Keeping your data private in five simple steps
Happy Data Privacy Day - May you be content in the knowledge that all your personal data is safe!
Ah yes, that might not be so easy. After all, earlier this month it was reported that over three quarters of a billion unique e-mail addresses, used as login names, had been exposed in a breach along with the passwords associated with them.
Inside our company, we recommend that people strengthen their password practice by using a unique password for each site and keeping those passwords in a password manager. Internally, we also no longer rely on a username and password alone; a second factor is required too.
This has led to some thoughts about data privacy, particularly in the light of last year’s experiences with the introduction of the biggest Data Privacy legislation in the world - GDPR. Here are a few that might help you:
1. Ask an IT staffer “what is data privacy?” and they will tend to talk about security. Ask a business person and they might talk about policies and procedures. The point is that it is both. Companies that get their IT and business sides to work together on data privacy will tend to protect data best. I was quite surprised at how little terms like Data Processor were understood by legal people, in the context of how client companies actually operated. They would be genuinely grateful if someone technical could show them how to differentiate between Data Processors and the other Data Controllers with whom the company shares data - it’s kind of important if you want to be legally compliant with GDPR. Equally, good co-operation between business and IT on policies such as data retention and deletion can result in the best form of data protection – properly deleting what is no longer needed, which makes it safe from every attacker.
3. Ask whether you have a review date on your policies (Virtual Clarity do). The policies don’t only need to be fresh in people’s minds; they also benefit from being refreshed and continuously improved. It’s rare to get something perfect first time and there was a lot of tactical ‘jamming’ done around GDPR. Take the chance to review and advance - and don’t forget that the threat landscape is constantly changing.
4. Ask again whether you know where the personal data you hold is being kept. New systems come online. The business adopts new services from third parties. Has anything changed in terms of international transfers? Remember, data residency laws to protect personal data are tightening too.
5. Ask about how your company detects security breaches and handles them. I wrote a blog about this last year on the next steps after GDPR. At the risk of self-promotion, I do recommend another look - and if you did read it, I’d love to know if it helped!