Subscribe

How to step up data privacy in 2022

To take control of data privacy, companies must overcome the challenge of exponential data growth to discover and accurately classify all sensitive and personal data.
Veemal Kalanjee
By Veemal Kalanjee, MD of Infoflow.
Johannesburg, 25 Jan 2022

Data privacy, along with data security, are top priorities for organisations in the face of ramped-up cyber risk, more stringent regulations and an increasingly security-aware public.

It should be noted, however, that while data security and data privacy may overlap, they are not one and the same thing. Data security refers to protection of sensitive data from compromise – usually by external parties – while data privacy relates to the proper collection, storage, sharing and use of confidential and personally-identifiable information.

Data privacy, within a bigger picture of data governance, tends to focus on various levels of risk exposure and access to information within the organisation.

Modern data privacy regulations and their associated penalties and public awareness have driven corporate focus on data privacy. Gartner predicts that by the end of 2023, 75% of the world’s population will have its personal data covered by modern privacy regulations, with spending on data protection and compliance passing $15 billion worldwide. Security and risk management has become a board-level issue globally.

To take control of data privacy, organisations must overcome the challenge of exponential data growth to discover and accurately classify all sensitive and personal data. Most organisations generate more data than they know what to do with.

Identification, classification and cataloguing the key data elements and providing this in an easily accessible mechanism (ie, democratising data) is the first step in finding the sensitive data. Organisations still use manual methods for data discovery, and this is inefficient and often leads to the incorrect data being identified.

Often the approach is to do a mass data discovery across any and all systems. This isn’t the most effective way to aid with identification of sensitive data. Identify the critical systems that would most likely contain the sensitive data, then do a discovery on those specific systems.

For both data discovery and to quantify risk and exposure, automated tools are available to make the process more efficient and accurate.

Allocating cost to a risk exposure then needs to be carried out on those systems and attributes. Determining the cost should be based on the potential penalties that may be applicable due to the exposure, if they are known. Once those are assigned, weighing up the risk versus benefit of access to sensitive data becomes slightly easier.

For both data discovery and to quantify risk and exposure, automated tools are available to make the process more efficient and accurate.

Identifying or discovering the sensitive data is a critical part of data privacy; however, protecting that data is an element that is the next logical phase in data privacy. This involves bringing in the necessary controls to ensure risk mitigation, implementing techniques such as encryption, masking, minimisation, alerting and reporting.

The introduction of new systems, data processes, users and a myriad of other changes can lead to previously defined privacy controls becoming less effective, so regular penetration testing is crucial to ensuring any privacy controls that are in place are effective and still relevant.

Risk, legislation and market conditions are continuously evolving, so organisations need scalable and flexible long-term approaches. Regular vulnerability testing remains key, and linking this to a broader data governance framework will ensure the necessary policies are in place for continuous governance over data privacy, ensuring it is not an ad hoc approach.

Considering the customer role

Customers too have a role to play in ensuring data privacy. With the Protection of Personal Information Act now in place, protection of personal data has gained a lot of focus.

An individual should always trust any entity they are sharing their personal data with. If there is any uncertainty around trust, the better decision would be to avoid further interaction with that entity.

In the same way that organisations need to categorise and classify their sensitive data, individuals’ personal data can also be classified according to the degree of importance, which is always contextual to how it is being shared.

Typical questions that should be asked before sharing such information are: What is the risk versus benefit of sharing the info? What would the repercussions be should the data be exposed? Does the entity have the adequate controls in place to prevent exposure?

These are often overlooked for many of the services that we sign up for currently but should nonetheless cross your mind before hitting the “I agree” button.

With the digital world being global, it is important to understand where your data is being shared.

Would the organisation you have shared your data with be capable of destroying any of the data at your request? Would it be able to trace all the touchpoints for your personal information? Does it have additional mining of data to augment what you have provided and what are the implications of this?

Share