3 Steps to Bolster Privacy
The California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) may signal a coming global standard for data protection. Why? Business. The pressure is ever increasing to protect data, meaning we are likely to see an uptick in individual state data protection laws here in the U.S. and more outside the U.S. and the EU. Here are three practical steps to take toward ensuring stronger data privacy for customers.
No doubt, since May you’ve experienced an influx of emails from every company you’ve ever done business with, letting you know about their updated privacy policies. This was due to GDPR going into effect. These emails varied in their compliance with the new regulation; some did it right by asking for explicit consent for their new policies. Many others just sent emails saying they assumed your implied consent, meaning that if you don’t unsubscribe, they assume you consent. Yet others didn’t even bother to send that kind of noncompliant email.
Data Privacy Law is Evolving
Your organization falls into one of those three groups. Delaying compliance remains a risk, even for businesses with U.S.-only consumers. The California Consumer Privacy Act (CCPA) has already been passed. California law tends to be a harbinger of things to come — in 2003, they passed the nations’ first breach disclosure law. While there is still no federal law on breach disclosures, it mandated the disclosure of breaches involving 500 people or more, and there are more than 40 states with disclosure laws on their books (thanks to federal inaction).
In light of Facebook’s Cambridge Analytica scandal and the large data breaches in the first half of 2018 alone, it’s possible that CCPA and GDPR are just the beginning of what will eventually become a global standard for data protection.
Instead of having to comply with a mishmash of more than 40 inconsistent state laws and GDPR (not to mention other countries’ laws), companies will find it cheaper to comply with one global policy that mimics GDPR. So, despite GDPR applying only to EU residents and CCPA applying only to California residents, the types of restrictions on data acquisition, storage and sharing are likely to become an international business problem, not solely a European one.
The goal of this spate of privacy laws is to help companies be more mindful of what consumer data they have, where they keep it and how they can be more responsible with it. The most obvious result of these privacy laws, however, is encouraging transparency and information about how, when and where data is used and stored.
In fact, according to a study conducted by researchers at the Ruhr-Universität Bochum in Germany and the University of Michigan in the U.S., since GDPR went into effect, the most notable change has been “the rise of cookie consent banners, which now greet European web users on more than half of all websites, informing about the websites’ cookie practices.” They go on to note that “While seemingly positive, the increase in transparency may lead to a false sense of privacy and security for users.”
Moving Toward Stronger Privacy
Giving data over to someone is an act of trust. It’s been an implicit trust until now, when GDPR mandated that it must be explicit. Whenever data is exchanged, it should be kept safe using the strongest measures available – regardless of whatever laws are in place. Consumers today expect and are now demanding nothing less.
Here are three practical steps to take toward ensuring stronger data privacy for customers:
- If you don’t already have one, put up a cookie consent banner. Link this to your privacy policy so that customers and prospects can decide for themselves whether they want to comply.
- Conduct a data audit to understand where in your organization personal data is held, who has access to it and for how long. This is a major step in ensuring you can keep data safe, because first you have to know where it is and how your organization uses it.
As much as possible, store sensitive information on-site, where it remains directly secured by you, with highly controlled access. The cloud (along with cloud-based applications) is an attractive business convenience, but make sure you understand the potential vulnerabilities and be discerning about what data you do and do not upload to the cloud. - Work toward a GDPR- and CCPA-compliant system with policies in place to keep it that way. Since California law is often a precursor to federal law, act as though CCPA applies to you even if it currently doesn’t.
Until a federal law consolidates all the varied requirements, enterprises will need to anticipate stronger data privacy regulations and plan accordingly. To any businesses struggling to comply with GDPR or CCPA, may this encourage you to move forward and protect consumers’ data – the right way and right away.
Arshad Noor is the CTO of StrongKey, a Silicon Valley and Durham, North Carolina-based company focused on securing data through key management, strong authentication, encryption and digital signatures. He has 32 years of experience in the information technology sector, of which, more than 19 were devoted to designing and building key-management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, as well as authored XML-based protocols for two Technical Committees at OASIS and represents StrongKey at the FIDO Alliance. He is also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE. He can be reached at 
