 of trends in data protection by Data Privacy Manager showed “positive movements in the privacy awareness of individuals,” particularly in younger generations.
With an estimated 2.5 quintillion – a number followed by 30 zeros – bytes of digital information being generated every day, a rate set to accelerate as automated cars, sensors, drones and the Internet of Things (IoT) introduce new formats at a rapid-fire pace, consumers are hyper-aware of their data and how it’s being used (or misused). As the most data-generating, most uploaded, most share-crazy humans in all of history, we are also the most monitored, the most data-crunched and, definitely, the most exposed.
The net result is businesses and their algorithms know far more about us and what’s in the data stores. Add this vast knowledge and power to the absence of any real give-and-take in the value exchange of information and you have businesses able to set their own terms and rules of engagement.
But since the adoption of Europe’s General Data Protection Regulation (GDPR) – and now with the California Consumer Privacy Act (CCPA) and its follow-on California Privacy Rights Act (CPRA) – and other similar laws coming into play, organizations are being forced to be more transparent and create comprehensive privacy and security practices to protect the fundamental rights and freedoms of persons. Where data privacy education and awareness have proven not enough to curb perceived organizational behavior, will regulatory controls and fines do more to lift consumer scrutiny?
Even with new rules coming into effect, researchers found that many companies need to raise their data privacy bar. While some large companies like Microsoft and Mozilla have taken steps to secure user data – extending the principles of CCPA to customers across the U.S. – scores of others haven’t. In an environment where the pace of regulatory change is as dizzying as the rate of technological innovation, organizations need to move past awareness and adopt relevant business processes and strategies that flex to data protection enforcement.
By approaching customer data in the context of all regulatory and legal obligations, as well as business processes and goals, an organization has a better chance of making system and resource changes that are as suitable and sustainable as they are compliant.
Tackling data protection at the information governance level is essential. It’s not enough to simply look at processes as they are and then change them to tick data protection compliance boxes. Companies need to start thinking about data protection like the airbags of IT; not the most exciting feature of a new car and something you don’t see during a test drive, but an essential lifesaving one.
The key here lies in finding the interconnection between consumer trust and the commercial integrity of data collection and management. Sound data privacy planning and implementation can reinforce customers’ trust, help personalize products and services and, by giving consumers control of their data, can also improve data integrity, giving new insights into their habits and preferences.
Adopting a robust information governance framework to protect personal data and making it part of the fabric of a business with technology controls reinforces operational resilience as well as business continuity. An integrated approach to risk management requires real-time updating of very large data sets. The exponentially growing amount of collected data and complexity of applications utilizing it require new innovations in data management and a second look at policy management tools and workflows relating to data processing.
While organizations may not like the breadth and depth of strict data protection laws, they are beneficial to both their customers and their bottom line, even providing a competitive advantage. Data privacy enforcement – not simply awareness – is a great opportunity to be seen as a market leader. By raising the standard in data privacy and protection, organizations can transform a compliance “check box” into a strong foundation for a more trusting relationship with customers.
Where data is the lifeblood of innovation — artificial intelligence (AI), 5G, quantum computing, automation, robotics, and above all, facial recognition — protecting it at all costs should be an organization’s greatest priority.
This blog was updated for Data Privacy Day 2021.