You may not have noticed, but it’s Data Privacy Day (DPD) – known in Europe as Data Protection Day – today.
With the best will in the world, these awareness-raising initiatives have had limited success in the past. But with issues like the EU General Data Protection Regulation, Safe Harbor, and Microsoft’s legal tussle with the US Department of Justice all coming to a head, privacy has never been more high profile.
So what can we learn about the state of privacy in 2016 as the big day itself kicks off? The event began life as the European Data Protection Day. It was set up by the Council of Europe in 2007 to fall on the day in 1981 when the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature by the Council. The US Senate recognized DPD on the same date two years later and the rest is history.
Consumers vs Government
It’s never been more important for consumers to understand the digital footprints they can leave online, and the information being collected about them that they probably don’t even realize.
A new video from the National Cyber Security Alliance – the US non-profit involved with the event – has three handy tips: First, it recommends netizens think about personal info like money. “Be thoughtful about who gets that information and how it is collected,” it says. Next up, it urges consumers to “share with care” – that is, understand that a post can last a lifetime so think clearly about how it may be perceived in the future. And finally: “post only about others as you have them post about you.”
David Gibson, VP of strategy at Varonis, argues that detecting and preventing privacy abuses is a big data challenge. “You can’t manage what you don’t monitor, and it’s impossible to detect the abuse of an asset unless you’re monitoring how it’s being used,” he tells Infosecurity.
“A big part of the problem for most organizations is that looking at unstructured data access has traditionally been a blind spot—many of the platforms that have been and still are used simply don’t provide good ways to monitor access, so it’s left to related auditing, like network logs, to fill that gap. The issue is that no matter how much related data you look at, unless you’re analysing actual data access it’s extremely difficult to detect fraud.”
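Gibson’s point is that abuse is only detectable when you look at the data-access events themselves rather than adjacent telemetry. The following Python script is an added illustration, not code from Varonis or from the article: it parses constructed file-access audit lines (the log format, share names, users and thresholds are all assumptions made up for the example), learns which shares each user normally touches, and then flags two simple signals over a later window: a user reaching a share outside their baseline, and a user reading an unusually large number of files on shares tagged sensitive.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines in an assumed "timestamp user action path"
# format. They are illustrative only and not output from any real product.
BASELINE_LOG = """\
2016-01-25T09:01:10 alice READ /shares/hr/payroll-2015.xlsx
2016-01-25T09:15:42 alice WRITE /shares/hr/onboarding.docx
2016-01-26T10:02:03 alice READ /shares/hr/benefits.pdf
2016-01-25T11:30:00 bob READ /shares/eng/design.md
2016-01-26T14:12:55 bob WRITE /shares/eng/build.log
"""

DETECTION_LOG = """\
2016-01-28T08:55:01 alice READ /shares/hr/payroll-2015.xlsx
2016-01-28T02:10:11 bob READ /shares/finance/q4-forecast.xlsx
2016-01-28T02:10:19 bob READ /shares/finance/salaries.csv
2016-01-28T02:10:27 bob READ /shares/finance/board-minutes.docx
2016-01-28T02:10:33 bob READ /shares/finance/merger-memo.pdf
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>READ|WRITE|DELETE)\s+(?P<path>/\S+)$"
)

# Assumed classification of which shares hold personal or otherwise sensitive data.
SENSITIVE_SHARES = {"hr", "finance"}


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    parts = event["path"].split("/")  # '/shares/hr/file' -> ['', 'shares', 'hr', 'file']
    event["share"] = parts[2] if len(parts) > 2 else ""
    return event


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match the format."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def build_baseline(events):
    """Map each user to the set of shares they accessed in the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["user"]].add(ev["share"])
    return baseline


def detect_anomalies(baseline, events, bulk_threshold=3):
    """Return (user, signal, detail) alerts for the detection window.

    new_share      : user touched a share absent from their baseline (one alert per pair)
    bulk_sensitive : user performed >= bulk_threshold accesses on sensitive shares
    """
    alerts = []
    seen_new = set()
    sensitive_counts = Counter()
    for ev in events:
        user, share = ev["user"], ev["share"]
        if share not in baseline.get(user, set()) and (user, share) not in seen_new:
            seen_new.add((user, share))
            alerts.append((user, "new_share", share))
        if share in SENSITIVE_SHARES:
            sensitive_counts[user] += 1
    for user, n in sorted(sensitive_counts.items()):
        if n >= bulk_threshold:
            alerts.append((user, "bulk_sensitive", n))
    return alerts


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(DETECTION_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

In the constructed data alice’s single read of an HR file she normally uses raises nothing, while bob’s burst of reads on a finance share he has never touched raises both signals; the same two checks applied to network logs alone could not distinguish the two, which is the gap Gibson describes.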
Jonathan Sander, VP of product strategy at Lieberman Software, argues that most Americans think their privacy is pretty well protected merely if they’re not getting much spam.
“The idea that there’s a whole market for their private data and the idea that the privacy policy they hastily clicked to agree lets their data be sold on the open market never occurs to them,” he tells Infosecurity.
“You can hardly blame citizens for being confused because the government hasn’t really made up their mind, either. There are no comprehensive laws dealing with data privacy enacted, but there are many confusing bits of law that don’t form any rational whole.”
In fact, the US government itself can often play the bad guy when it comes to privacy. It’s currently being taken to court by Microsoft after it served the US giant with a subpoena requesting emails related to a crime suspect, despite these being stored on a server in Ireland.
“The case calls into question all the basics of the privacy question. Who owns an email, the author or the cloud service provider? If the elasticity of the cloud means a document finds itself stored off US soil, does the DOJ have the right to get it without dealing with the other governments involved?” Sander asks.
“Privacy, in the end, is a legal matter. Both the high courts and the legislature have yet to have their full say on privacy. Can we blame the average person if they also have more questions than answers when they attend their local Privacy Day event?”
The European Question
If boardrooms haven’t moved privacy right up on their priorities list yet they soon will, with the EU General Data Protection Regulation about to be ratified. It threatens to levy fines of up to 4% of global annual turnover for serious contravention of the regulation – a fact which will certainly force CEOs to pay attention, according to Jonathan Armstrong, partner at compliance firm Cordery.
“The European authorities have a working template with competition law fines which have raised (on their figures) around €6.5bn in the last five years,” he tells Infosecurity by email.
“Even a fraction of that for data protection violations would get board level attention. In addition tight reporting deadlines for data breaches mean CIOs have to plan ahead more – we are seeing that already in the policies, processes and training we are doing.”
Gemalto data protection CTO, Jason Hart, agrees, arguing firms must start planning now, especially as the GDPR will mandate any serious breaches be notified within 72 hours.
“What we will see, as a result of the regulation coming into place, is more people developing an understanding and personal opinion on the regulation as it starts to affect consumers and not just businesses,” he tells Infosecurity.
“The companies that are affected by the change need to make sure they’re ready to answer the consumer’s questions and concerns and take the regulation as seriously as possible to make sure they gain and maintain customer trust and loyalty.”
But Rackspace senior director for legal, Lillian Pang, argues that “the individuals who will be impacted by the new GDPR barely know of its existence, let alone what it says.”
“Although organizations’ opinions may change when the GDPR comes into force, the impacts on individuals may be determined by whether or not firms choose to re-visit their data privacy processes for compliance purposes,” she tells Infosecurity.
“Rightly or wrongly, compliance is a costly investment for any organization and companies will have to weigh up the risks and costs of compliance versus staying afloat or profitability.”
Worth the Effort?
In the end, are awareness-raising exercises like Data Protection Day really worth the effort? After all, as we’ve seen, there are plenty of major issues in the news at the moment already raising the profile of data privacy to consumers and businesses.
Privacy consultant, Martin Hoskins, believes that big name data breaches actually do a better job of raising awareness. “If nothing else, the recent TalkTalk breach has reminded C-suite officers that it is they who will be required to deal – often at no notice at all – with media enquiries. It is no longer acceptable to expect more junior employees to media-manage these incidents,” he says.
“Many firms are starting from a pretty low base, but it is encouraging to see an increasing number seeking advice on what good information management practices actually look like.”
But any effort aimed at raising awareness is a bonus, according to Rackspace’s Pang. “Such campaigns need to ensure they target the right audience, particularly individuals rather than the privacy specialists in this field,” she argues.
“Data privacy is in a defining era, especially in respect of the speed of change in technology and how individuals utilize technology. Data is the new currency and individuals need to understand the impact of sharing and protecting that invaluable currency.”