Data Privacy Day: 5 data privacy practices every business should know
Increasing and evolving cyber threats and data privacy regulations such as General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) are prompting businesses to pay greater attention on data privacy, a subset of data protection that deals with the proper and correct handling of data with a strong focus on compliance with data protection regulations.
According to a January 2023 report by the United Nations Conference on Trade and Development (UNCTAD), in 2022, 137 out of 194 countries have passed legislation to secure data and privacy protection. Of them, 15% still do not have a legislation and only 9% have a drafted legislation.
Despite more business activities taking place online, a lack of awareness and technical insight into data privacy remains a core concern for several industry thought leaders as organisations become increasingly exposed to data privacy concerns and regulations. With that said, here are some pointers from experts that could help organisations make progress on their own data privacy initiatives.
Having a transparent privacy policy
One of the most important step in this direction is to have a transparent data privacy policy - a document that explains how an organisation handles any customer, client or employee (data) information gathered in its operations. Technology companies who collect data online must publish a privacy statement to notify users regarding the types and uses of data that is gathered and if data may be left on a user’s computer, such as cookies. “Data privacy policies play a vital role of all business strategies, regardless the size of the company,” said Peter Waters, Senior Vice President, Legal at digital infrastructure firm, Equinix.
He added that the policy should be clear, direct, and easy to understand, with minimum technical jargons. It should comply with privacy laws of one’s own country and also the countries in which the company does business with. Organisations could also adopt compliance verification, such as know your customer (KYC) framework, which helps decrease the amount of data that organisations store.
Checking company's security policy
Security and privacy are inter-related, and weak security policies can inadvertently raise privacy concerns for organisations. “With data becoming the foundation of everything we do, organisations must embed data protection and privacy deeply into their culture and ongoing operations,” said Samir Kumar Mishra, director of security sales, at IT networking firm Cisco India & SAARC.
Moreover, as threats continue to intensify, businesses looking to better protect customer data should consider how well they can validate their security policies, preparedness, and response, he said.
Vishak Raman, Vice President for Sales in India, SAARC and Southeast Asia, at cyber security firm Fortinet, added that it is important for every organisation to have a documented and tested data breach response plan to be prepared for existing data privacy regulations or others on the near horizon.
Using strong passwords
Studies have shown time and again that a sizable number of data breaches were results of easy-to-crack passwords. And not just common users, a whopping number of the world’s CEOs and business owners, according to a report published by NordPass in November 2022 use weak passwords, such as “123456”, “password”, “qwerty” and the like. It is mandatory to use strong passwords of at least 12 characters, with a mix letters, numbers, and special characters that’s unique and difficult for others else to guess. That said, it should still be memorable to you in order to reduce the risk of you writing them down.
Raman said that organisations should use password protection, such as multifactor authentication and password managers, to secure confidential emails and data. Besides, users are moving towards passwordless authentication now, a method of verifying a user's identity without the use of a password such as biometric signatures, a secret token delivered via email or text message, cryptographic keys or PINS to verify users.
Training employees on data privacy
Employees cannot implement customer data privacy best practices if they don't know best practices to handle a breach and hence the importance of training them on the company’s privacy practices. Waters stated that the human factor is often the most vulnerable in the data protection chain and organisations need to ensure employees are well-versed with the compliance regulations and best security practices by providing them with both training and proper guidelines for those who come into contact with the most sensitive data types, whether personal data or not.
Trainings should include updates and refreshers to keep employees aware of data privacy best practices as cyber-attacks evolve, Pooja Kaur, HR consultant at a Hyderabad-based mid-sized IT firm, who added that an employee should also have access to customer information based on their roles and connection to the data and this should be decided by the employer. For example, marketing teams may need demographic data, while customer service teams may need customers' account information.
Drew Bagley, VP & Counsel for Privacy and Cyber Policy, CrowdStrike further said that it is important for organisations to ask what the current risks to their privacy are and how they can mitigate these threats through proper training and use of technologies.
Proactively communicating with customers
Organisations should be transparent with customers about how they use data, so consumers can understand and potentially limit access to their data, said Brian Gin, chief privacy officer, Trellix. For example, GDPR in the European Union and similar policies protect customers based on consent.
“Not just that, businesses should proactively communicate with customers about the way they are utilising their data if they want to build trust and loyalty in them,” he said adding that they need to think of ways to balance upholding privacy concerns without annoying users with privacy notifications and too many restrictions.
Next Article