Every year on January 28 the world sets its sights on the privacy of individuals and the protection of data. Now celebrated in over 50 countries, the original goal set out over 11 years ago was to raise awareness of what personal data is collected and processed and why, and what an individual’s rights are in respect to that.
The history of Data Privacy Day (aka Data Protection Day)
To give the Council of Europe (aka Conseil de L’Europe) their dues, it was back in 2006 that this human rights organisation reached an agreement to name 28 January as Data Protection Day. It was first run in Europe in 2007 and since then the USA has adopted the event and named January 28 as Data Privacy Day. Over the years the initiative has been supported by governments, national CERT teams, security vendors, consultants and Supervisory Authorities (such as the ICO here in the UK).
Why do we need Data Privacy (and Protection) Day?
The goal of the day is simple. Use it as a springboard to raise awareness and understanding of how personal data is being collected and processed, and why.
As I think of myself as a consumer (we are all consumers after all) I do think about who has access to my personal data. I make decisions based on who is processing my data, what I get in return and how secure my data may be. In 2018 our data footprints are large; just think about the data generated by our use of search engines, the emails we exchange, the goods we purchase from online shopping stores, the ride shares we take, the places we visit, who we interact with on social media... the list goes on. Back in 2015 we at Forcepoint Security Labs spoke of a post-privacy society and the realisation that there is little or no expectation of privacy in today’s world.
As security professionals, your colleagues will likely tell you that they value their privacy but are sometimes willing to exchange the notion of privacy for a service – think of that mobile app that wishes to access your Contacts, or that smart home device that knows your route to work.
This makes me think that we have an even greater need, and responsibility, to protect people’s data. Yet how many times do we see organisations, even large enterprises, fail to do that? The good news is that this presents us with an opportunity to change.
How are you promoting Data Privacy and Protection?
I am a fan of a simple “1, 2, 3 step” approach to invoking change. Here I present my challenge to you on Data Privacy Day:
1. Given this responsibility to make a difference, ask your peers in the IT team, the IT security team and your Legal team how your organisation is protecting the privacy and personal data of yourself, your customers and your employees. Put this question to your Senior Manager or Director if you are more comfortable doing that.
2. There are valuable lessons to be learned by reviewing press articles and post-mortem reports of companies that have suffered a data breach. What did they do well? Did they segregate their networks and prevent cross-contamination by data-stealing malware? What did they do poorly? Did they seemingly make up their Incident Response as the event unfolded? Did they not encrypt valuable data? Did they not realise that account credentials were compromised? Did they not stop that obvious data exfiltration event? Don’t be that organisation! Factor the lessons learned into your own processes.
3. With a combined desire to protect our privacy, our data and that of others, we can surely effect change. Engage with your family members, friends and colleagues on the matter of privacy. Spreading the word is so valuable. Here are a few pointers you can think about and bring up in conversation: Think about how you choose strong passwords, and don’t re-use passwords across services. Have you enabled two-factor authentication wherever you can, even in your personal life, for example Login Verification on Twitter and 2-Step Verification on Gmail? (According to recent reports only 10% of people have.) Do you stop the install of mobile phone apps when they ask for unnecessary access to your Contacts list or Calendar? Do you think twice before giving your email address to websites? Consider how you think about privacy and data protection differently in the work environment versus your personal life.
The time is now
With upcoming regulations such as GDPR on the horizon, it is vital that you put in place the building blocks to understand what data you are processing, how you are monitoring that data as it moves in and out of your organisation, and how you will handle the “when, not if” data breach.
When I considered the title of this blog I was reluctant to write “and Protection” in parentheses. We should all live and breathe data protection every day, recognising it as vitally important as our organisations seek to maintain access to, and the integrity of, our valuable data while preventing data theft and loss.
No matter the day of the year, make sure that every day is Data Privacy AND Protection Day.
National Cyber Security Alliance’s micro-site (US-based) https://staysafeonline.org/data-privacy-day/
StaySafeOnline’s social media feed: https://twitter.com/DataPrivacyDay
Each year Carnegie Mellon University run a CMU Privacy Day. You can read current research in the field here: http://cups.cs.cmu.edu/privacy-day/2018/
Forcepoint’s GDPR Resource Pack: https://forcepoint.com/GDPR