Data Privacy Day is led by the National Cyber Security Alliance (NCSA) in the United States. According to NCSA:
"Data Privacy Day commemorates the 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Launched in Europe and adopted in North America in 2008, Data Privacy Day brings together businesses and private citizens to share the best strategies for protecting consumers' private information."
We know the NCSA also leads National Cyber Security Awareness Month (NCSAM) in October – a month dedicated to awareness of protecting ourselves, our property and our information. Data Privacy Day is a single day set aside to recognize the importance of controlling access to our personal information and keeping it private.
For an indication of how important privacy is to individuals, look no further than the General Data Protection Regulation (GDPR), which will be enforced starting May 25, 2018. This regulation, led by the EU, will impact not just European organizations, but any entity doing business there. And the fines for non-compliance shouldn't be ignored.
"Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement."
If you're a company outside of Europe, but you have customers in the EU and do business there, you should be addressing compliance with GDPR.
Where to Start?
As with NCSAM, there is a wealth of information on the NCSA website about Data Privacy Day, but I'd like to highlight and expand on the guidance offered for businesses when it comes to your customers and the privacy of their personal information. (Please note: Simply implementing the below guidance doesn't put you in compliance with GDPR.)
If you collect it, protect it. This is a great example of how data privacy goes hand-in-hand with security. As a collector of privileged and personally identifiable information, you must take measures to protect that data, including controlling who can access it.
Be open and honest about how you collect, use and share consumers' personal information. First off, being anything but transparent and honest about what you do with customers' private, personal info will only get you into trouble. Think about what your customers reasonably expect you to do with their data, and then make sure that is what happens by default.
Build trust. Communicate what privacy means to your organization, how important it is and what you're doing to achieve and maintain privacy.
Create a culture of privacy in your organization. Make sure your employees understand the importance of keeping customer and employee information private and protecting it – and the impact of what would happen if that information was compromised.
Go beyond the privacy notice to educate consumers about your data privacy practices. Use additional notices and alerts such as opt-in options vs. opt-out requirements.
Conduct due diligence and maintain oversight of partners and vendors. This is one that is easy to overlook. Think about the Target breach of 2013, and the countless others that have followed, where a third party opened the access route for bad actors to infiltrate a system and compromise private data.
ZZ Servers recognizes the importance of keeping any private data we collect ourselves or on behalf of our customers just that – private. We strive to be a trusted partner in your business and will work to help ensure the privacy and security of personal data.
This Jan. 28, spend some time reflecting on how your organization is handling your customers' personal information and whether you're being transparent, building trust, creating a culture of privacy and doing due diligence with partners and vendors. Think about this over a breakfast of blueberry pancakes.