Make Privacy A Default Practice, Not An Add-On


Rebecca Herold sheds light on the current state of data privacy and security in organisations and on the elements missing from GDPR and CCPA

“Organisational shifts require understanding by executive management, starting with the CEO and the board members. With this support, data can then be collected that will reveal weaknesses within the organisation, pointing to such situations as where policies and procedures need to be updated or established,” said Rebecca Herold, CEO and Founder, Privacy & Security Brainiacs.

With over 25 years of privacy experience, Herold hosts the podcast Data Security & Privacy with the Privacy Professor. Herold, the author of 20 books, was previously an adjunct professor at Norwich University.

In this interview, Herold talks about the shift in consumer attitude towards privacy, organisational shift towards data-driven decision making and security protocols within the workforce, and how technology can enhance consumer trust. Additionally, she elaborates on the missing key features of the privacy laws that exist today.

Excerpts from the interview

How have consumer attitudes towards data privacy shifted in the last two years?

Consumer attitudes about privacy have certainly been on an interesting path of evolution over the past couple of decades. In the past two years, people have been sheltered in place and working from home, reading and seeing more news about privacy breaches and invasions, surveillance and other issues. Privacy rights are being established through many new and recent laws and regulations, such as the GDPR and the CCPA.

These privacy attitudes involve increased awareness, which is good in many ways. But it has also resulted in many incorrect beliefs about privacy as a legal right, privacy for different types of IoT devices, privacy on online sites, and social media apps' privacy problems. Ultimately, the privacy attitude has shifted to higher awareness of privacy issues and the desire by consumers to have more control over how their own personal information is protected, used, shared and retained.

How can companies create an organisational shift towards data-driven decision making and security protocols within the workforce?

Such shifts require understanding by executive management, starting with the CEO and the board members. Those highest level executives must then strongly and visibly support privacy initiatives, make workers responsible for following privacy and security policies and provide regular privacy and security training and frequent reminders.

With this support, data can be collected that will reveal weaknesses within the organisation, pointing to such situations as where policies and procedures need to be updated or established, where additional types of training needs to be provided, where security and privacy vulnerabilities exist, and where contracted third parties and supply chain weaknesses are putting the organisation at risk.

How can technology play a role in enhancing consumer trust?

When technology is truly used to the benefit of the consumers involved, instead of for the profit, including marketing, of the organisations collecting and deriving the personal information, that will build consumer trust.

Organisations must use technology to protect consumers. For example, they should strongly encrypt consumer information by default and not wait for consumers to ask for encryption or make it an option that consumers are expected to know how to activate. Many consumers now assume that their personal information is being encrypted by default since it is an obvious and effective security and privacy protection.

Basic security and privacy protections should all be implemented by default for any service or product. Making security and privacy technology protections a default instead of an add-on will help to build consumer trust.

What are some of the key features still missing from data privacy guidelines, including GDPR and CCPA?

There are several key features missing from the GDPR and the CCPA. They do not require all types of entities to protect the personal information to which they have any kind of access.

GDPR does not apply to “competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.” It also does not apply to “processing of personal data by the Union institutions, bodies, offices and agencies.” For the latter, some may argue that other laws apply, which is generally true. But those other laws are not providing the same types of privacy protections and individual rights that GDPR provides.

GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data, which form part of a filing system or are intended to form part of a filing system. This leaves out a lot of personal information that can be breached and misused through visual, audible, and other forms of access.

CCPA has even more exemptions from compliance than GDPR. CCPA only applies to for-profit businesses in California that meet any of the following: have a gross annual revenue of over $25 million; buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or derive 50 per cent or more of their annual revenue from selling California residents’ personal information.

This leaves out millions of organisations that also collect and derive personal information for California residents.

There are many rights that GDPR and CCPA do not provide to individuals. For example, these laws do not provide protection to individuals after death. This is often very important, for a wide range of reasons, for the surviving family members. In contrast, the US Health Insurance Portability and Accountability Act (HIPAA) covers protected health information (PHI) for 50 years after death (it originally applied forever).

There are other key protections that neither regulation provides, both for emerging technologies and for being worded in ways that are technology agnostic.

Are you currently writing a book? What’s it about?

I’m currently finishing two books. Security & Privacy when Working from Home and Travelling will be published by the end of 2022 or early 2023. It includes lessons for how a wide range of organisations, in different industries, are addressing the challenges, problems, incidents, breaches and compliance areas of work from home, mobile working and hybrid work.

Cybersecurity for Grandparents, and Everyone Else! Q1 2022 Edition: IoT Security and Privacy will be published on Amazon by the end of March 2022. Organisations and their employees can use it as a supporting part of the new Privacy & Security Brainiacs SaaS-based training modules. It will also be made available for purchase directly by the general public, so they can also benefit by using the same types of security and privacy practices when using the same types of IoT technologies within their personal lives.
