Are GDPR and Other Privacy Regulations Enough?
Two years ago, the General Data Protection Regulation (GDPR) was introduced and hailed as the most important change in data privacy regulation in two decades. Originating in the EU, GDPR gave consumers the right to know what their data will be used for and the right to be forgotten, while imposing significant fines on organizations that do not comply.
While the U.S. does not currently have an overarching privacy law, we are seeing individual states making progress in this regard. Earlier this year, for example, the well-publicized California Consumer Privacy Act (CCPA) went into effect. Nevada and Maine have also passed privacy regulations, while Connecticut, Louisiana, Massachusetts, North Dakota and Texas have privacy task forces in place. Many other states are in the process of considering laws that protect consumer privacy.
While this march toward more stringent laws represents tremendous momentum and brings the importance of privacy to the forefront, these laws are not enough. Privacy regulations do not specify how data is to be protected; they simply lay out the required steps and the potential consequences of a breach.
Like any law, privacy regulations set a baseline for behavior; a minimum for what organizations should be doing to protect their customers and employees. By solely focusing on “what’s required,” organizations can easily find themselves ping-ponging between compliance rules. And as history has proven, just checking compliance boxes is not a strategy that eliminates breaches.
Thinking Beyond Compliance
What is truly needed to protect sensitive data is a shift in motivation and perspective. Instead of focusing on compliance and defending against litigation and fines, more organizations are now viewing security and privacy as the cornerstone of their most valuable customer commodity: trust. These companies are learning that security is a competitive differentiator that builds trust equity with customers, not a necessary evil.
To support the facilitation of trust, organizations should partner with security providers that share the same dedication to privacy. Just a few years ago, half — yes, half — of all organizations experienced a data breach because of a business vendor or associate. Partners should be able to offer solutions with features that ensure data is never in the clear, such as:
- Tokenization: Substituting an element of sensitive data with a non-sensitive equivalent, the token, while the original value is kept in secure storage. Authorized users can use the token to recover the original data.
- Anonymization: Permanently altering personal data in such a way that it is untraceable to an identifiable person. It is like tokenization, but without the token.
- Masking: Replacing sensitive data with “decoy” data that looks authentic. For example, replacing a patient’s Social Security number (SSN) with a “fake” SSN in case data is exposed or stolen. Only authorized users have access to the real data.
- Homomorphic encryption: Allows functions to be applied to encrypted data without revealing the sensitive values it contains.
- Multi-party computation: Lets multiple contributors work on data simultaneously without revealing their sensitive inputs to one another.
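To make the first three list items concrete, here is an added example (not code from the article or from any vendor it alludes to) that applies tokenization, masking and anonymization to a constructed patient record. The vault is an in-memory dictionary and the authorization check is a boolean flag; both are stand-ins for what a real deployment would put behind a separately secured service.

```python
"""Added example: tokenization, masking and anonymization of one record.
Sample data is constructed; the vault and the authorization check are
simplified placeholders for a real, separately secured service."""
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Tokenization: swap a sensitive value for a random token and keep the
    mapping in a vault. The token carries no information about the value;
    only the vault, behind an authorization check, can reverse it."""

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:          # same value -> same token
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:       # collision guard
            token = "tok_" + secrets.token_hex(8)
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        if not authorized:
            raise PermissionError("detokenization requires an authorized caller")
        return self._token_to_value[token]


def mask_ssn(ssn: str) -> str:
    """Masking: replace an SSN with a decoy of the same shape so the record
    stays usable in test or lower-trust environments. Digits are random,
    so a leaked masked record reveals nothing about the real SSN."""
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    while True:
        decoy = "%03d-%02d-%04d" % (
            secrets.randbelow(1000), secrets.randbelow(100), secrets.randbelow(10000))
        if decoy != ssn:                           # never hand back the real value
            return decoy


def anonymize(record: dict) -> dict:
    """Anonymization: irreversibly drop direct identifiers and coarsen the
    quasi-identifiers (birth year -> decade, ZIP -> first three digits) so
    the output is no longer traceable to a person. No vault, no way back."""
    out = {k: v for k, v in record.items() if k not in ("name", "ssn", "email")}
    if "birth_year" in out:
        out["birth_decade"] = str(out.pop("birth_year") // 10 * 10) + "s"
    if "zip" in out:
        out["zip3"] = str(out.pop("zip"))[:3]
    return out


# Constructed sample record; every value here is made up.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
          "birth_year": 1984, "zip": "94107", "diagnosis": "J45"}


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Produce the three views: tokenized for the system of record,
    masked for a test copy, anonymized for a research copy."""
    return {
        "tokenized": {**record, "ssn": vault.tokenize(record["ssn"])},
        "masked": {**record, "ssn": mask_ssn(record["ssn"])},
        "anonymized": anonymize(record),
    }


if __name__ == "__main__":
    vault = TokenVault()
    views = protect_record(SAMPLE, vault)
    for name, view in views.items():
        print(name, view)
    print("detokenized:", vault.detokenize(views["tokenized"]["ssn"], authorized=True))
```

The three outputs differ in what can be undone: the tokenized view is reversible only through the vault, the masked view is never reversible but keeps the data shape, and the anonymized view has dropped the identifiers entirely, which is the distinction the list above draws between tokenization and anonymization.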
Data is often referred to as the new oil, as it has almost limitless value, but it could also be seen as the new asbestos: if companies don’t use the data responsibly, the consequences can be devastating. While we welcome the expansion of data privacy laws similar to GDPR, it’s not just about compliance anymore, but rather a philosophy that treats data with extreme care, elicits trust and prevents data exposure.
Portions of this article appeared in Forbes.