Data privacy has drastically changed in the past year. Massive regulation fines were served and privacy culture rapidly evolved during the COVID-19 pandemic. We asked cybersecurity and data privacy experts for their take on the state of data privacy and what we should expect in the year ahead in this expert insights series for #DataPrivacyDay 2021.
In this feature Q&A we sat down with two experts from Trustwave, a leader in managed threat detection and response.
Nick Ellsmore, Global Head of Strategy, Consulting and Professional Services at Trustwave
Darren Van Booven, Lead Principal Consultant at Trustwave and former CISO of the U.S. House of Representatives
What recent data privacy legislation changes do you believe will have the biggest impact in the upcoming 1-2 years?
“As with so many things – e.g., anti-terrorism legislation – the biggest question is whether the COVID-related legislation authorizing data access, and mandating data collection, gets wound back at some point in the near future. There is always a tendency to say, “Let’s just keep it… just in case”. The other question is how effective data destruction legislation is, in the context of COVID. Who is going to make sure that all these personal records we’ve just created are genuinely destroyed when they are no longer needed?” – Nick
“In terms of US law, I think the largest impact will still come from the California Consumer Privacy Act (CCPA). The CCPA has undergone multiple revisions since it originally passed, and it is likely going to be revised again in the next year or two. It has a significant impact on businesses doing business where California resident PII is involved. GDPR will still have a major impact as European regulators continue to levy hefty fines on companies for violating various GDPR provisions. The heavy fines, many of which are in the $10s of millions, are sending a clear message about the importance of following the privacy law.” – Darren
What do companies need to keep top of mind with regards to privacy this year?
“If you don’t have the data, you can’t lose the data. My presentation at AusCERT last year was on back burning your data environment – and the whole premise was that organizations have built up these enormous stockpiles of data that they probably don’t need. It introduces a significant risk, and in many cases is likely to be out of line with privacy requirements in many jurisdictions. Companies need to really start focusing on getting rid of data that they no longer need.” – Nick
What advice do you have for privacy-minded consumers?
“Be conscious of what information you’re giving out, who you’re giving it to, and just internally ask yourself a question about whether or not it seems reasonable and necessary. If it doesn’t, and if you are in a position where you can “vote with your feet” and go somewhere else, do it. Ultimately it’s the market that is going to have the greatest impact here.” – Nick
“The first thing all consumers should do is realize that their personal information is an asset to companies in the commercial sector. Consumers need to ensure they scrutinize all cases where information is provided to a business, so they are aware of what information is being provided. If necessary or the consumer feels uncomfortable, they should not hesitate to ask questions about how their data is used, why it is collected, and how it is protected. Making this a habit will ensure a level of continuous hygiene that will always benefit the consumer in the long run.” – Darren