Data Privacy and Protection: Why does it matter for your business?
What is data privacy?
Big Data has reshaped the way people interact, conduct business, and innovate. By managing the volume, velocity, variety, and veracity of data, companies can potentially make data-driven decisions that significantly improve a firm’s efficiency, competitiveness, and profitability. Hence, data is an important asset to any company. Data is not only valuable to companies, but also to cyber criminals. Besides financial loss, stolen valuable data can lead to identity thefts and credit loss, which impose more long-term effects on consumers. In some cases like modified health information, it could even cause life-threatening situations. With the growing numbers in data privacy and security breaches, consumers are becoming more aware of and taking these incidents into account when making a purchase decision. So what are the types of data that companies need to pay attention to?
Under the Europe General Data Protection Regulation (GDPR), personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’)”. The information can be directly identifying (e.g. name, identification number, phone number, etc) or indirect pseudonymous data that cannot be specifically attributed to any data subjects without any additional information (e.g. name replaced with a unique number). Basically, identifiers that are specific to the physical, physiological, genetic, mental, economic, cultural, and/or social identity aspects of a person.
Why is data protection needed?
Penalties are harsh when it comes to violation of the GDPR. It can cost up to $23 million USD or 4% of the company’s annual global revenue, whichever greater. Note that GDPR protects all EU citizens, including those who live abroad. This means that even if a company is not situated within the EU area, its operations are still bound by the GDPR as long as it conducts business with EU citizens. In Canada, there are similar data privacy laws that oversee the collection of personal data in the course of commercial business and one of them is the Personal Information Protection and Electronic Documents Act (PIPEDA). Companies can pay up to $100,000 CAD per violation, i.e. to each individual affected by and not notified about the data breach. Besides fines, depending on the country or region, senior executives can also lose their jobs or even be sentenced to jail time if the violations are deemed intentional.
Brand Name/Competitive Advantage
Complying with data policies is not just a legal requirement, but also a way to maintain a firm’s brand name and competitiveness. In 2018, Facebook’s market value fell by more than $35 billion USD during the Cambridge Analytica scandal, where 87 million user profiles were leaked. Incidents like this have shown that security breaches undoubtedly damage trust and reputation. Later in the year when the GDPR started to take effect, Facebook has lost 3 million European daily active users and upon publishing its financial reports for the quarter, Facebook’s company value dropped by $120 billion USD over the night. Sometimes, it may even take more than just abiding by the privacy laws to maintain customer relationships. According to a Deloitte survey, 86% of global customers are very or fairly likely to cut ties with an organization if the entity used data unethically. The expectations for ethical practices are shifting constantly, so it is essential for firms to continuously seek improvements in protecting consumers’ data.
How to ensure data privacy?
Your applications or vendors should follow the recommendations laid out by the GDPR when it comes to storing and handling data — pseudonymization. The below are a few techniques:
- Encryption: Scramble data into an unreadable form by making use of encryption and decryption keys. Make sure the keys are different (asymmetric encryption) and store them in different places, separate from the pseudonymized data.
- Masking: Hide important parts of data but still provide a certain degree of identification (e.g. credit card numbers like **** **** **** 4242) without modifying the original data.
- Tokenization: Replace sensitive data with non-sensitive data (i.e. surrogate value called a token) and store the information separately.
Measures to take in strengthening security within the company
- Provide training and guidelines: Humans are vulnerable to social engineering and is often one of the major factors causing security breaches. Ensure that employees know what information should be kept within the company and their responsibility in keeping it safe. Prepare a set of guidelines that carefully outlines the best practice of data protection and steps to take to minimize disruption and loss from a security breach.
- Perform regular privacy audits within the company (e.g. certify firewalls, anti-virus software, data accuracy and quality) and track partners and/or vendors’ usage of the company’s data passed on to them, including customers’ personal information.
- Do not store private information like database credentials and API keys in the server (including the source code, database, and environment variables), even if it is encrypted.
- Implement Role Based Access Control: In a system, most users do not need to have administrator authority to carry out their daily tasks. Limiting the users to only gain access to information that pertain to them can significantly lower the chances of the company’s sensitive or confidential information being compromised, especially when the daily user base is large.
- Use Multi-Factor Authentication (MFA): Prompt customer for two or more means of authentication to verify their identity. In comparison to only using a single password, MFA offers a better protection for user credentials and resources that the user has granted access to.
Data security is often overlooked because for most businesses, it is merely a cost centre and the return on investment is hard to justify due to the intangible nature of data security’s role in daily operations. Hence, companies may be motivated to only meet the bare minimum standards as outlined by the law. However, in the long run, data security can pose huge threats on the company’s financials and reputation. Like most other spending, it is impossible to dedicate an infinite amount of budget on security. By doing risk and cost-benefit analyses, you can come up with a strategy that balances between cost and security and can potentially turn that into a competitive advantage!