Commemorating data privacy rights and regulations should be a daily habit, not something that gets more attention once a year.
With the global drive to digitize and digitalize, everything that can be converted to bits and bytes can now be stored as data for analysis and monetization.
The power of amassing useful data has brought many advantages to industry, but as history has shown, that power is a double-edged sword.
Many organizations have been caught abusing sensitive personal data to exert subtle control over consumer behavior or gain unfair advantages in their marketing or branding strategies. Slack management of that data has been exploited by cyberattackers looking to gain access to accounts or perpetrate fraudulent, social-engineering and politically motivated financial crimes.
For readers who are still not clear as to why the world needs to mandate data privacy compliance more vigorously, here is a little FAQ compiled from cyber experts:
Q: Why is data privacy (for corporates and consumers) relevant to everyone?
A: When there are options to purchase an item or service, brand reputation is a key element in the selection process. Effectively, the purchaser expects delivery of a quality product, and that the supplier will stand behind its products and stand ready to provide support if required. Since almost every activity nowadays involves personal data—even to the degree of a simple credit card transaction in a shop—businesses that fail to properly manage the data their customers willingly share will risk damaging their reputation and by extension break the hard-earned trust their customers have placed in them.
Q: What can be done to build trust—or to break it?
A: It is far easier to break trust than to build it, or rebuild it. Trust is effectively a series of small successes that in the aggregate represent the value of a brand. An organization that requests a minimum of data from its customers and only retains it for the minimum time period required to satisfy the customer’s expectations reduces its potential exposure to and within a data breach. After all, the only data contained in a data breach is data that was available to breach, so it stands to reason that an abundance of customer data and profiles increases the interest cybercriminals may have in targeting specific businesses.
Q: How can businesses rebuild trust after an incident or breach?
A: Transparency, simplicity and consistency are keys to restoring trust. Be transparent about the nature of the attack, which weaknesses were exploited, when it occurred and why specific customers may be impacted. The more complex communications are, the more likely some customers will view that complexity as being part of an effort to paint the business in a positive light. Accept and own accountability/responsibility for the breach, and outline the steps taken to prevent similar attacks from being successful in the future. Of course, never change details on the attack without legal and ethical cause. While regulators may require the additional information, they are also positioned to interpret that information within the context of the attack—and often without any biases a customer may have on the situation.
Q: Should organizations be transparent about their data collection and privacy policies, and how?
A: Privacy statements that are written in plain language can detail what information is collected and why it is required. In addition to being transparent, ensure that internal software development teams understand the implications of the privacy statements and how the entire organization must operate in line with the declarations. After all, the last thing a business wants is to have a clear privacy statement, and then have a development team implement software changes in ways that invalidate that statement.
—Contributed by Tim Mackey, Principal Security Consultant, Synopsys Software Integrity Group
Q: How should ordinary people be made aware of their data privacy rights and the need to be vigilant in their day-to-day activities?
A: Data privacy reform has changed global digitalized communities forever. As we begin 2022, organizations face an emboldened world demanding greater accountability and trustworthiness. The recent steps taken by several countries to bolster their consumer privacy rights and processing activities (such as China’s Personal Information Protection Law) will have a far-reaching global impact on privacy rights and data protection practices.
People are more empowered than ever to exercise their rights, submit Subject Rights Requests (SRRs) and reclaim control of their information. They must want to understand how their data is used and to access, correct, delete, and restrict use.
For corporates, to meet these data-intensive demands and overcome a scarcity of resources to support key business activities, they must embrace process automation for SRR response and apply case management tools that best track performance and effectiveness. A well-executed program that delivers a strong experience will be critical to improve customer satisfaction and loyalty.
—Contributed by Andy Teichholz, Global Industry Strategist, Compliance & Legal, OpenText