Three “Hard Truths” that will Greatly Reduce Organizations' Data Privacy Risks
As a result of the exponential growth of data and the growing number of Data Privacy regulations, organizations worldwide have the daunting task of trying to manage it all. However, what if I told you three “hard truths” that can help anyone “cut to the chase” and paint a picture that not only can be understood by people at all levels of any organization but these truths will also help organizations pinpoint their gaps and develop a plan of attack? Here are the three “hard truths” that will greatly reduce organizations' Data Privacy risk.
#1 Hard Truth: Organizations that collect too much data collect evidence against themselves.
That’s right, I said it! In the digital age, there is a data trail left everywhere. Is your organization dropping cookies on people’s devices without the proper consent? Are you collecting biometrics data of individuals without proper notice or data retention practices? Are you hoarding data in back rooms or the cloud without a purpose in hopes that one day you will need it for “something”? If your organization is doing any of the things listed above, watch out because you will be caught with evidence in hand. Fancy explanations and high-brow arguments will not help you dance around the fact that “yes, you did it”!
So how do organizations remedy this situation? Do not take it for granted that just because everything “works,” your data practices do not need a tune-up. Look at what data you have, ask people who know the data, ask questions about why data is being collected and create a plan that follows the data throughout the whole data lifecycle. Your Data Privacy risks will be greatly reduced once you have a solid living data plan instead of just collecting and keeping everything.
#2 Hard Truth: Privacy is a data problem that has legal implications, not a legal problem that has data implications.
This is probably my most quoted quote! Companies have data problems before they develop legal troubles. The data and how it is handled create risks before it ever becomes a legal issue. Organizations that want to get serious about reducing risks and minimizing legal problems must start with the data. Often in the media, when you hear of organizations being fined for Data Privacy violations, like the recent news about Sephora (Check out this Forbes article by "The Data Diva" Talks Privacy podcast guest for episode 102, Tom Chavez, Co-founder, and CEO of Ketch, called “SEPHORA’s $1.2 Million Fine Proves Customer Privacy Is An Innovation Imperative.”). Data Privacy fines like those leveled against Sephora do not happen because organizations lack good legal counsel or were unaware of the regulatory requirements. The problem is that, most often, organizations cannot find a way to change the operations of their business in how they handle data. Organizations get fined for what they DO, not what they say they do. Actions matter more than words with data. Talk to the data folks, and find out what you need to DO to change your data operations before you lose trust with your customers and before a regulator comes knocking.
#3 Hard Truth: Low business value data has a high Data Privacy and Cybersecurity risk.
Data perceived to have a high business value is often the most highly protected data in organizations. Organizations go to great lengths to protect this highly valuable data. However, what happens when this high-value data loses its luster and usefulness? This lower-value data often languishes in organizations, being shuffled and moved to slower storage, less secure systems, and often the knowledge about this once valuable data can leave the organization through natural employee turnover. Think about data about former customers, as was the case with the T-Mobile data breach. Those lists of potential customers may have been very valuable at one time, but after some time, when that data had a low value within the organization, cybercriminals were salivating to get at this low-value data because this data is a high value for cyber criminals who have hit the jackpot and will create millions of dollars worth of fraud. Don’t fall for this trick. If data has low business value, it needs to be assessed and moved through the data lifecycle to its end of data life. This is not the sexiest work, but chasing data to the end of its useful life is vital to reducing Data Privacy risks for organizations. When organizations can learn from these three “hard truths,” they can reduce risks for their organization and make Data Privacy a Business Advantage.
