The technology boom of the previous few decades produced a big data economy to which the price of entry was individual personal data. After a seemingly unending series of breaches and scandals around the gross misuse of personal data - the backlash has arrived.
The privacy violations and data mishandling of various business giants have incurred massive public outcry and bottom-line damages. When Facebook was found to have enabled Cambridge Analytica to manipulate personal data in the 2016 US election, the tech giant’s stock fell by over $130 billion.
Consumers want their privacy back. A new Cisco study reveals that 90 percent of consumers wouldn't use products and services that couldn’t protect their data. An overwhelming majority, 91 percent, added that external privacy certifications directly impinged on their buying process.
The market is responding too. When Apple upgraded its iOS in 2021, it gave users the ability to prevent data harvesters from tracking them across the apps they used. That single update sent shockwaves through the digital realm and ultimately cost major social media sites $10 billion in lost revenue.
Perhaps the biggest risk to the financial health of a company when it comes to privacy, however, is the regulator. The last few years have seen regulation pick up steam in new ways. Perhaps the best example is the General Data Protection Regulation (GDPR), The EU’s landmark law sets out baseline requirements for the handling and protection of personal data and threatens large fines for those that don’t comply.
GDPR claims dominion not just over the 32 countries that make up the EU membership, but wherever the data of a European citizen is being processed, giving it a potentially global remit.
Consent
One of the GDPR’s foundational principles is the right to personal privacy and the ability of individuals to control the use and processing of their data via a legal principle called Consent. Specifically, Consent refers to the necessity of data processors getting the clear and unambiguous permission from data subjects to process their data. At any time, the data subject may withdraw that consent and request for it to be deleted. They may also demand that their data be altered or inquire as to what data is being held on them and for what purpose it is being processed.
Many of the GDPR’s largest fines have been issued around consent violations. In August 2021, Amazon was handed the largest fine ever of €746 million, after regulators decided that the online retail giant’s advertising practices didn’t conform with GDPR’s consent requirements. Earlier this year, French regulators fined Facebook and Google €60 million and €150 million respectively for failing to attain proper consent in their cookie issuance processes. In March, Swedish regulators fined dating app Grindr €6.5 million for selling user data without their consent.
Data protection regulation has accelerated around the world. There are now significant data protection regulations passing through over 100 countries in the world - many of them are based on, or mirror, the GDPR.
The Australian Privacy Act, for example, states that compliant organisations have to ensure that they can track, store, protect, produce and alter personal information upon request. Those who violate compliance can be fined up to 10 million Australian Dollars.
China’s 2021 Data Security Law (DSL) has its own consent provisions in which the data subject may demand the deletion of their data and can refuse their data being handed over to third parties. Severe non compliance can result in fines of up to $1.5 million and even criminal penalties.
The Singapore Personal Data Protection Act was passed in 2012, and has since undergone significant amendments. The law mirrors many of the requirements of the GDPR - including requirements for adequate protection of personal data and the attainment and alteration of personal data on request of the personal data subject. Much like its global counterparts - it also threatens significant fines.
These are just a few examples of the privacy regulations that are sweeping - if not already present - around the world. In a global economy, many enterprises will have to comply with at least one of them.
Although they vary in details - many share the same focus on personal privacy and personal agency in data handling. Complying with them necessarily requires a command over data that many cannot meet.
For many, mounting regulatory regimes requires a thorough uprooting of the way businesses and other organisations handle data. The question is how to take this chaotic pile of data - that could be stored in all manner of ways - in images, documents, and emails among others - and make sense of it.
Organisations need a solution which can firstly find their data, organise it and help them make sense of it. Only then can they start complying with the rising tide of privacy regulation.
Data Discovery
Discovery is the first process that complying organisations will have to undergo. This stage allows organisations to understand where their data lies and what types they possess. Discovery starts with the establishment of a particular goal. That may be compliance - but could also cover a variety of resilience and security purposes.
Organisations will then have to start to understand where and how their data is stored - on premises, on third party servers or in the cloud. While they might already know the location of structured data such as a primary customer database store, unstructured data will have to be hunted down too - such as in stray files and emails. This process will produce new insights as to the nature of that data and critically, help you build its risk profile.
Data Classification
Once an organisation’s data has been discovered it can then be categorised across a variety of metrics. Those metrics could be organised according to the sensitivity of data or its level of potential personal identification.
Many compliance regimes explicitly list those distinctions and complying organisations should keep them at the centre of their focus. For example - low risk data will likely already be available to the public - such as job postings or a marketing brochure. Meanwhile Medium risk data will refer to internally circulated data which - if it were leaked - would potentially cause a low degree of harm upon the organisation that uses it such as a confidential price list.
High risk data - on the other hand - is data that will either cause a high degree of harm to the organisation or materially damage the personal privacy of those whose data is held by that organisation. It’s this kind of data which needs extensive protection such as anonymisation and encryption.
That classification process will allow you to properly allocate resources to protect sensitive information where it lies, and mitigate privacy and compliance endangering risks. This should be the first step in a continuing process of data discovery and classification which will help to verify whether your organisation is storing its data in a secure and compliant manner.
Privacy can no longer be a reactive afterthought. The market is more than willing to punish those who think of it that way and consumers are making it a fundamental basic requirement in their purchasing choices. If that’s not enough, regulators are forcing companies to respect personal privacy with a variety of laws which threaten significant fines and, in some cases, criminal charges. Privacy needs to be paid attention to, because if companies don’t then markets and regulators will.