“Data is the new oil” is an over-used quote these days, but unfortunately it is true, and it captures the philosophy underlying any information security implementation.
The push towards digitization across the globe means that industries like retail, healthcare, F&B, etc. have moved a significant share of their business and services online. This requires consumers to share their personal or sensitive data (e.g. card numbers, Social Security Numbers, health records, identification data, etc.) through these online channels. All this sensitive data attracts hackers and malicious users like bees to honey, since a database containing sensitive data sells for a lot of money on the darknet.
So, protecting and maintaining the privacy of this data becomes a primary responsibility of any organization. The industry sums up this responsibility in a single term: “Data Privacy”.
Considering the criticality and sensitivity of Data Privacy, governments across the world have provided guidelines to regulate the handling and protection of this data by the organizations under their respective jurisdictions. Following are some of the well-known privacy acts across the globe:
- Philippines – Data Privacy Act of 2012
- Singapore – Personal Data Protection Act 2012 (PDPA)
- Europe – General Data Protection Regulation (GDPR)
- UK – Data Protection Act 2018
- US – HIPAA (covers health information; there is no single federal privacy law)
- India – Personal Data Protection Bill 2019 (not a law yet)
In the US, along with HIPAA, state-level privacy acts such as the California Consumer Privacy Act (CCPA), Nevada SB 220, the Massachusetts Data Protection Law, etc. are additionally imposed.
All these regulations are very extensive and require Subject Matter Experts like ControlCase to help navigate their implementation and maintenance. However, the following best practices can be used as a ready reckoner by any organization to start its journey of “Maintaining Data Privacy”:
- Collect and store only the information that is strictly required to complete the respective business operation, and avoid collecting unnecessary additional personal information (data minimization: data you never hold cannot be breached).
- Ensure that the data privacy system’s architecture and implementation are finalized after engaging Subject Matter Experts to identify the best approach for the organization. The approach may vary from one organization to another based on the number of records, the extent of exposure, the likelihood of attacks, etc.
- Ensure consumer consent is acquired prior to the storage of any personal or sensitive information.
- Ensure procedures are in place to remove all the data of any consumer who exercises their right to be forgotten (the right to erasure), including copies held in backups, exports and with third-party processors.
- Ensure that the site has a section describing the controls in place and the regulations adhered to in order to protect personal data, as assurance to consumers.
- Run a company-wide data discovery scan to identify known and unknown locations where sensitive/personal data is stored (file shares, databases, logs, backups and ad-hoc exports are common unexpected locations).
- Ensure encryption controls are present for the transmission (e.g. TLS) and storage of sensitive or personal information, backed by strong key management (keys stored separately from the data they protect, with defined rotation and access procedures).
- Follow security best practices such as role-based access control, two-factor authentication for access to production systems, IDS/IPS monitoring, system hardening and application of the latest patches, and removal of obsolete system components.
- Conduct annual third-party assessments/audits with SME audit companies like ControlCase to validate the organization’s data privacy and security posture against the applicable data privacy regulations and confirm adherence.
- In case of gaps or vulnerabilities, take assistance from the SMEs to come up with a Corrective Action Plan.
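As an added illustration of the data discovery step above (this is example code written for this page, not ControlCase tooling or anything from the original article), the Python below scans a set of "files" for two common kinds of sensitive data: payment card numbers (PANs) and US Social Security Numbers. Pattern matching alone produces a lot of noise, so each PAN candidate is confirmed with the Luhn check digit and each SSN candidate is checked against the structural rules for numbers the SSA never issues. The sample inputs are constructed: the card number is the widely published Visa test PAN and the SSNs are synthetic. Findings are reported with only the last four digits so that the scan report does not itself become a new copy of the data.

```python
"""Minimal sensitive-data discovery scanner: pattern match + validity checks."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "files" standing in for content found on a scanned share.
# The card number is the widely published Visa test PAN and the SSNs are
# synthetic; none of this is real customer data (hypothetical inputs).
SAMPLE_FILES: Dict[str, str] = {
    "exports/orders_2023.csv": (
        "order_id,customer,card\n"
        "1001,alice,4111 1111 1111 1111\n"   # passes Luhn -> reported
        "1002,bob,4111111111111112\n"        # fails Luhn -> ignored
    ),
    "hr/onboarding.txt": (
        "New hire: Carol, SSN 219-09-9999\n"  # plausible SSN -> reported
        "Invoice ref 000-12-3456\n"           # area 000 is never issued -> ignored
    ),
    "docs/readme.txt": "Nothing sensitive here, ticket id 123456.\n",
}

# PAN shape: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# SSN shape with the structural rules for numbers the SSA never issues:
# area 000, 666 or 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str      # "PAN" or "SSN"
    masked: str    # only the last four digits survive into the report


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; rejects most random 13-19 digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's content line by line and return masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding(path, line_no, "PAN", masked))
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, line_no, "SSN", "***-**-" + m.group()[-4:]))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> content; in practice, read these from disk."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.masked}")
```

Against the sample data this reports one PAN on line 2 of the CSV export and one SSN on line 1 of the onboarding note, and stays silent on the Luhn-invalid card number, the never-issued SSN area and the plain ticket id. To use it on a real share, walk the directory tree and feed each file's text to `scan_text`; database tables, compressed archives and binary formats (PDF, Office documents) need their own extraction step first, which is where purpose-built discovery tools earn their keep. Regex-plus-checksum discovery still yields false positives and misses data stored in non-standard forms, so treat the output as a starting inventory to be verified, not as proof of absence.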
The above basic implementations should be a top priority, because a breach resulting from non-adherence to the regulations would lead to:
- Bad press and loss of reputation for the organization
- Heavy sanctions running into millions of dollars (under GDPR, for example, fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher)
So, start with the basics of our ready reckoner and engage with an SME to work on your Data Privacy journey. Because, as our tagline says, “It’s All Private!!!!”
This concludes the first part of this series; stay tuned for the next articles, which will dissect Data Privacy further in plain English.