Does your company need a head of data privacy, a data breach response plan, blockchain technology or something else to keep its data safe? Here are some challenges and recommendations.
I wrote about Data Privacy Day to provide some tips and best practices in January, but it takes more than one day a year to properly focus upon data privacy. As a follow-up to see how things are going, I spoke to a few insiders about the concept.
SEE: Security incident response policy (TechRepublic Premium)
Pressing data privacy challenges in 2021
Rina Shainski, chairwoman and co-founder of Duality Technologies, said the key challenges are those concerning the conflict between the public good and individual privacy. “The salience of such conflicts has grown apparent in the context of the global pandemic, with inter-organizational data collaboration increasingly necessary for researching COVID-19, its spreading patterns, correlations between the severity of symptoms and genomic or other demographic parameters, and the efficacy of vaccines or treatments,” she said.
One particularly difficult aspect of this challenge, she said, is facilitating cross-border data transfers. The “Privacy Shield,” which had provided a legal framework for European Union data to be analyzed in the U.S., was revoked in 2020 after a successful legal challenge (the Schrems II ruling). “This is a very striking manifestation of the current data privacy challenges: As a result of Schrems II, it is now extremely difficult for European organizations or companies to transfer data to U.S. partners to extract value from it,” she said.
Shainski predicted more countries and U.S. states will adopt privacy regulations, leading to a more heterogeneous privacy landscape. However, she cautioned, this will pose another major challenge to the supply chain of the global data economy, especially for multinational organizations, which rely on cross-border data flow in their operations.
“Another example of the conflict between public good and individual privacy is in the financial services industry, where institutions face strict AML (anti money-laundering) and KYC (know your customer) requirements, but are also constrained by GDPR and other privacy and secrecy regulations. Such constraints on data sharing make it particularly challenging for financial institutions to effectively fight international money laundering and fraud,” she said.
SEE: Data privacy laws are constantly changing: Make sure your business is up to date (TechRepublic)
Ralph Nickl, founder of Canopy Data Breach Response software provider pointed out another problem: “Organizations face significant challenges in determining if a ‘reportable’ breach has occurred. This is because stipulations for what classifies a data breach versus an incident vary based on law, location and industry. For example, In Florida, a breach is only considered a ‘breach’ if 500 individuals are affected; Washington State is the only state where tribal IDs are protected under breach notification law; and in Washington, D.C., basic contact information is considered PII and must be reported if compromised.”
Nickl pointed out that as data privacy regulations continue to emerge globally, each with discrepant stipulations, fines and response times, complying with the highly fractured regulatory framework will also be a cumbersome challenge for cyber incident response teams.
“Organizations should adopt purpose-built solutions that not only identify compromised sensitive information but can easily translate fragmented pieces of disparate data into a cohesive list of affected individuals requiring notification under privacy laws relevant to their unique projects,” he said.
Experts recommend addressing data privacy pain points
She emphasized the value of privacy-preserving technologies, which are becoming increasingly market-ready, so that businesses can identify those best suited to their particular challenges. Businesses can launch trials on simple, practical use cases and expand the scope of these technologies as confidence grows, helping to bridge the gap between data privacy and data utility.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Nickl suggested that organizations should strongly consider developing data breach response plans and practice them regularly. He also felt it’s important for businesses to assess the maturity and breadth of their vendors to determine if they are capable of handling incidents and breaches. “Unfortunately, today’s era has proved that data breaches are inevitable regardless of preparedness,” he said.
Stephen Cavey, co-founder of data security organization Ground Labs, said, “We cannot solely rely on the average employee to take care of privacy issues. Many organizations, especially big tech companies, must invest in senior professionals specialized in data privacy and compliance, such as chief compliance officers as well as third-party tools and software to help identify and monitor the ever-increasing repositories of data.”
Torsten Staab, Raytheon Intelligence & Space principal engineering fellow and CTO of Raytheon Blackbird Technologies Inc., said, “On the technology side, distributed, secure ledger technologies such as blockchain lend themselves very well to implement advanced, privacy-preserving data access controls.”