October 24, 2020
Data Privacy and Data Security: GDPR and CCPA compliance and beyond
by Anastasiya Parkhomenko | 6 min read
Aside from employees, data is the fundamental asset in most successful organisations today. But the opportunities stemming from making data-driven decisions come at a cost: the responsibility to keep employees’, customers’ and partners’ data protected and secure.
With GDPR (General Data Protection Regulation) more than two years old and CCPA (California Consumer Privacy Act) now in effect, it’s now more important than ever for organisations to understand the difference between data privacy and data security, how they work and what they mean in the context of daily business operations.
Data privacy is the aspect of data security that deals with how a piece of information, or data, is handled in an organisation. It addresses the ways of collecting, disseminating and using data, as well as maintaining compliance.
Data security relates to controlling access to data and protecting it from unauthorised parties through different forms of authentication, key management and anonymisation methods such as encryption, tokenisation, blurring, etc.
In recent years it has become evident that user trust and data security go hand in hand with long-term success. Gartner warns that, in addition to increasing regulatory legislation, consumers are beginning to evaluate and select organisations based on these policies. It also expects companies that are digitally trustworthy to generate 20% more online profit than those that aren’t.
Without proper measures in place for data security, a variety of negative, yet avoidable, scenarios may occur, including data breaches and violations of regulatory compliance.
In today’s hyper-connected world, data breaches continuously dominate headlines. A data breach is one of the greatest concerns for an organisation, with the average cost estimated at $3.92 million, a 12% rise over the last five years, according to the 2019 Cost of a Data Breach Report from IBM Security and the Ponemon Institute. This figure combines direct and indirect costs: reputational damage, legal ramifications, the cost of containing the breach, compensation for affected customers, reduced share value and increased security spending. Due to the highly sensitive nature of their data, the health and financial sectors unsurprisingly bear the largest costs per breached record: up to $429 in healthcare and $210 in finance.
One of the biggest data breaches of the 21st century happened to the Marriott hotel chain, when the data of 500 million customers were stolen, including passport numbers and some credit card details. Although the breach initially occurred in 2014, the attackers remained in the system and were not discovered until September 2018.
Another well-known data breach occurred in late 2016, when attackers obtained the details of 57 million Uber app users, as well as the driver’s license numbers of more than half a million drivers. The weak point was Uber’s GitHub account, where the attackers found the credentials to Uber’s Amazon Web Services account. After Uber finally went public with the breach a year later, its valuation had dropped from $68 billion to $48 billion by the end of 2017.
Big companies are not the only ones with reason to be concerned about data security: the majority of cyberattacks happen to small and midsize businesses. Smaller businesses also face disproportionately larger costs relative to larger organisations. Furthermore, the joint Vistage and Cisco report states that 60% of SMBs close within six months of a cyber attack.
In order to reduce the risk of data breach, organisations should establish solid DataOps practices to automate data anonymisation, prevent unauthorised use and continuously track data assets.
With the introduction of GDPR and similar legislation all over the world, companies often need to rely on external advice or hire compliance experts, which makes regulatory compliance a cost in itself. In the US alone there are 52 different state privacy laws, making it difficult to find people with expertise in each of them. Yet, without putting effort into keeping employee or customer data private, businesses may face extensive fines and customer churn.
For example, just a year after the aforementioned 2018 data breach, the Marriott hotel chain fell short of GDPR compliance and was issued a $124 million fine by the UK’s data protection authority. A similar fine was issued to British Airways the same week.
In January 2019, Google was fined $57 million for not properly adjusting its data collection policies to the new GDPR regulations. While the fine may seem “immaterial” for a giant like Google, it shows that even the biggest companies are still struggling to incorporate the right security and compliance measures within their business ecosystems.
With the EU’s GDPR now in place, businesses need to protect the “personal data and privacy of EU citizens for transactions that occur within the EU”. Under GDPR, companies need to apply the same level of data security both to stored personally identifiable information, such as fiscal codes, and to cookies. Even though the GDPR is an EU regulation, it also applies to anyone that deals with the EU.
The CCPA took effect in January 2020 and gives California residents the right to determine how their data are stored and shared, as well as to know when and to whom their data are being sold, with the possibility to opt out. Even though this might seem similar to GDPR, there is a significant difference concerning how the EU and US look at identification information.
To recall, data security focuses on the technology and tools required to keep cybercriminals from gaining unauthorised access to corporate data such as ID numbers, credit cards, account credentials, etc. Data privacy means complying with local and international laws to ensure that the information, and the processes behind collecting and using it, are law-abiding.
Both are incredibly important, and they involve not only the IT or legal departments: the entire organisation should strive to create an ethical data-driven culture by raising data handling standards and letting consumers decide the limits of how their data are used.