2021-01-06

Unless you've been living under a rock, you must have noticed that privacy has become a huge buzzword among companies and professionals worldwide.

Regulations such as the General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and have had far-reaching consequences. Its first victim, Google, was fined US$56.8 million for failing to provide users with enough information about its data consent policies. GDPR was created to ensure adequate protection of customers' personally identifiable data. This implies that there should be strong controls around how data is created, stored, used, shared, archived and destroyed within the organisation and by its vendors and affiliates.

Importance of having a privacy programme within the organisation

Technological innovation has advanced to the point where products and services have become intrusive and invasive, increasing data risks for businesses and consumers. GDPR and other regulations now hold companies accountable for adequately securing the consumer data they collect and use. Organisations face an incredibly complex risk portfolio when ensuring that personally identifiable data is protected. Implementing a robust and comprehensive privacy programme within your organisation can help to curtail and mitigate privacy risks.

Common privacy violations

Organisations often unintentionally violate individual privacy rights. Violations occur when data processing is not carried out in accordance with the applicable data protection guidelines and the originally intended purpose. Some scenarios include:

- Processing personal data without consent.

Under GDPR, individuals have more control over their data; therefore, consent must be given through a clear, explicit action. In practice, this means a mechanism should be in place that allows individuals to give deliberate consent; pre-ticked boxes do not qualify.

- Not allowing customers to opt out of having their data processed.

Individuals reserve the right to request, without giving any reason, that their data no longer be processed. Therefore, policies and procedures should be created to allow users to withdraw consent, which should prompt data owners/controllers to discontinue processing.

- Clients' and customers' data being accessed without adequate controls.

Organisations whose strategic goals and initiatives revolve around processing large amounts of data sometimes have trouble tracking that data during use or afterwards. For example, files containing sensitive or personal information may remain on peripheral devices or servers after they have served their intended purpose.

- Third-party data sharing not adequately monitored.

Information is sometimes shared between companies and their third-party partners and vendors, often through removable media or e-mail. The problem is that the data controller no longer controls the data once it has left their environment.

- Storing sensitive data in plain text.

GDPR's mandate for “the pseudonymisation and encryption of personal data” is violated if a business stores such personal data in plain text. It is the responsibility of the data controller to anonymise and mask the sensitive data held in their environments.
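What pseudonymising and masking a record before storage looks like in code, as an added example that is not part of the original article. It assumes a hypothetical customer record with email, phone and national_id fields, and a pseudonymisation key that is held separately from the data store (in practice loaded from a key-management system, so the tokens cannot be reversed by someone who only obtains the database). Direct identifiers are replaced by keyed HMAC tokens, which stay linkable for analytics without revealing the value; the phone number is kept only in masked form; and a short helper shows why an unkeyed hash is not pseudonymisation.

```python
"""Pseudonymisation and masking of personal data before storage.

Added example, not code from the original article. Field names and the
key-handling arrangement are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Iterable

# Key generated per run here only so the example runs offline. A real
# deployment loads a persistent key from a KMS/HSM: tokens must be stable
# across runs, and the key must never sit next to the data it protects.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a keyed token for `value`.

    HMAC-SHA256 is used rather than a plain hash: a plain SHA-256 of an
    e-mail address can be matched against a list of candidate addresses,
    whereas the HMAC cannot be recomputed without the key. Input is
    normalised so "Alice@Example.org " and "alice@example.org" map to the
    same token and records for one person remain linkable.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def mask(value: str, visible: int = 4, mask_char: str = "*") -> str:
    """Keep only the last `visible` alphanumeric characters, e.g. for a
    support screen where an agent confirms "the number ending in 0123"."""
    chars = "".join(ch for ch in value if ch.isalnum())
    if len(chars) <= visible:
        return mask_char * len(chars)
    return mask_char * (len(chars) - visible) + chars[-visible:]


def protect_record(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Transform a plaintext record into the form that is safe to store.

    Direct identifiers become keyed pseudonyms, the phone number is kept
    only masked, and non-identifying attributes pass through unchanged.
    """
    return {
        "customer_token": pseudonymise(record["email"], key),
        "national_id_token": pseudonymise(record["national_id"], key),
        "phone_masked": mask(record["phone"]),
        "country": record["country"],
        "plan": record["plan"],
    }


def contains_plaintext_identifiers(stored: dict, original: dict) -> bool:
    """Control check: does any original direct identifier survive verbatim
    in the stored record? Should be False after protect_record()."""
    stored_values = {str(v).lower() for v in stored.values()}
    return any(
        original[field].lower() in stored_values
        for field in ("email", "phone", "national_id")
    )


def unkeyed_hash_is_reversible(value: str, candidates: Iterable[str]) -> bool:
    """Why the key matters: an unkeyed SHA-256 of a value can be matched back
    to it by anyone holding a list of candidate values, so it provides no
    real pseudonymisation. Returns True when the match succeeds."""
    digest = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return any(
        hashlib.sha256(c.encode("utf-8")).hexdigest() == digest for c in candidates
    )


if __name__ == "__main__":
    # Constructed sample record; not real personal data.
    plaintext = {
        "email": "Alice.Example@example.org",
        "phone": "+44 7700 900123",
        "national_id": "AB123456C",
        "country": "GB",
        "plan": "premium",
    }
    safe = protect_record(plaintext)
    for field, stored in safe.items():
        print(f"{field}: {stored}")
    print("plaintext identifiers present:",
          contains_plaintext_identifiers(safe, plaintext))
```

The tokens are deterministic under a given key, so a breach-notification or deletion request can still be matched to the right rows by recomputing the token, while a copy of the table alone reveals neither the e-mail address nor the national ID.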

Implementing Privacy

To implement privacy within your organisation, you must first determine how far privacy should be incorporated into the business's operations, by considering the kind of data you collect and matching it against your company's strategic goals. You must also understand the information privacy laws of the jurisdictions in which your clients operate and reside. Organisations can comprehensively assess their procedures and controls by carrying out a privacy impact assessment.

Conclusion

New and looming data privacy legislation reflects growing public concern about the protection and ownership of personal and sensitive information. It is essential for organisations that touch personal data to re-evaluate their IT security infrastructure along with their data privacy and protection policies. Are your IT security solutions able to communicate effectively, regardless of where they have been deployed, so as to protect data optimally and provide network-wide visibility? Does your network include enough data protection measures, such as threat detection and data loss prevention? And finally, have you documented, and more importantly tested, your data-breach response plan?

If you are the data protection officer responsible for your organisation's regulatory compliance, are you prepared to answer yes to the above questions? That is the only way today's organisations will be ready for the new data privacy regulations on the horizon.