The Data Care Act is the latest privacy bill aiming to require companies that collect personal data from users to take reasonable steps to safeguard that information.
Oftentimes, data security is top of mind for CISOs and enterprise security teams, and perhaps rightfully so given the implications of costly breaches and ongoing news headlines. But as data continues to be important in winning in the digital economy, data privacy is growing exponentially in importance.
“In today’s digital economy, personal data is everywhere, and those who have access to Americans’ sensitive information have a responsibility to protect that information and keep it private,” said Senator Edward Markey (D-Mass.) in a press release. “It is time for Congress to enact comprehensive privacy legislation, and the Data Care Act would be an important part of that effort.”
Under the act, data collectors would be required to reasonably secure individual identifying data, to promptly inform users of data breaches and to not use individual identifying data in a harmful way. These requirements also extend to third parties when disclosing, selling or sharing sensitive user data, and if the bill becomes law, the Federal Trade Commission would be in charge of enforcing this.
While data security and privacy are related as part of broader risk management practices, data privacy oftentimes tends to get left behind. Data security is all about ensuring that only the right people have access to data. It has to do with keeping bad people out and good people in, whereas data privacy is all about mitigating the inherent risk within the data itself, in the event that humans or systems fail.
CISOs and Chief Data Officers oftentimes don’t have a coherent risk management view of data within their organizations. Only 22 percent of information management professionals are confident in their organization’s approach to privacy, according to a survey conducted by ZL Technologies, Inc.
As data goes into, across and out of companies, understanding what data is being gathered and why, how that information is being conveyed to customers both clearly and transparently as well as empowering consumers to manage that information is critical to mitigating risk.
Internally, companies might not care about their analytics teams getting access to customer purchase data, but they probably would care if that same team got access to customer credit card information. Furthermore, if that customer purchase data were sold off to a marketing firm that has analytics capabilities, that external firm could potentially use that information to produce forward-looking revenue information about the company.
There are all kinds of ways that sort of information could carry risk when it moves between internal and external environments. But by and large, if you give the wrong people access to data, the bigger risks you could encounter involve irreparably damaging your brand and customer loyalty and trust in a way that you may never recover from, as well as getting hit with massive regulatory fines, especially in the era of GDPR and CCPA.
Unlike security, data privacy is much more about what risk is carried within the data itself, independent of who accesses it, because as data moves, the security controls and the people who have access to it are going to change.
Understanding where data is going and what risk it’s carrying, and what you’re trying to protect is super important.
If you care about data privacy, it’s critical to mask data as it flows out of production and into non-production environments. In order to do that, map out the flow of critical data in your enterprise, including everything that presents risk to your business. Make sure you have an end-to-end view of everywhere the data comes from and everywhere it goes.
From there, optimize the people, process and technology around managing that flow. You’ve got to change the culture and the way people think about how data moves between systems or between users, and that is the point where risk analysis comes into play. The risk assessment will help you better understand what needs to be done to mitigate risk as data flows out of production.
The biggest challenge is you’ve got to be able to do it in a way to continuously deliver that data and manage change within that data.
Look at your critical data and understand how it’s flowing out of production. Put in the people, process and technology to continuously deliver de-identified data into your non-prod systems, and that’ll radically change your risk profile.
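As an added illustration of the de-identification step described above (example code written for this article, not part of the original post or of any Delphix product), the following Python applies a per-column masking policy to records leaving production. The column names, the key and the sample orders are constructed for the example; identifying fields get a keyed, deterministic token so joins between tables still line up in non-prod, card numbers keep only their last four digits, and any column without a policy is rejected rather than passed through.

```python
import hashlib
import hmac
import re

# Constructed example key. In a real deployment the key would come from a
# secrets manager and never ship to the non-prod environment (assumption).
MASKING_KEY = b"example-non-prod-masking-key"

# Illustrative masking policy, keyed by column name (names are made up).
POLICY = {
    "customer_id": "pseudonym",   # identifying; tokenize but keep joinable
    "email": "pseudonym",         # identifying; tokenize but keep joinable
    "card_number": "last4",       # identifying; keep only last four digits
    "order_total": "keep",        # analytics value with no identifying content
    "product_sku": "keep",
}


def pseudonymize(value: str) -> str:
    """Keyed HMAC token: the same input always yields the same token, so
    referential integrity across tables survives, but without the key the
    token cannot be mapped back to the original value."""
    digest = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_last4(value: str) -> str:
    """Replace every digit except the last four with an asterisk."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict) -> dict:
    """Apply POLICY to one record; fail closed on columns with no policy."""
    out = {}
    for column, value in record.items():
        action = POLICY.get(column)
        if action is None:
            raise ValueError(f"no masking policy for column {column!r}")
        if action == "keep":
            out[column] = value
        elif action == "pseudonym":
            out[column] = pseudonymize(str(value))
        elif action == "last4":
            out[column] = mask_last4(str(value))
    return out


def mask_dataset(records: list) -> list:
    return [mask_record(r) for r in records]


# Constructed sample of production order rows.
SAMPLE_ORDERS = [
    {"customer_id": 1001, "email": "ann@example.com", "card_number": "4111 1111 1111 1111", "order_total": 42.5, "product_sku": "SKU-7"},
    {"customer_id": 1001, "email": "ann@example.com", "card_number": "4111 1111 1111 1111", "order_total": 9.0, "product_sku": "SKU-2"},
    {"customer_id": 1002, "email": "bob@example.com", "card_number": "5500 0000 0000 0004", "order_total": 120.0, "product_sku": "SKU-7"},
]
```

Running `mask_dataset(SAMPLE_ORDERS)` shows the two orders from the same customer still share one token, so purchase analytics in non-prod remain possible without exposing the email or full card number.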
What do you risk by not securing sensitive data? You can lose customer loyalty and trust in a way you can’t recover from, which in turn diminishes your brand equity and reputation as well as your ability to keep up with the market, charting a course for a downward spiral.
Data privacy will be one of the major defining characteristics between winners and losers across industries, especially as data continues to grow and regulations continue to become forcing functions that demand and require companies to get a better handle on consumer data.
Remember, data privacy is not black and white. You can’t just check off a box. You have to figure out ways to lower the risk level from one point to another and accept the fact that you’ll never get to zero risk. What level of investment are you willing to put in to achieve that?
Connect people and data, securely. Learn how the Delphix Data Platform can help you achieve regulatory compliance with an enterprise-wide approach to data virtualization and data masking capabilities that can help deliver your data securely and rapidly.