Data Privacy Day
So, January 28th is Data Privacy Day and our marketing department thought it would be a great idea to write a blog on, you guessed it, data privacy. Not really a new thing for us; we’ve written a ton of blogs on the topic and we’ve even been quoted in a book. So, when I was asked to write another blog on this important topic, I thought to myself, “What am I going to say that I haven’t said before. Is there anything new or different in data privacy?”
After several hours of fruitless research on emerging trends in Data Privacy I came up empty. I wasn’t surprised. We’re living in what is essentially The Dark Ages of Data Privacy.
“Dark Age: A period or stage marked by a lack of enlightenment; a period of intellectual darkness.”
Let’s face it, we have the technology, we have best practice, yet regretfully, we also have a wide-spread willingness to turn away from the truth.
It is not that people are ignorant of their responsibilities. The laws are clear.
It’s not that people don’t understand the consequences. You can barely make it through a single week without a major headline about another data breach and another multi-million (and in some cases billion) dollar fine.
And it’s not even that people just don’t know what to do. They know. The absolutely know, and they choose not to engage in the necessary behaviors required to support effective Data Privacy.
Data Privacy Disasters
Recently, I was negotiating a contract, and as I’m am a big fan of all things risk and compliance, I wanted to make sure we, as the First Party, did everything we could to meet the data handling and data privacy requirements of the Second Party. And this is how the conversation went down:
Me: “We agree to handle all your confidential data according to the terms you’ve set forth in your contract, as long as all confidential data is clearly marked as confidential.”
Second Party Lawyer: “There’s no way we’re going to do that. No one’s got time to sit around and classify data here.”
Set data management up for success with data classification.
On another occasion, with another party, there was a contractual requirement for data encryption at rest and in transit. And this is how that conversation went down:
Me: “We are happy to comply with your encryption requirements. Regarding, the requirement for encryption in transit, we want to make sure from a technology perspective we can support your email encryption requirement. What email encryption technology would you prefer us to use.”
Second Party Lawyer: “Whatever you like.”
Me: “I appreciate your flexibility. Let’s make things simple. What email encryption do you use and we’ll use the same one.”
Second Party Lawyer: “Oh, well we don’t actually encrypt our email.”
Me: “So you have a contractual requirement for your vendors to encrypt data in transit, inclusive of email but, your company does not actually encrypt your own email? Do I understand that correctly?”
Second Party Lawyer: Long awkward silence……. “You can strike the encryption requirement.”
5 Data Management Best Practices
I can promise you, both of these regulated companies had “controls” in place to “ensure” data privacy. The fact that data privacy requirements made it to their standard contracts is evidence of that.
And, I’m sure they had no issues showing the auditors that they were holding 3rd parties accountable to data privacy best practices, or educating their staff on data privacy. I bet they both even had a data classification policy that they kept up to date. In fact, they may have had any number of generally accepted, “Fluff” controls in place that appear to be working effectively.
“Take off your plague mask and take a deep breath of reality – You just don’t want to do the hard work of data privacy. Period. Full stop.”
In both cases these companies understood the law, knew the requirements, and they chose not to do the work. Data privacy is not complicated or complex. It doesn’t take expensive technology to comply. What it does take is elbow grease; good old fashion human power. So, the good news is, outstanding data privacy is accessible to any company regardless of size or industry. The bad news is, Data Privacy is not for the lazy. You cannot skip steps. It is not an ala cart menu that you get to choose from. It is an enterprise discipline that every employee must engage in. Until companies learn to accept this, we will continue to remain in the Data Privacy Dark Ages.
