Data privacy has changed drastically in the past year. Massive regulatory fines were levied, and privacy culture evolved rapidly during the COVID-19 pandemic. We asked cybersecurity and data privacy experts for their take on the state of data privacy and what we should expect in the year ahead in this expert insights series for #DataPrivacyDay 2021.
In this feature Q&A we sat down with two experts from Trustwave, a leader in managed threat detection and response.
Nick Ellsmore, Global Head of Strategy, Consulting and Professional Services at Trustwave
Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives
What recent data privacy legislation changes do you believe will have the biggest impact in the upcoming 1-2 years?
“As with so many things – e.g., anti-terrorism legislation – the biggest question is whether the COVID-related legislation authorizing data access, and mandating data collection, gets wound back at some point in the near future. There is always a tendency to say, ‘Let’s just keep it… just in case’. The other question is how effective data destruction legislation is, in the context of COVID. Who is going to make sure that all these personal records we’ve just created are genuinely destroyed when they are no longer needed?” – Nick
“In terms of US law, I think the largest impact will still come from the California Consumer Privacy Act (CCPA). The CCPA has undergone multiple revisions since it originally passed, and it is likely going to be revised again in the next year or two. It has a significant impact on businesses doing business where California resident PII is involved. GDPR will still have a major impact as European regulators continue to levy hefty fines on companies for violating various GDPR provisions. The heavy fines, many of which are in the tens of millions of dollars, are sending a clear message about the importance of following the privacy law.” – Darren
What do companies need to keep top of mind with regards to privacy this year?
“If you don’t have the data, you can’t lose the data. My presentation at AusCERT last year was on back-burning your data environment, and the whole premise was that organizations have built up these enormous stockpiles of data that they probably don’t need. It introduces a significant risk, and in many cases is likely to be out of line with privacy requirements in many jurisdictions. Companies need to really start focusing on getting rid of data that they no longer need.” – Nick
“The most critical first step, which many companies still haven’t taken, is to ensure there is a comprehensive privacy policy in place. Privacy policies should provide a clear and complete description of what information is collected from customers, what PII is bought and sold and from where, how information is stored and protected, how information is used, and how customers can request an opt-out to any of those things. Awareness of applicable compliance requirements like GDPR, the HIPAA Privacy Rule, CCPA, etc. is critical to ensure there isn’t a large financial risk being taken due to compliance gaps. Lastly, a privacy program depends entirely on a company’s ability to know what data it has. Making sure to understand what data exists, where it comes from, and details around its own lifecycle within the company’s possession is very important.” – Darren
What advice do you have for privacy-minded consumers?
“Be conscious of what information you’re giving out, who you’re giving it to, and just internally ask yourself a question about whether or not it seems reasonable and necessary. If it doesn’t, and if you are in a position where you can ‘vote with your feet’ and go somewhere else, do it. Ultimately it’s the market that is going to have the greatest impact here.” – Nick
“The first thing all consumers should do is realize that their personal information is an asset to companies in the commercial sector. Consumers need to ensure they scrutinize all cases where information is provided to a business, so they are aware of what information is being provided. If necessary or the consumer feels uncomfortable, they should not hesitate to ask questions about how their data is used, why it is collected, and how it is protected. Making this a habit will ensure a level of continuous hygiene that will always benefit the consumer in the long run.” – Darren