Awareness of data privacy risk is foundational to a strong cybersecurity program that protects the data of your organization, employees, and customers. In a recent webinar, Ginny Lee, the Americas Privacy Officer at Cisco, explained how increased data privacy concerns influence government regulations, the management of a remote workforce, and new technology adoption. Read on for Lee’s best practices on what IT and non-IT business leaders can do to quickly identify data privacy and security risks across all departments and what’s needed to fill the gaps.
Privacy is one of those terms that has many different definitions. Online privacy, territorial privacy, and bodily privacy are three buckets that fall under the larger privacy umbrella. Each might hold a different weight in terms of value depending on your experience, lifestyle, or goals. For example, younger generations seem to be much more conservative when it comes to bodily privacy versus online privacy.
As social networks grew in popularity, more people began sharing more information about themselves online. Unfortunately, many people don’t understand how much information they are providing, let alone how it is being used, who has access to it, or how it’s being shared. In recent years, this awareness has been growing. However, it’s still crucial for organizations to understand the intent behind their collection of user data – whether from employees or the general public – to ensure their privacy.
Rules and Regulations
The General Data Protection Regulation (GDPR), passed in 2016, has led the way for data protection and privacy regulation. The California Consumer Privacy Act of 2018 (CCPA) was soon to follow, becoming the first comprehensive privacy law by a state in the U.S. Virginia also recently passed a privacy law that will begin to be enforced in 2023. Other states have privacy laws in the works, and California is even adding requirements to the CCPA. In the coming years, organizations that have focused on GDPR as a guideline for their privacy foundation should be aware of what to expect as more states follow suit.
Still, there is a void at the federal level in the United States, which doesn’t have a comprehensive privacy law. The more states we see introduce and pass these privacy laws, the more they will shape future federal laws in the same area. Canada and Brazil have already passed their own privacy laws as well; it’s only a matter of time for the United States.
No Privacy Without Security
Privacy and cybersecurity go hand in hand. For example, there is so much data going into so many different buckets when it comes to supply chain security and privacy. Even organizations with robust security have experienced incidents that put their data at risk. Unfortunately, we will never be able to protect everything 100% (unless we limit information sharing to zero), so it then becomes a question of enacting and enforcing generally accepted privacy principles.
So, where do we go from here? As user demand grows and more laws become solidified, organizations are best served to follow three pieces of advice.
1. Conduct a data inventory – Determine what types of personal information your organization is collecting and how it is being used. Most organizations aren’t fully aware of what information they have gathered about users and employees, making it challenging to classify data and define its proper usage.
3. Educate everyone about privacy and cybersecurity – Turn your employees into their own cyber defenders and provide training and education on not just the basics of privacy and cybersecurity but any specifics that are most relevant to your organization and the potential risks it faces.
Comprehensive cybersecurity and privacy can be complicated and expensive, but they don’t have to be. Learn more about how Defendify can help you streamline cybersecurity across people, process, and technology.