Data breaches have become mainstream security incidents, and each new breach seems to be more serious than the last. The magnitude of recent breaches has made data protection a much-discussed topic in the legislative sphere in recent years, sparking strict regulations like the EU’s General Data Protection Regulation (GDPR) and various others around the world — including the U.K., U.S., Australia, and China.
Details about these incidents are showing people the many different ways their personal information can be used or abused — for profiling, targeted marketing, outright identity theft, and much more. And they are growing more concerned about how companies collect and protect their personal data. Just this past year we’ve seen how companies can be careless with their data storage, lack proper and updated security, and play fast and loose with accessibility so that data is used inappropriately by third parties. This shows that, while most enterprises have developed and advanced their data collection and data use policies, security was not built into their operations.
The state of enterprise data security
The growing number of high-profile privacy incidents, along with the fallout from such attacks, has pushed enterprises to increase their spending on cyber security solutions. According to Gartner, worldwide cyber security spending will reach $96 billion this year, and more than 60 percent of organizations will invest in multiple data security solutions by 2020. Survey respondents shared that the main driving force behind these spending decisions is the risk of data breaches.
But deploying state-of-the-art security is only one facet of an effective and comprehensive data protection plan. Another important part is changing the actual approach to implementing privacy. Instead of being an additional feature, privacy must be top of mind from the outset of any plan or project involving personal data. Enterprises should incorporate privacy principles as early as the design phase of all technologies, processes, and systems — a proactive rather than reactive approach to risk.
How can businesses do better?
Organizations need to embrace the framework of privacy by design, wherein privacy and data protection concerns are anticipated and addressed from the start. Regulators worldwide have already recognized the merits of this approach, as demonstrated in recent regulations like the GDPR. Complying with regulations is a step in the right direction. Not only is GDPR compliance a must for those dealing with EU citizens’ data, but adhering to the rules also sets a good standard for any organization collecting and processing personal data. Enterprises that want to integrate privacy fully into their infrastructure should also take note of important data privacy principles promoted by the GDPR: data minimization and pseudonymization.
Data privacy starts with clearly defining two things: the types of personal data to be collected, and the purpose for the data. Some organizations are collecting more data than they really need, and using it for purposes not clearly outlined for the user. One way to avoid this situation is through data minimization — collecting only what is needed from customers, using the data for only the purposes agreed to by the user, and adhering to appropriate data retention policies or deleting data once the purpose has been served.
Pseudonymizing data, on the other hand, makes personal data incapable of directly identifying an individual. The only way it can be linked to a unique individual is by combining it with other pieces of data stored and protected separately. This means that organizations can still process personal data and continue providing services to customers, while protecting their right to privacy.
Both principles can be implemented as concrete data privacy measures, and both can guide decisions throughout the design life cycle.
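A minimal implementation of the two principles described above, added here as an example rather than code from the original article: a per-purpose field allowlist and retention period for data minimization, and a keyed HMAC pseudonym whose key and re-identification table are held separately from the pseudonymized records. The purposes, field names, retention periods, key and sample record are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Data minimization: the fields each declared purpose actually needs.
# Purposes, field names and retention periods here are constructed examples.
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "shipping_address", "order_total"},
    "usage_analytics": {"customer_id", "plan", "last_login"},
}
RETENTION_DAYS = {"order_fulfilment": 365, "usage_analytics": 90}

def minimize(record, purpose):
    """Keep only what the stated purpose needs (plus the collection date,
    which the retention check relies on); everything else is never stored."""
    keep = PURPOSE_FIELDS[purpose] | {"collected_on"}
    return {k: v for k, v in record.items() if k in keep}

def pseudonymize(record, key, lookup, field="customer_id"):
    """Replace the direct identifier with a keyed HMAC-SHA256 pseudonym.

    The pseudonymized record on its own identifies nobody. The secret `key`
    and the `lookup` table (pseudonym -> real identifier) are the pieces that
    must be stored and protected separately; only their holder can re-identify.
    A keyed HMAC rather than a plain hash stops anyone without the key from
    recovering identifiers by hashing guessed values."""
    real_id = record[field]
    token = hmac.new(key, real_id.encode(), hashlib.sha256).hexdigest()
    lookup[token] = real_id
    out = dict(record)
    out[field] = token
    return out

def reidentify(record, lookup, field="customer_id"):
    """Join a pseudonymized record back to its subject via the separate lookup."""
    return lookup[record[field]]

def purge_expired(records, purpose, today):
    """Retention: keep only records still within the purpose's retention period."""
    limit = today - timedelta(days=RETENTION_DAYS[purpose])
    return [r for r in records if r["collected_on"] >= limit]

# Constructed sample record; a real key would come from a separate secret store.
KEY = b"demo-key-kept-in-a-separate-secret-store"
SAMPLE = {"customer_id": "C-1001", "email": "ada@example.com", "plan": "pro",
          "shipping_address": "1 Main St", "order_total": 42.50,
          "last_login": "2018-05-01", "collected_on": date(2018, 1, 15)}
```

Running `pseudonymize(minimize(SAMPLE, "order_fulfilment"), KEY, {})` yields a record with no email or plan field and a 64-character hex customer_id that only the holder of KEY and the lookup table can map back to C-1001.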
Committing to privacy by design
To fully employ the idea of privacy by design, enterprises should first categorize the data they are collecting and map its flow. This builds the context needed to design the specific security solutions that must be set up within the organization. After understanding their data, enterprises should embed privacy controls at each layer of the infrastructure, down to the applications used.
Here are some design guidelines to keep organizational and customer data secure:
- Enterprises should enforce strict authentication and authorization mechanisms on devices and applications to verify who can access data. Flaws in these areas are commonly exploited by hackers to steal data, or even to abuse app functionality (bypassing PIN codes, injecting malicious code, and other attacks). Enterprises should also impose strict access policies, for example setting up remote access through a virtual private network (VPN), putting up firewalls, and ensuring that any libraries or databases connected to apps are secure.
- Enterprise development teams should build layered privacy into their applications. Teams should strengthen encryption and secure an app’s network connections. Some apps can also benefit from application containerization, where apps are deployed in a contained environment, such as a virtual machine.