Cyber Security Archives | TrustArc https://trustarc.com/topic-resource/cyber-security/ Mon, 12 Aug 2024 15:07:28 +0000
An Open Mic on Cybersecurity https://trustarc.com/resource/an-open-mic-on-cybersecurity/ Tue, 06 Aug 2024 14:36:26 +0000 https://trustarc.com/?post_type=resource&p=5079
Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws https://trustarc.com/resource/data-minimization-gdpr-ccpa-privacy-laws/ Tue, 13 Feb 2024 15:25:46 +0000 https://trustarc.com/?post_type=resource&p=2093
Article

Compliance Brief: Data Minimization under GDPR, CCPA and other Privacy Laws

Businesses need to get a whole lot smarter about how they consume data because greed is not good: it’s risky and uneconomical.

And it’s not like the warning signs weren’t there in the early data gold rush.

It might seem quaint now, but in 2017 when business publications such as The Economist reported “The world’s most valuable resource is no longer oil, but data”, they framed it as a conflict between big tech companies’ apparently unbridled growth versus rising public demand for antitrust and privacy regulations to rein them in.

The next year the EU GDPR (European Union General Data Protection Regulation) became enforceable (May 25, 2018), giving European citizens stronger personal data privacy rights, including the right to restrict processing and the right to delete. GDPR compliance requirements include data minimization as a key principle (see below).

California’s Consumer Privacy Act (CCPA) became law a month later (June 28, 2018) with a similar intent to drive greater protections of personal information, and CCPA compliance became enforceable from July 1, 2020. The CCPA was the first U.S. privacy law with data minimization as a compliance requirement (see below).

Data Minimization Requirements in Privacy Regulations Worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

  • Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in a breach
  • Purpose limitations – restricting data collections to information that is provably necessary for stated purposes. In most cases, this should mean the stated purpose of delivering personalized customer experiences
  • Consumer consent – limiting collection of personal data to consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

  • Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
  • Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
  • Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
  • Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is provably necessary?
  • Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
  • Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
  • Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?

EU GDPR made data minimization a key principle

The EU’s GDPR set a standard for privacy that gives EU citizens strong privacy rights, especially more visibility into and control over how organizations may collect and use their personal information.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Limited storage periods
  • Integrity and confidentiality
  • Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

The UK Data Protection Act (2018) was updated post-Brexit with a set of UK GDPR rules that closely follow those of the EU GDPR. As a result, UK citizens have stronger personal data and sensitive personal data privacy rights, including more control over how organizations may collect and use their personal data.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

‘You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization rules in CCPA/CPRA

The California Consumer Privacy Act, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

  • Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
    (Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
  • Storage period – 1798.100 (a) (3): “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
  • Proportionate use – 1798.100 (c): “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA/CPRA rules, including data minimization requirements.

How Information Technology Impacts Data Privacy https://trustarc.com/resource/information-technology-impacts-data-privacy/ Thu, 04 May 2023 18:45:00 +0000 https://trustarc.com/?post_type=resource&p=2292
Articles

How Information Technology Impacts Data Privacy

The rise of information technology (IT) has changed life as we know it, from the way people work to communication and even the way people think. How data is shared and stored has changed. And as data becomes more powerful, regulators and citizens are more concerned about preserving privacy.

In the past, data was stored manually – making it relatively easy to keep physical documents safe. Businesses could “build walls” around data to secure it and then defend those walls from attacks.

However, in recent years, the rise of cloud databases, email, mobile apps, data centers, and cloud-based systems has greatly increased the risk of an information breach. Thus, there are new challenges for data protection and information security, and a need to develop new approaches to protect data in this new world of IT.

Navigating the New Business Landscape: The Impacts of Technology’s Explosive Growth on Privacy and Public Safety

Decades ago, we didn’t yet know the profound impact IT would have on business or human life. It all started as technology exploded, providing everyone access to powerful tools without the necessary skills or training to manage the data.

Very little data management training is implemented across departments, yet all kinds of employees manage data. And information security teams can hardly keep up with the number of apps and devices people continue to connect to the company network.

As a result, employees unknowingly expose sensitive data – and create massive distrust among company stakeholders.

With advancements in AI, machine learning, and cloud computing, privacy and security risks have greatly increased. There is no way for companies to contain this information. It all lives outside of the business. That makes protecting it far more complicated.

So much so that some even argue privacy is dead.

As a business, it is only natural to continue to rely on IT to remain competitive. Still, without the proper privacy and security programs in place, businesses are at risk.

It’s time to rethink your approach to data protection and security and move towards a proactive, risk-based approach that will keep your privacy and security program safe. Companies that recognize how IT has created new opportunities and risks regarding privacy and security will be successful.

The appropriate measures should be taken to provide customers and partners or vendors with this important fundamental human right.

Making Privacy a Core Value: How Organizations Can Prioritize Data Protection

With more capacity, capability, and reach, information flows more freely now than ever before. Look at your phone. No matter where you go, this device is sharing your data. Where you move around the globe, also known as your geolocation, is being recorded.

Everyone leaves a digital footprint everywhere they go.

This is just one of many examples of how the flow of information is being directed. Yet as information flows freely, customers want businesses to maintain a great sense of privacy for consumers.

So, what is privacy?

When TrustArc’s European consultant Ralph T. O’Brien was asked this question, he viewed it as an inherent social right. Yet, in America, there’s no right to privacy embedded in the Constitution. It’s only an implied right to privacy. With this in mind, how can companies prioritize data protection to make privacy a priority?

Businesses need to understand that privacy is a derived right, and we have privacy laws because there is an assumption that something in privacy is not working. Companies need to weigh the importance of what they need to do and what consumers expect of them.

Organizations need to be more transactional in their communication. For example, instead of saying, “Your privacy is important to us,” consider saying, “You want something, and in order for you to get that, we need to use your data in these ways.”

Not only is this a powerful message, but it also sets expectations realistically regarding privacy and how the company prioritizes it. More transactional messages about how data is used provide a more accurate, clear picture to consumers.

Currently, most privacy policies are too difficult and complicated for consumers to understand.

To successfully make data protection a priority in your organization, it must be viewed as a fundamental right that should be maintained. The importance of privacy should be ingrained in your day-to-day interaction with customers, making it a core value of the brand.

Why Regulation Alone Isn’t Enough: The Need for Continuous Adaptation in Data Protection

While privacy laws are a good deterrent to keep businesses from collecting, processing, and using data unethically, they are not enough. Ultimately, striking the right balance between privacy and the flow of information is the key to an organization’s success. So what can businesses like yours do?

Invest in privacy technology.

The core of the message of privacy and technology has not changed. So what is continuously changing in the privacy world?

The density of data has changed. And the problem is bigger and only continues to grow in the future. The more data you put in one place, the more opportunity there is for nonpersonal data to become a preferential key to personal data. The truth is, it will never be 100% secure. But you can drastically minimize the risks.

What the GDPR Means for your Cybersecurity Strategy https://trustarc.com/resource/what-gdpr-means-cybersecurity-strategy/ Thu, 13 Oct 2022 18:03:00 +0000 https://trustarc.com/?post_type=resource&p=2617
Articles

What the GDPR Means for your Cybersecurity Strategy


Annie Greenley-Giudici

Aligning Privacy Strategy with Cybersecurity Strategy

Even the most secure networks can potentially be compromised in this highly connected world.

Legislators worldwide have introduced stricter privacy laws, knowing it’s more about ‘when’ than ‘if’ data security breaches will happen.

Cybersecurity analysts predict that by 2024, at least 75% of the world’s population will be covered under modern privacy regulations, putting more pressure on organizations to prove they have an effective cybersecurity strategy.

As the world’s most wide-reaching privacy legislation – and one of the toughest – the European Union’s General Data Protection Regulation (GDPR) has heightened consumer expectations on how data is handled.

With fines of up to €20 million, there’s additional pressure on your organization to stay one step ahead.

Your preventative measures need to become more sophisticated, with a multi-layered approach to cybersecurity and ongoing risk management.

Roles of the Chief Information Security Officer and Chief Privacy Officer

Many organizations that do not have a dedicated privacy team led by a chief privacy officer (CPO) put the responsibility for managing privacy and GDPR compliance under the watch of the chief information security officer (CISO).

In some organizations, the CPO and CISO roles are filled by the same person. However, while some of the responsibilities are connected, there are some important distinctions:

Chief information security officer – core focus on protecting the organization from information security threats to company-managed networks.

The CISO is responsible for managing the organization’s data governance and the security of its data-related infrastructure.

Chief privacy officer – core focus on protecting the privacy rights of individuals and external entities when their data is collected and stored on company-managed networks, as well as any transmission of that data.

The CPO manages the organization’s legal compliance with data privacy protection regulations such as the GDPR.

This responsibility includes managing data breach response plans to minimize data loss. Under the GDPR, organizations must report major breaches within 72 hours.

Are Cybersecurity and Privacy Controls the Same?

Before the GDPR and other privacy legislation came into effect, organizations’ data protection measures might have focused more on security than privacy – and it’s certainly possible to have strong data security without privacy.

But it’s not possible to have strong data privacy protections without strong cybersecurity.

Cybersecurity controls across the ISO-OSI model

Cybersecurity controls are applied in every layer of data communication managed by an organization, typically defined in the seven layers of the ISO-OSI model (the International Organization for Standardization model for Open Systems Interconnection):

  1. Physical
  2. Data link
  3. Network
  4. Transport
  5. Session
  6. Presentation
  7. Application.

Cybersecurity controls are designed to address threats to the security of data as it moves across a network (and any interfaces with devices) by performing the following functions:

  • Monitoring
  • Testing
  • Detecting
  • Analyzing
  • Correlating
  • Responding
  • Reviewing
  • Reinforcing
  • Defending.

Privacy controls and GDPR compliance

While cybersecurity controls are designed to identify and respond to potential threats to the security of data, privacy controls are firmly focused on protecting personally identifiable information (any data that can be traced back to an individual).

Under the GDPR, privacy controls must also address an individual’s right to informed choice, and consent to the collection of their personal data. It includes controls to support their choices about what personal data they permit organizations to collect and how that data is managed and shared.

The GDPR also includes rules about giving individuals the choice to consent to or block various kinds of data collected in cookies.

Privacy controls include cybersecurity tools to protect personally identifiable information, plus measures to manage the right to informed choice, including:

  • Minimization (collection, retention, distribution, manipulation, transfer)
  • Obfuscation (encryption, hashing, pseudonymization, anonymization)
  • Informed choice (basis for consent, cookies and tracking, cookie wall, legitimate interests)
  • Individual data rights (view, access, correct, limit, stop, erase, withdraw consent)
  • Privacy by design.

Protecting Data Privacy Under the GDPR

The GDPR gives individuals the right to know if an organization holds any data on them.

If an organization has collected their personal data, the GDPR gives people rights to view, access, correct, limit or stop processing that data, and ask that it be erased or returned.

The GDPR legal text includes nearly 100 references to expectations for organizations to protect the privacy of personal data with “appropriate technical and organizational measures”.

However, these measures are not precisely defined. When planning your organization’s cybersecurity and privacy controls, consider the following:

  • Although GDPR data privacy measures are undefined, are our organization’s privacy protections risk-aligned?
  • Are our privacy controls proportional to the privacy protection need and the investment?
  • Where data privacy controls are lacking, are the compensating controls applied sufficiently to the risk?
  • Personal data privacy protection measures can include technical devices, technical processes, staffing, structure, and procedures.

These measures need to address data privacy monitoring, testing, detecting, analyzing, correlating, responding, reviewing, reinforcing and defending; authorized use and behavior; and privacy controls.

Examples of “reasonable measures” to protect the privacy of personal data

Technical measures for privacy control

Reasonableness should apply to:

  • Defenses
  • Investment in infrastructure
  • Monitoring, testing and detecting private data
  • Developing protections and responses, including processes and procedures.

Organizational measures for privacy control

Reasonableness should also apply to:

  • Adequate staffing to manage privacy control
  • Authorization of access and use (dictating who has access to specific data, what they are authorized to do, whether it can be transported, and the protection required).

GDPR Compliance Plan: Seven Recommended Steps

Step 1: Perform an inventory.

To understand what private data your organization holds, you will need to map the networks, systems and tools used to manage data, and identify which records contain private data covered by the GDPR.

Then, you’ll need to create an inventory catalog that includes details about what data is contained in each location, its purpose, who in the organization ‘owns’ the data, who else has access, and what controls are in place to protect access and use (such as license agreements and contracts).

Step 2: Assess gaps in compliance with the GDPR and other data privacy laws.

Perform a gap analysis to find out how the organization’s business processes related to data address compliance with the GDPR and other laws. The information you collect during this analysis will help shape your data privacy risk mitigation plan.

Step 3: Map business processes and movement of data.

Under the GDPR, you need to maintain accurate and up-to-date records of how data is handled across the organization. This map will provide an audit trail identifying which data is personally identifiable information.

A data map also comes with records of when data was collected, where it was collected, how it was/is processed and analyzed, and the purpose for which the data is used.

Step 4: Risk-assess data and system assets.

Not all data is high risk. Your risk assessment needs to consider the risk level for each type of personal data record.

For example, high-risk categories include data on vulnerable populations, data containing financial information, and other sensitive information such as health records.

Other risks to assess include the adequacy of corresponding levels of protection available for low, medium and high-risk data.

Step 5: Evaluate contracts and disclosures.

Review all legally required agreements you have in place for how data is collected, managed and used, including disclosures such as privacy statements and terms of service.

Under the GDPR, individuals have the right to make informed choices about what private data is collected and how it is used.

Step 6: Review data owner choice, privacy rights and controls.

Evaluate the effectiveness of your communications and controls in place to ensure individuals can make informed choices about exercising their data privacy rights.

Under the GDPR, you must inform consumers about your intention to collect personal data and give them options for consenting to and controlling the collection of some (or all) data.

Consumers need to know what your organization plans to do with their data and how their data privacy rights will be protected.

They also need simple tools to exercise their rights, such as reversing consent, taking back their data and/or limiting how your organization uses it.

Step 7: Correct deficiencies in data privacy protection and GDPR compliance.

A thorough GDPR compliance assessment by an independent third party can help you identify and correct any gaps in your data protection processes, procedures and policies.

TrustArc GDPR Assessment

Get a GDPR Assessment that’s conducted by expert privacy consultants, with deep expertise in identifying gaps, assessing risks, and designing prioritized step-by-step implementation plans for GDPR compliance.

Our GDPR compliance experts are supported in their work by the powerful TrustArc Privacy Management Platform, which helps ensure the assessment is comprehensive, complete and accurate.

The fourth leg of ESG: a Privacy Framework (with Paolo Balboni) https://trustarc.com/resource/spp-s3-ep17/ Thu, 09 Jun 2022 19:45:00 +0000 https://trustarc.com/?post_type=resource&p=3130
Digital Security & Privacy: Two Sides of the Same Coin https://trustarc.com/resource/webinar-digital-security-privacy-two-sides-of-the-same-coin/ Tue, 24 May 2022 21:33:00 +0000 https://trustarc.com/?post_type=resource&p=3904
Webinar

Digital Security & Privacy: Two Sides of the Same Coin

Wendi Lozada-Smith Senior Privacy Consultant
Dr. K Royal Global Chief Privacy Officer, Crawford & Company
Martin Gomberg Senior Privacy Consultant

As technology progresses seamlessly into every corner of our daily life, digital security and data privacy are becoming inextricably entwined.

Maintaining security against outside parties’ unwanted attempts to access personal data and protecting privacy from those we don’t consent to share information with have become equally important.

Why are digital data security and privacy management becoming so crucial for companies? How can you keep your customers’ data safe?

Join our panel in this webinar as we explore data security and privacy risks and how your company can face them, hence increasing customer trust.

This on-demand webinar reviews:

  • Why digital security and data privacy are connected and equally important
  • How to reduce digital security and privacy risks while increasing customer trust
  • How to achieve impeccable digital data security and privacy management

Cybersecurity, Warfare, and Women (w Victoria Beckman) https://trustarc.com/resource/spp-s3-ep13/ Thu, 12 May 2022 19:30:00 +0000 https://trustarc.com/?post_type=resource&p=3126
The Growing Need for Cyber Resiliency (NOW) https://trustarc.com/resource/growing-need-cyber-resiliency/ Thu, 24 Mar 2022 15:48:00 +0000 https://trustarc.com/?post_type=resource&p=2682
Articles

The Growing Need for Cyber Resiliency (NOW)

Andy McMenamy

Both the public and private sectors around the world recognize information security is a valuable priority. As more people than ever are working from home and the world is witnessing Russia invade Ukraine, the need for operational cyber resiliency has increased.

McAfee Enterprise and FireEye released findings in Cybercrime in a Pandemic World: The Impact of COVID-19, revealing that 81% of global organizations experienced increased cyber threats during the pandemic.

79% of those organizations also suffered from downtime during a peak season.

Cyber threats to critical infrastructure can have devastating consequences. Power grids, pipelines, transportation, and healthcare, for example, need continuous activity to provide service to citizens.

Any disruption could end in significant financial loss and the loss of life.

Cyber Resiliency Advisories to Combat Russian Efforts

The Russian government is targeting the infrastructure of Ukraine and Western nations.

Recent publications show Russia is engaging in a cyber war with attempts to steal, disrupt, or otherwise influence elections, healthcare, aviation, and critical manufacturing (not an exhaustive list).

Russian state actors use many different tactics to gain access to targeted networks. Historically, spear-phishing, brute force/password spray attacks, and security vulnerability exploitation have been witnessed.

Lately, the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI have alerted that Russia is using destructive malware to render computer systems completely inoperable.

Some of Russia’s worst cyber operations have been attributed to its main intelligence agency, the GRU. These include attacks targeted at spreading disinformation, spying, and destroying cyber capabilities around the world.

In light of Russia’s recent invasion of Ukraine, agencies have been issuing cyber resiliency advisories to combat malicious cyber actors.

What is Cyber Resiliency?

According to NIST, it is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

From a risk management perspective, cyber resiliency is about measuring how robust your cyber defense systems are and taking measures to improve them.

CERTs are issued by various governing bodies as guidance to help improve your overall cyber resiliency (also known as your “posture”). Recently, CISA, the FBI, and NSA have given guidance to combat Russian state-sponsored cyber attacks.

Robust cyber resiliency includes regularly reviewed reporting processes and an updated cyber incident response plan and continuity plan.

Organizations should follow best practices for identity and access management. 

Effective cyber resiliency also requires you to implement protective controls and vulnerability and configuration management, and continuously monitor for new threats.

You might be asking yourself, how do I DO those things?

To effectively respond to a network intrusion, an organization should:

  • Build a cybersecurity culture from day one.
  • Have a plan detailing how to report potential cyber incidents and to whom they should be reported.
  • Assign key points of contact and address their individual roles and responsibilities.
  • Assign backup personnel for key points of contact in case someone is unavailable.
  • Conduct periodic testing of the plan.
  • Follow best practices, such as requiring multi-factor authentication and adopting a zero-trust security model.
  • Ensure assets are protected with antivirus/antimalware software and kept up-to-date with the latest security patches.

Cyber Incident Reporting for Critical Infrastructure Act

As of March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law under the Consolidated Appropriations Act 2022.

This act requires critical infrastructure organizations to report cyber incidents to CISA within 72 hours after the incident occurs.

Organizations will then need to keep CISA informed until the incident is closed, including the reporting of ransom payments within 24 hours.

While this new regulation is an effort to improve the nation’s cybersecurity, it’s likely the increasing threat from Russia was on Congress’ mind when passing this law.

Cyber resiliency isn’t just for government, infrastructure, and large enterprises. Any organization can be at risk of an attack. Cyber security and data privacy work together to ensure the safety of your information systems.

Don’t wait until it’s too late to have a privacy program and cyber resiliency plan in place.

When Kirk Nahra Speaks… we listen! https://trustarc.com/resource/spp-s3-ep7/ Tue, 22 Mar 2022 19:19:00 +0000 https://trustarc.com/?post_type=resource&p=3120
FISA, so hot right now (with Caroline Lynch) https://trustarc.com/resource/spp-s2-ep35/ Wed, 06 Oct 2021 18:33:00 +0000 https://trustarc.com/?post_type=resource&p=3103