How Private is Your Data?
Prabhuraj Patil, Commercial Director, Physical Access Control Solutions, South Asia, HID Global
The world is expected to produce and consume 94 zettabytes of data in 2022 - an amount that will skyrocket to 463 zettabytes per day by 2025 (Raconteur, 2020). It’s an almost unfathomable volume of information, to which each Internet user contributes about 1.7 megabytes per second, or nearly 147,000 megabytes per day.
Yet very little of that data is safe from prying eyes and bad actors. By the end of 2022, cybercrime will carry an expected cost of $6 trillion, rising to $10.5 trillion by 2025. It doesn’t have to be this way, however. About 80% of data breaches could be prevented with good cyber hygiene practices and education, particularly considering recent findings that about 97% of people cannot identify a phishing email, leaving 1 in 25 to click on them and open themselves and their data up to cyberattack.
Leaving things to chance is simply not an option, as cyberattacks have emerged as the fastest growing crime worldwide, led in the U.S. by phishing (38%) and network intrusions (32%).
Thus, in the world of data privacy, knowledge is power and regulatory compliance is paramount.
Privacy vs. Security
While data privacy and data security are related, understanding the differences is the imperative first step toward keeping the personally identifiable information (PII) hackers and other bad actors covet safe from harm.
Data security is the process by which PII is kept safe from breaches, cyberattacks and other unauthorized access. It refers to the actions taken to ensure data is accurate, reliable, available to authorized users, and safe from accidental or intentional disclosure. Data privacy, on the other hand, refers to governance – the policies and procedures that dictate how data is collected, stored, and shared.
Privacy Regulations
Worldwide, data privacy mandates are piecemeal at best. The United States, for example, does not have federal regulations governing data protection; rather, individual states are passing laws to protect their own citizens. This creates a complex compliance web for organizations that operate in multiple jurisdictions. The European Union (EU), on the other hand, has enacted what many consider to be the toughest and most far-reaching privacy and security laws in the world. The General Data Protection Regulation (GDPR) applies to any company or organization that markets goods and/or services to EU residents, regardless of its country of origin. The GDPR is built upon seven key principles – lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability – that guide how PII is handled. Failure to comply can result in massive financial penalties, as Amazon discovered when it was hit with a €746 million (~$776 million) fine for carrying out targeted advertising without proper consent. WhatsApp was hit with a €225 million (~$234 million) fine for transparency violations.
Shared Responsibility
While laws and reputations can force companies and other organizations to protect PII, there remains a level of personal responsibility not only to understand risks but also to practice proper cyber hygiene rather than relying on the data privacy and security policies and procedures of others. At its most basic, good cyber hygiene is protecting what you share online, for example not advertising your planned vacation on social media and taking care not to post photos or other documents that might inadvertently reveal PII. Truly effective cyber hygiene goes beyond what you share to ensure your data is safe regardless of where and how you store it. Understand the encryption levels available for personal computers, smartphones, and any other connected device, and devise strong passwords that are changed frequently. Keep software updated, which helps close any security gaps that developers have been made aware of.
The organizations that collect, store, and share PII are equally responsible for data privacy. Regulatory compliance – while important – should be considered the PII protection floor in most cases. It is imperative to gain a comprehensive understanding of an organization’s privacy and security practices before entrusting data to it.
Building Data Trust
KPMG shares several recommended actions organizations can take to shore up what it has identified as the four anchors of trusted analytics: quality, resilience, effectiveness, and integrity. These actions are:
Assess trust gaps by performing an initial assessment to see where trusted analytics are most needed and can therefore be the primary focus.
Clarify and align goals so the organization’s purpose for collecting data and running analytics is clear for all involved. An important aspect of this goal setting is to measure performance and impact and share that information with users.
Raise awareness of data and analytics to increase internal engagement among users, including creating a team of decision-makers and IT/business leaders for collaboration.
Build organizational expertise in analytics quality assurance.
Improve and encourage transparency by enabling independent assessments by creating cross-functional teams, third-party reviews, peer reviews, and stronger quality assurance processes.
Build ecosystems that eliminate silos and examine the value and risk that data and analytics can bring to the organization and create cross-departmental teams to build data and analytics communities.
Develop a model for innovation and incentivize employees and teams for innovative processes.
By taking a proactive approach to hardening these anchors, organizations can build an environment of trust in their data privacy and security.
Function over Form
Ultimately, the most important consideration when determining the privacy and security of PII is just how high a priority it is for any organization that touches the data. More user-friendly options are attractive, but they should not outrank system privacy and PII protection.
Data, especially personal data, is of enormous value to the organizations that control it, and its protection should be paramount. That is why individuals have the right to understand how well their data is safeguarded by those to whom it has been entrusted. Most importantly, when the organization “borrowing” their data is not sufficiently transparent about its use and protection protocols, the owners have every right to be forgotten – to have their personal data deleted or “erased” upon request.
The best protection is to ensure PII is shared with only those who place the highest priority on its safety.