Are GDPR and Other Privacy Regulations Enough?
Two years ago, the General Data Protection Regulation (GDPR) was introduced and hailed as the most significant change in data privacy regulation in two decades. Originating in the European Union, the GDPR replaced the original data protection directive and further empowered consumers across all EU member states to have a right to know what their data will be used for and give them the right to the erasure of this data. At the same time, the regulation imposes significant fines on organizations that do not comply.
While the U.S. does not currently have an overarching privacy law for data protection like Europe, we are seeing individual states making progress in this regard.
Earlier this year, for example, the well-publicized California Consumer Privacy Act (CCPA) went into effect. Nevada and Maine have also passed data security regulations and safeguards, while Connecticut, Louisiana, Massachusetts, North Dakota, and Texas have privacy task forces in place. Many other states are in the process of considering laws that protect data subject rights.
While the European Parliament’s march toward more stringent laws represents tremendous momentum and brings the importance of security measures to the forefront, these laws are not enough. Compliance requirements do not always specify how data subjects are to be protected; they simply lay out the required next steps and the potential consequences of a breach.
Like any law or mandate, privacy regulations set a baseline for behavior and decision making: a minimum for what organizations should be doing to protect their customers and employees. By focusing solely on “what’s required,” organizations can easily find themselves ping-ponging between compliance rules. And as history has proven, an organization or DPO that just checks compliance boxes is not following a strategy that eliminates breaches.
Thinking Beyond GDPR Compliance
What is truly needed to protect the sensitive data of EU residents is a shift in motivation and perspective. Instead of focusing on being GDPR compliant and defending against litigation and fines from a supervisory authority, more organizations now view security and privacy as the cornerstone of their most valuable customer commodity: trust. These companies are learning that security is a competitive differentiator that builds trust equity with customers, not a necessary evil.
To build that trust, organizations, with or without a data protection officer, should partner with cybersecurity solution providers that share the same dedication to privacy. Just a few years ago, half — yes, half — of all organizations experienced a personal data breach because of a business vendor or associate. Partners should be able to offer data protection solutions with features that ensure data is never in the clear, such as:
- Data tokenization: Substituting an element of sensitive data with a non-sensitive equivalent (a token) while the original value is stored separately. Only authorized users can redeem a token to recover (decrypt) the original data.
- Anonymization: Permanently altering personal data in such a way that it is untraceable to an identifiable person. Anonymization or data de-identification is like tokenization, but without the token.
- Masking: Replacing sensitive data with “decoy” data that looks authentic. For example, replacing a patient’s Social Security number (SSN) with a “fake” SSN in case data is exposed or stolen. Only authorized users have access to the real data.
- Homomorphic encryption: Allowing any user to compute functions over encrypted data without revealing the sensitive values inside it.
- Multi-party computation: Lets multiple contributors work on the same data simultaneously without any party revealing its sensitive data to the others.
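The first three techniques on the list are easy to confuse, so here is an added illustration (not code from the article or from any vendor it alludes to) showing the difference in behaviour: tokenization keeps a reversible mapping in an access-controlled store, masking produces a plausible decoy with no mapping back, and anonymization generalizes the record so that no individual can be re-identified. The `TokenVault` class, the in-memory dictionary it uses as a stand-in for a real vault, and the sample SSN and patient record are all assumptions constructed for the example.

```python
import random
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


@dataclass
class TokenVault:
    """Tokenization (hypothetical in-memory vault).

    The sensitive value lives only inside the vault; callers hold an opaque,
    randomly generated token that carries no information about the value.
    A real deployment would back this with an access-controlled, audited store.
    """
    _store: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # unpredictable, not derived from value
        self._store[token] = value
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        # Authorization is the whole point: an unauthorized caller with a
        # token (e.g. from a leaked database) learns nothing.
        if not authorized:
            raise PermissionError("detokenization requires authorization")
        return self._store[token]


def mask_ssn(ssn: str, seed: Optional[int] = None) -> str:
    """Masking: replace a real SSN with a decoy of the same shape.

    No mapping from decoy to original is kept, so the masked copy is safe to
    hand to test or analytics environments. `seed` exists only to make the
    example reproducible; production masking should use SystemRandom.
    """
    if not SSN_RE.match(ssn):
        raise ValueError("expected NNN-NN-NNNN")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    decoy = ssn
    while decoy == ssn:  # never return the real value by accident
        d = [str(rng.randrange(10)) for _ in range(9)]
        decoy = f"{''.join(d[:3])}-{''.join(d[3:5])}-{''.join(d[5:])}"
    return decoy


def anonymize(record: Dict[str, object]) -> Dict[str, object]:
    """Anonymization: drop direct identifiers, generalize quasi-identifiers.

    Name and SSN are removed outright; age becomes a ten-year band and the ZIP
    code is truncated to its first three digits. Nothing is retained that would
    let the output be linked back to one person.
    """
    age = int(record["age"])
    low = age // 10 * 10
    return {
        "age_band": f"{low}-{low + 9}",
        "zip3": str(record["zip"])[:3],
        "diagnosis": record["diagnosis"],
    }


def demo() -> Dict[str, object]:
    """Run all three on one constructed patient record and return the results."""
    record = {"name": "Jane Doe", "ssn": "123-45-6789", "age": 34,
              "zip": "94016", "diagnosis": "example"}  # constructed sample
    vault = TokenVault()
    token = vault.tokenize(record["ssn"])
    return {
        "token": token,
        "recovered": vault.detokenize(token, authorized=True),
        "masked": mask_ssn(record["ssn"], seed=7),
        "anonymized": anonymize(record),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway is which artefacts are safe to leak: a token or a masked value reveals nothing on its own, but a token store is itself a crown jewel that must be protected, while an anonymized record has no such dependency because the link to the individual was destroyed at the point of transformation.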
Data is often referred to as the new oil, as it has almost limitless uses, but it could also be seen as the new asbestos: if companies don’t use data responsibly, the consequences can be devastating. While we welcome the expansion of data privacy laws similar to the GDPR requirements, it is no longer just about the legal obligations attached to processing personal data, but rather about a philosophy that treats data and information security with extreme care, elicits trust, and prevents data exposure.
Portions of this article appeared in Forbes.