Data privacy has climbed the boardroom agenda in recent years as executives are increasingly alarmed by high-profile examples of companies that have suffered breaches, resulting in exposure of their customers’ sensitive, personally identifiable information.
The last ten years have seen enormous data growth. According to analyst firm IDC, the amount of data in the world more than doubled every two years throughout the decade to reach around 40 trillion gigabytes this year, and the rate of growth will continue to accelerate. During that time, the data organisations hold has become something they add to their balance sheets and leverage to support their overall valuation as a business.
The 2010s was also the decade many companies lost the trust of customers because of the way they handled, or mishandled, their sensitive data. Introduction of the General Data Protection Regulation (GDPR) prompted many people to recognise digital versions of themselves are for sale.
Yet while these issues certainly saw data privacy appear on the board’s radar, organisations still fail to distinguish between data privacy and data security. Companies have been discussing and purchasing solutions to deal with data security for many years now, but understanding the difference between security and data privacy could help them see why, despite their large investments, breaches continue to occur.
“When boards start to discuss what their data privacy programme is, the answer often comes back as data security,” says Kevin Coppins, president and chief executive at Spirion, which provides data discovery and classification tools to help companies protect sensitive personal data.
“Understanding that you can have data security without data privacy is relatively new. Data privacy has to have a strong cultural element to it.
“If somebody breaks into your organisation and steals last week’s lunch menu, nobody cares. If somebody breaks into your organisation and steals all your partners’ and employees’ data, suddenly it makes a headline. Although people have done a pretty decent job at data security, the pace at which external and internal bad actors can steal data has outpaced what you can do from a security standpoint.
“New regulations are now forcing organisations to recognise that some data is different and breaches occur because of the speed at which sensitive data replicates. It doesn’t just live in a particular database; it lives in every nook and cranny of your organisation and is replicated across cloud servers as fast as the eye can blink. The threat surface has grown exponentially and there hasn’t been the same focus on sensitive data components as there has been on building security around the perimeter.”
Approaching data privacy in the right way requires a culture shift driven from the very top of the business. Firstly, there must be a recognition that the true victim of a data breach is not the company; it’s the person whose records were stolen. Breaches can be personally devastating, so the anonymising of victims of data breaches is something that needs to end and the personalisation of breaches needs to begin.
Approaching data privacy in the right way requires a culture shift driven from the very top of the business
Secondly, C‑suite leaders need to shoulder not only the financial responsibility of any data breach, but also the resulting reputational damage and loss of customer trust. That trust, once lost, is very difficult to regain and, if customers are no longer granting access to their data, companies will soon lose their competitive edge. Reputational damage has a far longer-lasting effect than the financial cost of a breach.
“Getting an organisation to understand and personalise data privacy is the responsibility of the C‑suite because that’s who drives culture,” says Coppins. “It needs to be personal. It is the person in the office cube next to you and their kids whose information was stolen, and they will be impacted for the rest of their lives. It isn’t just a process or a technology; it’s a culture of respecting this concept of privacy and understanding digital privacy is the same as personal privacy.
“At Spirion, data privacy is part of who we are, and until C‑suite execs understand the value of reputation and trust, a culture of data privacy is not going to purvey through the organisation and they’ll continue to treat any data as any data. A lot of responsibility lives there and it’s much more important than setting out a policy or buying a few different vendor tools to say we care about privacy. A cultural shift must happen.”
Spirion’s technology enables organisations to discover and validate the location of personal information in their information ecosystem, and then classify and control it according to the data protection mandates they’re subject to, such as the CCPA (California Consumer Privacy Act), GDPR or even specific contracts. This enables companies to get the big picture of how data flows through the organisation, and gain real command and control over that data.
The company enables organisations to meet the requirements of new data protection laws because creating a data inventory is so fundamental to compliance. It’s also central to creating a successful data protection programme. In terms of technical security controls, data classification is foundational to other controls, such as data loss prevention and next-generation firewalls to enforce an organisation’s data protection standards.
“Despite the view that breaches are always a result of bad actors, much of the danger to personal data is simply from organisational insiders who mishandle data and expose it to the world,” says Scott Giordano, vice president and senior counsel, privacy and compliance, at Spirion.
“Data classification is hugely important, not only to identify sensitive data, but also to help companies build the right culture. Unless personal data protection is engrained in the culture, all the money in the world will not help. The old saying about culture eating strategy for breakfast couldn’t be more pertinent.”
For more information please visit spirion.com
