How Private is Your Data? How to put privacy back into data?

The world is expected to produce and consume 94 zettabytes of data in 2022 – an amount that will skyrocket to 463 zettabytes per day by 2025. (Raconteur, 2020) It’s an almost unfathomable volume of information to which each Internet user contributes about 1.7 megabytes per second or nearly 147,000 megabytes per day.?

Yet very little of that data is safe from prying eyes and bad actors. By the end of 2022, cybercrime will carry an expected cost of $6 trillion rising to $10.5 trillion by 2025. It doesn’t have to be this way, however. About 80% of data breaches could be prevented with good cyber hygiene practices and education, particularly considering recent findings that about 97% cannot identify a phishing email, leaving 1 in 25 to click on them and open themselves and their data up to cyberattack.?

Leaving things to chance is simply not an option, as cyberattacks have emerged as the fastest growing crime worldwide, led in the U.S. by phishing (38%) and network intrusions (32%). ?

Thus, in the world of data privacy, knowledge is power and regulatory compliance is paramount.

Privacy vs. Security

While data privacy and data security are related, understanding the differences is the imperative first step toward keeping the personally identifiable information (PII) hackers and other bad actors covet safe from harm. ?

Data security is the process by which PII is kept safe from breaches, cyberattacks and other unauthorized access. It refers to the actions taken to ensure data is accurate, reliable, available to authorized users, and safe from accidental or intentional disclosure. Data privacy, on the other hand, refers to governance – the policies and procedures that dictate how data is collected, stored, and shared.?

For example, data security is undertaken with such tools as access management, loss prevention, anti-malware, antivirus, and event management software, while data privacy tools include browser extensions and add-ons, password managers, private browsers and search engines, encrypted messaging, file encryption and advertisement trackers and blockers. ?

An organization can have top-of-the-line security tools and procedures in place, but still be non-compliance with privacy regulations because it fails to obtain required consents to share PII with a business partner. Conversely, it is not possible to achieve data privacy without security.

?

Privacy Regulations

Worldwide, data privacy mandates are piecemeal at best. The United States, for example, does not have federal regulations governing data protections; rather individual states are passing laws to protect its citizens. This creates a complex compliance web for organizations that operate in multiple jurisdictions.?

The European Union (EU), on the other hand, has enacted what many consider to be the toughest and most far-reaching privacy and security laws in the world. The general data protection regulation (GDPR) applies to any company or organization that markets goods and/or services to EU residents regardless of their country of origin. The GDPR is built upon seven key principles – lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability – that guide how PII is handled. Failure to comply can result in massive financial penalties, as Amazon?discovered when it was hit with a €746 million (~$776 million) fine for carrying out advertising targeting without proper consent. WhatsApp was hit with a €225 million (~$234 million) fine for transparency violations. ?

China recently enacted its Personal Information Protection Law, which bears a resemblance to the GDPR in that it requires user consent when PII is transferred abroad and requires the receiving party to inform the individual of how their data will be used if it is different from the original purpose. It also authorizes the Chinese government to block any foreign organizations, companies, and individuals from accessing its citizens’ data and provide retaliatory measures in cases where a foreign government does the same. Further, if an entity needs to move PII beyond China’s borders, it must pass a security assessment; be certified for personal information protection; be concluding a contract with a foreign party in accordance with government standards; or meet “other conditions” set by government agencies.

?

ASEAN's progress on data protection regulations has been uniformed. Currently, Singapore, Malaysia, and the Philippines are the only nations with personal data protection legislation. Thailand is the newest member of ASEAN to pass data protection legislation after the parliament approved the Personal Data Protection Act early in 2019 but only enforced from June 1, 2022, after being postponed due to the pandemic. Indonesia is now close to passing its through the legislative process following a massive data breach in May 2021 involving the sale of personal data belonging to 279 million of its citizens. ?

The GDPR that entered into force on May 25, 2018, brings extra-territorial application, higher standards, tighter rules, and harsher penalties to add pressure to companies and governments in the region and globally. ?As ASEAN and EU engage in significant trade, it is crucial for companies to abide by these rules.

Many ASEAN nations are considering their own data privacy legislation as well as reviewing their current laws considering the EU GDPR may create a comparable regulatory structure to safeguard their citizens and allow local enterprises to operate internationally through comity in regulatory approach.

One such framework is the ASEAN Framework on Digital Data Governance, as part of the Master Plan on ASEAN Connectivity 2025 initiative intended to enhance data management, facilitate harmonization of data regulations among ASEAN Member States and promote intra-ASEAN flows of data. This initiative aspires ASEAN Member States to realize the potential benefits in recognizing that the 10 ASEAN Member States are currently at different levels of economic and data governance maturity.

?

Shared Responsibility

While laws and reputations can force companies and other organizations to protect PII, there remains a level of personal responsibility to not only understand risks but to also practice proper cyber hygiene rather than relying on the data privacy and security policies and procedures of others. At its most basic, good cyber hygiene is protecting what you share online, for example not advertising your planned vacation on social media and taking care not to post photos or other private documents that might inadvertently reveal PII. ?

Truly effective cyber hygiene goes beyond what you share to ensure your data is safe regardless of where and how you store it. Understand encryption levels available for personal computers, smartphones, and any other connected device, and devise strong passwords that are changed frequently. Keep software updated, which helps close any security gaps that developers are made aware off.?

The organizations that collect, store, and share PII are equally responsible for data privacy. Regulatory compliance – while important – should be considered the PII protection floor in most cases. It is imperative to gain a comprehensive understanding of an organization’s privacy and security practices before entrusting data to it. ?

For example, while mobile technologies are popular for their ability to deliver contactless security and frictionless access control, they are only as good as their encryption, credentialling and data protection capabilities. According to HID Global’s 2021 State of Physical Access Control Report, 36% of respondents reported using less secure credential technologies; specifically, 125-kHz low-frequency proximity cards, legacy products that offer convenience and reliability but extremely limited security and privacy. Another 40% reported using even older and less secure technology, including 23% that reported using magnetic stripe cards and 17% using barcode technology – continued use of which exposes organizations to the risk of credential spoofing and cloning.?

However, it is not only legacy technology like cards and barcodes that heighten risk. Multi-technology readers that remain enabled to read legacy and dated credentials after the completion of the migration increase risk as well. Thus, it is important to seek out solutions that are based on evolving standards, such as Open Supervised Device Protocol, that are evolving and therefore future proof.

?

Building Data Trust

KPMG shares several recommended actions organizations can take to shore up what it has identified as the four anchors of trusted analytics, which are quality, resilience, effectiveness, and integrity. These are:

·???????Assess trust gaps by performing an initial assessment to see where trusted analytics are most needed and can therefore be the primary focus.

·???????Clarify and align goals so the organization’s purpose for collecting data and running analytics is clear for all involved. An important aspect of this goal setting is to measure performance and impact and sharing that information with users.

·???????Raise awareness of data and analytics to increase internal engagement among users, including creating a team of decision-makers and IT/business leaders for collaboration.

·???????Build organizational expertise in analytics quality assurance.

·???????Improve and encourage transparency by enabling independent assessments by creating cross-functional teams, third-party reviews, peer reviews, and stronger quality assurance processes.

·???????Build ecosystems that eliminate silos and examine the value and risk that data and analytics can bring to the organization and create cross-departmental teams to build data and analytics communities.

·???????Develop a model for innovation and incentivize employees and teams for innovative processes.

?By taking a proactive approach to hardening anchors, organizations can build an environment of trust in its data privacy and security.

?

Function over Form

Ultimately, the most important consideration when determining the privacy and security of PII is just how high a priority it is for any organization that touches data. More user-friendly options are attractive, but they should not outrank system privacy and PII protection.

?Data, especially, personal data, is of enormous value to the organizations who control it. Its protection should be paramount by using the latest encryption tools and techniques. Hence, an encryption technology refresh should be done every 3-5 years to ensure that such data is kept protected. ?Which is why individuals have the right to understand how well it is safeguarded by those to whom it has been entrusted.

?Most importantly, when the organization “borrowing” their data is not sufficiently transparent about its use and protection protocols, the owners have every right to be forgotten – to have their personal data deleted or “erased” upon request – when information on safeguards is not sufficiently transparent.

The best protection to ensure privacy of PII is to be carried by the individual themselves – leaving little to nothing or part to an uncomplete personal profile to the organization. And if that is not possible, the second best is to share with those who place the highest priority, trust and data governance.