Data privacy is no longer a nice-to-have security commodity, but a must-have commodity.
Like it or not, companies need to prepare for the General Data Protection Regulation (GDPR), because their customers and regulators expect it.
GDPR was highlighted as an issue when I spoke with Todd Wright, Global Leader of GDPR for SAS, a software analytics company.
SAS completed a survey of 500 US consumers in late 2018 that gauged how concerned consumers were about GDPR privacy rules.
“We wanted to obtain information about US consumer sentiment about privacy, especially in light of the new California data privacy laws,” said Wright.
Consumer privacy concerns
The California law, as in GDPR, speaks to consumer privacy issues including the right to be informed about what kinds of personal data companies collected and why it was collected; the right to request the deletion of personal information; and the right to opt out of the sale of personal information.
Wright said that SAS’s survey also confirmed consumer privacy concerns. Findings showed:
- 67% of consumers felt that the government should do more to protect data privacy;
- 66% of consumers said they had taken steps to secure their data privacy, such as changing security settings, removing social media accounts and declining terms of agreement; and
- 78% of baby boomers, still a major consumer group, were least willing to provide personal information in exchange for a discount or fewer ads.
“What we learned and what we feel is that minimally from an auditor’s standpoint, it is important to be able to verify that a company knows where all of the personal data that it has on its customers is located, and that the company also has policies in place to protect that data,” said Wright. “This data protection applies to both structured and unstructured data.”
At SAS, Wright continued, management understands that data privacy isn’t limited to technology; it is just as important to create cultural sensitivity in employees about how private information is handled.
“For example, an employee could be carrying personal customer data on his or her laptop,” said Wright. “If that is the case, you don’t want the employee to set the laptop down on a tennis court or in a coffee shop, leaving it unattended and vulnerable to theft. For this reason, we’ve made data privacy an integral part of our culture.”
How to prepare
How can CIOs prepare for GDPR and other similar regulations? See four suggestions below.
1. Aim for GDPR-level compliance
Even if your company is relatively small and never aspires to do business outside of the US, it’s a wise decision to shoot for GDPR-level compliance, because data privacy is no longer a nice-to-have security commodity. Companies must absolutely have it—or risk damage to their brands and reputations if a data privacy breach occurs that imperils their customers.
2. Reassess your current data governance
Data privacy should be incorporated directly into your governance policies and procedures. If it isn’t, do it.
3. Take the new California laws seriously
There is still confusion about how the new California privacy laws will be implemented and regulated. Companies doing business in the US should take these new laws seriously by positioning themselves to meet them.
4. Focus on your internal employee culture
In 2017, nearly 75% of security breaches were created internally in organizations. This makes creating a culture of privacy-sensitized employees imperative. Appointing data privacy champions in different departments is one way to build awareness. Another way is through the creation of data privacy policies that are trained and disseminated to the entire workforce.