Nine industry experts provide sage advice on how to protect your customers’ sensitive data in 2019, as well as some things you should NEVER do
C-suite execs have a lot on their plates when it comes to protecting their customers’ sensitive data in 2019. Please tell us:
1) What’s one sage piece of data privacy management advice or tip to help them in 2019?
2) What’s one thing they should never do, or a pitfall to try to avoid in 2019?
Associate General Counsel and Global Privacy Officer, Intel, Inc.
1) As we move towards a more data-centric economy, understanding what data an organization has, and how it is being used, is critical for both shareholder value and protecting privacy. Organizations need to build the right processes to map where their data is, how they can make innovative use of it, and how they will show they are accountable to the individuals to whom the data pertains.
2) An organization should never rely solely upon third parties to have access to data without showing they will be accountable for how it is used. Upstream and downstream data inventory management will be critical in 2019.
Deputy CTO, SAP Concur
1) Modern enterprises move data through streaming pipelines, where it can be hard to protect provenance and canonicity. Tracing where the data ends up is as essential as protecting the data itself. Once you publish data internally, it can be very hard to control where it goes or how it’s used. Enterprises should implement strong controls and good hygiene in establishing trust and access – and then verify the results.
2) Avoid playing “catch up”; many organizations end up “compliant” at a point in time but gradually fall apart as new software is written or deployed, new people join the organization, etc. Protection is a process that many organizations fail to bake into the upfront architecture of their projects and then scramble towards when it’s too late. It’s too easy to leave holes, pay too much, or find yourself in an impossible situation if privacy is always a bandage applied at the end.
Chief Marketing Officer & VP Operations, Flashpoint
1) Engage in external collaboration and information sharing. There are a number of secure, trusted communities that facilitate these activities among security and privacy practitioners, so if your company isn’t already a member, join one. These communities range from large and industry-specific, such as the various ISACs, to small and vendor-specific, but all exist for the same reasons: to provide like-minded experts with the means to quickly and easily share relevant information with, and seek guidance from, other like-minded experts. Doing so can expose your company to greater resources and expertise that can help you to better protect your customers’ data.
2) Never conflate compliance with security. GDPR, for example, has fueled great progress in how companies address the privacy of customer data, but the standards it enforces are by no means sufficient for securing customer data. This is largely because there are many critical areas of security that GDPR does not regulate, including encryption, security awareness and education, business continuity and penetration testing, and technical and policy controls, to name a few. The same goes for similar compliance bodies such as PCI DSS and HIPAA. Just because a company is deemed compliant does not mean that its customers’ data is fully immune to compromise. Compliant businesses can and do experience data breaches, which is why achieving compliance should never be viewed as an end goal—but rather as one of many essential components of a comprehensive security strategy.
1) Know where your data is. When I was working in venture capital five years ago and first started researching the data privacy space for investment purposes, I found that the biggest glaring problem was that no one knew what data was where, let alone if they were in compliance with any laws, contracts, or other business obligations. The foundation to complying with any law, whether it’s GDPR or CCPA or any of the other new bills being considered, is to know what data you have.
2) Never assume that your work is done just because you’ve got great policies and procedures in place. A key component to ensuring compliance, or at least defensibility, is the operationalization of those policies and procedures. Being able to audit your data sources to prove compliance with the law is critical to protecting your brand and reputation.
former Senior Advisor for Privacy in the Obama White House
former Chief Privacy Officer of the Federal Trade Commission
Principal, Groman Consulting Group LLC
Adjunct Professor, Georgetown University Law Center
1) Today, data often is a company’s most strategic and valuable asset. Companies must treat it that way, by implementing a comprehensive, enterprise-wide, continuous and risk-based privacy and security program. Step one – know what data you have.
2) Never make assumptions about the data your organization collects, creates and stores. Rely on facts, evidence, and documentation.
1) Privacy will be center stage in 2019, so be proactive and reevaluate your processes to ensure that you not only remain GDPR compliant but also anticipate any future U.S. and global privacy legislation that could be coming in 2019. Start by establishing a cross-functional taskforce to perform an assessment of your current state of compliance. During this process, take the time to understand what’s been successful and where there have been challenges from a business perspective prior to introducing new processes. Once you’ve done that, map new laws and regulations to your existing controls and processes, and determine where you may be required to implement changes. Once implemented, be sure to set a regular cadence for the taskforce to regroup to assess compliance.
2) With new regulations like the California Consumer Privacy Act (CCPA) in the pipeline, be sure you don’t evaluate them in isolation. Build a comprehensive privacy governance framework, which enables you to continually re-assess your compliance with existing privacy regulation like GDPR and emerging ones.
Entrepreneur, Venture Partner, Aspect Ventures
1) Get a handle on employee/contractor off-boarding. Latent privileges are a big, unnecessary risk. Also, automate your process of understanding what sensitive data you have. Most organizations have too much data in too many places for human processes to be reliable or consistent enough to be effective.
2) Don’t stop at encryption. The most common pitfall I see is when I hear someone’s answer about data security is, “We encrypted our data, so we don’t need to do anything else.” Encryption is good for mostly bulk, mostly static use cases, but tends to fail for data in use.
1) View data protection and data privacy as an opportunity, rather than a burden. There’s a pervasive enterprise perception that consumer controls for data will result in less analysis and insight, or that privacy controls somehow “lock down” data. This misses the bigger picture. Data-driven regulation, such as GDPR and similar mandates, all share the same common requirement of strong, granular control of data at the architectural level. Strong control of data, in turn, has downstream benefits for other proactive data-driven initiatives within the organization. A robust data protection and privacy program, implemented enterprise-wide, has benefits for data quality, coordination of self-service access rights, and building consumer trust. At a high level, data privacy and data protection requirements are a golden opportunity to reconsider and optimize data management architecture and practices.
2) We’ve officially entered the data protection and privacy era, and the enterprise can no longer have a combative attitude towards compliance if it wishes to remain competitively viable. The biggest pitfall is viewing data privacy or data protection requirements as a list of burdensome technical “checkboxes” that need to be ticked off one by one for each new regulation. This view of the individual trees misses the broader forest: the core principles that are shared across regulatory frameworks. Implementing new siloed tools and new processes for each new regulation is not sustainable, economical, or scalable. Instead, organizations need to focus on optimizing underlying data management architecture and workflows from the ground up. Focus on the core commonalities, rather than the differences, between regulations. From there, implement highly-specialized point solutions higher in the stack only when necessary.
Managing Director, Agelight Digital Trust Advisory Group
Founder & Chairman Emeritus, Online Trust Alliance
1) 2018 will likely go down as the year of questionable ethics. From the data sharing and mining practices of Facebook, Google and most recently the Weather Channel’s app, to the abuse of social networks, we all need to be concerned. All too often these entities who were supposedly “stewards of our privacy and trust” appear to have acted unethically. While executives need to be held accountable, one has to also question employees who failed to come forward and follow their own moral compasses. Our industry is at the center of a seismic change with the convergence of big data and artificial intelligence (AI). The oceans of digital information and low-cost computing power are providing endless marketing opportunities. At the same time, we are being confronted with ethical dilemmas challenging users’ digital dignity and redefining privacy norms.
My big focus for 2019 is Data Ethics: the convergence of big data, AI and Ethics. I have been steadfast on the need to move from compliance to stewardship. Ethics is an extension to this in light of the practices and what I call “data laundering,” which is occurring.
The question at hand is: Can industry and governments be trusted to responsibly regulate AI? Second, how can ethical guardrails be developed to help prevent abuse? There is no question AI will have a profound effect on how marketers engage consumers. Done right, consumers will get better and more relevant ads, content and services. This can be a win-win, but only if we get it right and address the ethical unintended consequences in advance.
2) The one thing executives should avoid is remaining silent. They need to question their business and data strategy and not fall silent like so many employees at offending companies have. The question is, are they willing to follow their moral compass and rise above compliance?