Data Privacy Day, also known as Data Protection Day, is in its 15th year, and commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
With Covid-19 dominating most operations within the past year, and post-Brexit regulations becoming more stringent than ever, it’s vital that businesses consider how they remain compliant while keeping cyber threats at bay.
“There are a million things an organisation should probably consider when it comes to data protection,” said Wim Stoop, CDP customer and product director at Cloudera. “But before they even tackle one of these, business and technical leaders have to ensure their approach to data protection is right.
“Today, many still treat data protection in a reactive rather than proactive manner. The challenge in proactive data management lies in a company’s ability to close the gaps it has in tracking, identifying, and classifying information at scale in real time, as opposed to doing so retroactively. After all, data classification plays a pivotal role in ensuring data protection is upheld.”
Cyber threats have risen since organisations shifted to remote working at the start of the pandemic. This calls for a security strategy that can encompass devices and applications used in homes, and not just in the office.
With this in mind, let’s observe Data Privacy Day by taking a look at what companies need to consider when it comes to data privacy in a post-Covid world, and what measures must be put in place.
Post-Brexit protection by design
The exit of the UK from the EU means that companies across the country that deal with Europe need to take extra steps to ensure they remain compliant. According to Rich Vibert, CEO and co-founder of Metomic, this is made easier by building compliance in from the start of any deployment rather than retrofitting it later.
“This Data Privacy Day, we must confront the fact that UK companies aren’t equipped to protect their data now that we’ve Brexited,” said Vibert. “A large proportion of the responsibility for this lies with the UK government, whose failure to deliver guidance during the transition period resulted in businesses adopting a ‘wait and see’ approach.
“Businesses need to take charge; proactively adapting compliance to UK-GDPR and analysing how a lack of adequacy could impact them and their customers. Only by doing so will they avoid the financial and reputational damage caused by non-compliance.
“Regardless of whether the government holds the blame for the current status quo or not, leaders must see this as an opportunity to reset their approach to data protection. This means putting the privacy, compliance and security of data at the heart of their business strategy and using technology to facilitate this.
“Businesses can do this by embedding technical data protection rules into any solution they build and automating the tokenisation and anonymisation of personal information. With a privacy-first approach, leaders will be able to navigate the uncertain post-Brexit waters we’re now in, without compromising their most valuable asset: their customers.”
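The two ideas raised above, classifying data at scale (Stoop) and automating the tokenisation and anonymisation of personal information in whatever is built (Vibert), fit together in one pipeline: decide what class each field is, then apply the rule for that class. The following is an added Python example written for this article; it is not code from the article, from Cloudera or from Metomic. The field names, the classification rules, the sample record and the HMAC key are all constructed for illustration; a real deployment would take the rules from a data catalogue and the key from a key-management service.

```python
"""Constructed example: classify record fields, tokenise direct identifiers
(reversibly, via a vault), generalise quasi-identifiers (irreversibly),
and leave everything else untouched."""
import hashlib
import hmac

# Assumed classification rules keyed by field name (constructed).
DIRECT_IDENTIFIERS = {"email", "phone", "full_name", "national_id"}
QUASI_IDENTIFIERS = {"postcode", "date_of_birth"}


def classify_field(name: str) -> str:
    """Return 'direct', 'quasi' or 'other' for a field name."""
    if name in DIRECT_IDENTIFIERS:
        return "direct"
    if name in QUASI_IDENTIFIERS:
        return "quasi"
    return "other"


class TokenVault:
    """Reversible tokenisation: a keyed hash stands in for the value in
    downstream systems; the mapping back to the value lives only here."""

    def __init__(self, key: bytes):
        self._key = key
        self._store = {}

    def tokenise(self, value: str) -> str:
        # HMAC rather than a plain hash: without the key nobody can
        # precompute tokens for guessed e-mail addresses or phone numbers.
        # Deterministic, so the same value joins across datasets.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = value
        return token

    def detokenise(self, token: str) -> str:
        """Privileged path: only callers with vault access can reverse a token."""
        return self._store[token]


def anonymise(name: str, value: str) -> str:
    """Irreversibly coarsen a quasi-identifier."""
    if name == "postcode":
        # UK postcode: keep the outward code only ('SW1A 1AA' -> 'SW1A').
        return value.split()[0] if " " in value else value[:-3]
    if name == "date_of_birth":
        # ISO date: keep the year only.
        return value[:4]
    return value


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Apply the rule matching each field's class; return a new record."""
    out = {}
    for name, value in record.items():
        cls = classify_field(name)
        if cls == "direct":
            out[name] = vault.tokenise(value)
        elif cls == "quasi":
            out[name] = anonymise(name, value)
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key-rotate-me")  # placeholder key
    sample = {  # constructed sample record
        "email": "alice@example.com",
        "postcode": "SW1A 1AA",
        "date_of_birth": "1985-06-12",
        "plan": "premium",
    }
    print(protect_record(sample, vault))
```

The split between `tokenise` and `anonymise` is the design point: analytics and support systems receive a record that carries no direct identifier and only coarsened quasi-identifiers, while re-identification remains possible only through the vault, which can be access-controlled and audited separately.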
Clearer communication with users
All consumers looking to make purchases from a vendor online will be familiar with regularly seeing pop-ups asking for consent to use their data, in line with GDPR and other data protection laws. These can sometimes cause confusion, which may lead to users being put off the site altogether if options aren’t clearly communicated.
“Today’s application users have a heightened sense of awareness that data protection is something they should care about,” said Steven Furnell, senior member of the IEEE and professor of cyber security at the University of Nottingham.
“The GDPR-inspired consent questionnaires that we are regularly faced with on entry to websites illustrate just how much the providers would like to collect given the chance. Those users that don’t simply select the ‘accept and continue’ option will have been confronted with a range of approaches to seeking their consent.
“Part of the problem that we face with data protection and privacy is that the related information is traditionally expressed in a language that users cannot readily understand. Not only is it excessively long, but it is phrased in legal, jargon-filled language that most people will not easily interpret in relation to their own use of the service.
“Certain applications have recently made a laudable attempt to communicate things more clearly, with the introduction of ‘privacy labels’ that developers are now required to display alongside the apps they make available. While things are improving in some respects, we still have some way to go in terms of getting people to understand data value and be in a position to more clearly relate it to the sites and services they may be using.”
Evolving with remote working practices
To ensure that employees stay safe from cyber threats while working from home, security leaders need to consider all possible sources that host data.
Peter Lefkowitz, chief privacy and digital risk officer at Citrix, explained: “As a result of the abrupt shift to remote working over the past twelve months, sensitive data now exists outside of offices – specifically, in workers’ homes and on their personal devices, traversing untrusted networks and unsanctioned, or at least untrusted, cloud services. Yet unfortunately, most enterprise policies are designed to protect data and apply physical and technical safeguards within the enterprise, not the minimum-security environment of workers’ homes.
“To address the problem, organisations must evolve their capabilities beyond the current model of controlling sensitive data distribution, which is heavily dependent on access rights, workers’ actions (or inactions), and flagging compliance-impacting events after they’ve happened. With IoT and analytics expanding our concept of sensitive data – by type, volume, depth and meaning – the need for a more encompassing approach is more urgent than ever.
“By applying risk-based protection and security analytics, organisations can tailor access to different files and systems based on where somebody is and how they’re working. This should, as always, be coupled with focus on the basics, including minimising collection, minimising data where possible, and managing user personas and credentials.”
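A minimal version of the risk-based access decision Lefkowitz describes, where the same request gets a different answer depending on where the user is and how they are working, as an added Python example written for this article; it is not code from the article or from Citrix. The risk signals, their weights, the per-classification thresholds and the sample contexts are constructed assumptions, and the `evaluate` function emits the kind of event a security-analytics pipeline would consume.

```python
"""Constructed example: a risk-based access decision for one request."""
import math
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class AccessContext:
    user: str
    device_managed: bool         # enrolled in MDM / carries the required agent
    network_trusted: bool        # corporate LAN or VPN, versus home or public Wi-Fi
    mfa_recent: bool             # strong second factor within the session window
    country_matches_usual: bool  # location consistent with the user's baseline


# Per data classification: (max score for full access, max score for reduced
# access). Above the second value the request is denied. Constructed values.
POLICY = {
    "public": (math.inf, math.inf),
    "internal": (2, 4),
    "confidential": (0, 3),
    "restricted": (0, 1),
}


def risk_score(ctx: AccessContext) -> int:
    """Weighted sum of risk signals; 0 means the request looks like the office."""
    score = 0
    if not ctx.device_managed:
        score += 2
    if not ctx.network_trusted:
        score += 1
    if not ctx.mfa_recent:
        score += 1
    if not ctx.country_matches_usual:
        score += 2
    return score


def decide(ctx: AccessContext, classification: str) -> str:
    """Return 'allow', 'view_only', 'step_up' or 'deny'."""
    full, reduced = POLICY[classification]
    # Hard rule independent of the score: restricted data never leaves
    # managed devices or the user's usual region.
    if classification == "restricted" and not (ctx.device_managed and ctx.country_matches_usual):
        return "deny"
    score = risk_score(ctx)
    if score <= full:
        return "allow"
    if score <= reduced:
        # Reduced access: ask for a fresh factor if the session lacks one,
        # otherwise permit viewing but not download or export.
        return "step_up" if not ctx.mfa_recent else "view_only"
    return "deny"


def evaluate(ctx: AccessContext, classification: str, resource: str) -> dict:
    """Decision plus the audit event handed to security analytics."""
    return {
        "resource": resource,
        "classification": classification,
        "decision": decide(ctx, classification),
        "risk_score": risk_score(ctx),
        **asdict(ctx),
    }


if __name__ == "__main__":
    # Constructed contexts: same user and file, different working conditions.
    office = AccessContext("alice", True, True, True, True)
    home_wifi = AccessContext("alice", True, False, True, True)
    byod_cafe = AccessContext("alice", False, False, False, True)
    for ctx in (office, home_wifi, byod_cafe):
        print(evaluate(ctx, "confidential", "finance/q4-forecast.xlsx"))
```

The useful property is that the decision is made before the data moves, rather than flagging the download afterwards: the same file is fully available in the office, read-only over home Wi-Fi on a managed laptop, and denied from an unmanaged device with no recent second factor.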
Protecting credentials
As organisations continue to adapt while operating remotely, they may find that new login credentials are needed for a particular application, or that existing credentials have been forgotten.
According to Ian Pitt, CIO at LogMeIn, keeping such details protected from attackers means restricting their distribution to when it is absolutely necessary, as well as putting password management processes in place.
“Attackers can easily compromise shared information, so organisations should be limiting information on shared channels,” said Pitt. “When sharing logins or passwords, call co-workers rather than writing them down, or utilise a secure password-sharing application that requires additional verification of a user’s identity before granting access.
“Using enterprise password management and single-sign-on technologies will not only help reduce potential unauthorised login risks, but also provide the IT team with further visibility into who has access to specific resources. Moreover, organisations are able to integrate their domain, SaaS applications and even customer applications, ensuring every entry point is secured.
“Additionally, virtual meetings can be listened in on, so always mandate passwords when setting up new meetings and share passwords separately from the invite itself. Most major video conferencing providers now also offer end-to-end encryption for meetings, and utilising this feature adds another layer of security, making it more difficult for anyone outside the meeting to access the conversation.”