Data Privacy Day is nearly here. January 28, 2020 marks the 14th such day since the launch in Europe of Data Protection Day in 2007. Privacy and protection are often used interchangeably, and both are concerned with ensuring that data is kept safe. Yet organizations are consistently failing to keep safe the personally identifiable information (PII) they hold about individuals.
For the purposes of simplicity, this research will refer to Data Privacy Day as also including the alternative name Data Protection Day. Marking the day is designed to raise awareness of data privacy and promote good practice to protect information.
Maintaining the privacy of data about individuals is a legal matter, taken seriously by many countries and regions. Beyond GDPR, for example, there is the California Consumer Privacy Act (CCPA) brought into force earlier this month, the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and in Singapore the Personal Data Protection Act. Any breach of the rules can carry a heavy fine or penalty. Aside from the financial implications, company reputation can be held up to scrutiny in case of a breach, especially when the ethical aspects of not taking proper care of the data in an organization's possession come into the discussion.
Data privacy continues to be a challenge for enterprises. Organizations of all sizes and sectors are struggling – for example in the UK, Dixons Carphone was recently fined £500,000 after a security breach compromised the data of millions of people. The financial penalty could potentially have been much greater if the breach had taken place after GDPR came into effect (up to 4% of annual turnover for a serious breach). A lapse in securing PII was also recently discovered where someone (as yet unidentified) had stored job applications, including passport information, on Amazon Web Services (AWS). AWS has since taken down the offending database but nevertheless, how many more instances of this kind of failure to follow basic privacy rules will be evident across all large-scale, data-driven offerings, particularly those hosted on public clouds?
Organizations must get a handle on instances of PII that have been created, yet they struggle to deal with the information lifecycle (create, process, store, transmit, destroy) and as such there are frequent occasions when data is not managed appropriately. Taking stock of the information footprint (data discovery) is a big task, but an essential first step that should be closely followed by the appropriate classification (cataloging) of discovered information assets. Only then can security controls (using people, process, and technology) be applied to protect data.
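As an added illustration of the discovery-then-classification step described above (example code written for this page, not from the original article or any vendor's product), the Python below scans a handful of constructed records standing in for a job-application store, detects PII with assumed regex patterns, assigns each record a sensitivity tier, and flags records older than an assumed retention period for the "destroy" stage of the lifecycle. The patterns, the tier names and the 365-day retention period are all assumptions for the sake of the demonstration.

```python
import re
from datetime import date, timedelta

# Constructed sample records standing in for a job-application store (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "field": "applicant_email", "value": "jane.doe@example.com", "created": "2018-03-01"},
    {"id": 2, "field": "passport_no", "value": "GB1234567", "created": "2018-03-01"},
    {"id": 3, "field": "phone", "value": "+44 20 7946 0000", "created": "2019-11-15"},
    {"id": 4, "field": "job_title", "value": "Software Engineer", "created": "2019-11-15"},
    {"id": 5, "field": "notes", "value": "Contact via mary@example.org or 0207 946 0123", "created": "2020-01-10"},
]

# Detectors: assumed formats chosen for illustration. A real deployment would tune
# these per jurisdiction and validate matches (check digits, known prefixes) to
# reduce false positives before anything is catalogued.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # Phone: optional country code, then digit groups separated by space or dash.
    "phone": re.compile(r"(?:\+\d{1,3}[ -])?\d{2,5}(?:[ -]\d{3,5}){1,3}"),
    # Assumed passport-like format: two upper-case letters followed by seven digits.
    "passport": re.compile(r"\b[A-Z]{2}\d{7}\b"),
}

# Sensitivity tiers (assumed): identity documents are handled more strictly than
# contact details, and a record takes the highest tier of anything it contains.
TIER = {"passport": "restricted", "email": "confidential", "phone": "confidential"}
TIER_RANK = {"public": 0, "confidential": 1, "restricted": 2}

RETENTION_DAYS = 365  # assumed retention period for applicant data


def discover(value):
    """Return the set of PII kinds found in a single stored value."""
    return {kind for kind, rx in DETECTORS.items() if rx.search(value)}


def classify(kinds):
    """Map the discovered PII kinds to the highest applicable sensitivity tier."""
    tier = "public"
    for k in kinds:
        if TIER_RANK[TIER[k]] > TIER_RANK[tier]:
            tier = TIER[k]
    return tier


def catalog(records, today_iso):
    """Build the inventory: per record, the PII it holds, its tier, and whether
    it has outlived the retention period (only PII-bearing records are flagged)."""
    today = date.fromisoformat(today_iso)
    entries = []
    for rec in records:
        kinds = discover(rec["value"])
        created = date.fromisoformat(rec["created"])
        expired = (today - created) > timedelta(days=RETENTION_DAYS)
        entries.append({
            "id": rec["id"],
            "field": rec["field"],
            "pii": sorted(kinds),
            "tier": classify(kinds),
            "past_retention": expired and bool(kinds),
        })
    return entries


def summary(entries):
    """Counts by tier plus the record ids that should be scheduled for destruction."""
    counts = {}
    for e in entries:
        counts[e["tier"]] = counts.get(e["tier"], 0) + 1
    to_destroy = [e["id"] for e in entries if e["past_retention"]]
    return counts, to_destroy


if __name__ == "__main__":
    inventory = catalog(SAMPLE_RECORDS, "2020-01-28")
    for entry in inventory:
        print(entry)
    print(summary(inventory))
```

The inventory produced by `catalog` is the input to the controls stage: the tier tells you which records need encryption, stricter access control or segregation, and the `past_retention` flag drives the destroy step, which is where the job-application store described above went wrong by keeping passport data it no longer needed.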
Those responsible for data privacy at an organization should provide the same level of protection to the data it holds about individuals as they would expect other organizations to apply to data about themselves. Only then can we be sure that Data Privacy Day is making an impact.