If you read my blogs regularly, you might have noticed that GDPR and data privacy have been a frequent topic over the past year. It’s hard to talk to security professionals or attend security events without data privacy being front and center. And now, thanks to the California Consumer Privacy Act and other state-level privacy and data protection legislation, it’s going to be something we talk about for a long time.
One thing is clear about these privacy regulations: The idea is to put the consumer in control of their own personal information. But Joseph Carson, chief security scientist at Thycotic, made a comment to me in an email conversation that I found striking. He said:
Unfortunately, many large companies have turned consumers into products rather than selling to them. For many organizations, this is an opportunity to understand the data you collect and really make a change about security to reduce the risks of a cyberattack and ensure that adequate security is in place to protect your most valuable assets.
I never thought about it that way, but Carson is correct. Organizations use customer data like a product. It gets bought and sold and used as a way to manipulate consumer habits. That recognition may do little to actually protect consumer information, but it could go a long way in improving your cybersecurity efforts. It becomes a matter of understanding how you use the data and how it works for you.
To understand your organization’s relationship with data, and to comply with all of these new laws and regulations, Carson suggested first performing a data impact assessment: get to know the data you collect, the categories it falls into within your business environment, and the current security controls and risks relating to that data. He added:
Once an organization has performed a data impact assessment, they can then determine how the law and regulations apply to them and what they need to do to be compliant. These laws are all about personal data and the risks associated with collecting, storing, processing or passing personal data to third parties beyond the borders of your own countries.
KJ Dearie, a product specialist and privacy consultant for Termly, also pointed out to me that protecting your data means understanding your data, and also knowing how GDPR and CCPA (and other upcoming laws) will work together. The leading areas of overlap between the GDPR and the CCPA, Dearie told me, are user access and user control. We have the right to know what data is collected and to have a say in how that data should be treated, Dearie said, adding:
The best way to achieve compliance in these arenas – for both the GDPR and the CCPA – is by offering users a Data Subject Access Request (DSAR) form. Such a form allows users to request to access, edit, transfer, or delete the personal data that has been collected from them. As stipulated in the CCPA, you must advertise your DSAR form through a conspicuous link on your website’s homepage, as well as in your privacy policy.
Bottom line: your customers’ data isn’t your product, and it is time to quit treating it like a business commodity.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba