There is little doubt that, over the last few years, people have taken a greater interest in who has access to their data, and how it’s used. Despite the fact that data breaches are happening with disturbing regularity, they still make headline news.
The existence of legislative measures such as GDPR in the EU and the actions of agencies such as the SEC in the USA mean that the fines imposed on the organizations that allow breaches to happen also make the news.
But there is more that can be done, and initiatives such as Data Privacy Week are important in raising consumer awareness around data privacy. That means awareness not just of the measures that consumers can take, but of the very definition of data privacy, and how it’s different from data security.
That’s an important priority, because all too often, the two terms are used interchangeably. And while they are interlinked, it’s critical to understand the difference. Simply put, security is all about putting walls around your data and protecting it. Privacy is controlling who can then access your data within those walls.
Addressing the challenges
As digitalization increases across the globe, and individuals place more importance on both of these tenets, it raises challenges for businesses, not least of which is the apparent dichotomy presented by the situation. Consumers expect the very highest levels of security and governance around their data; but they also demand more control over their personal information.
This goes beyond simply setting and controlling access levels. It’s vital that businesses understand not only what personal data they are holding, but also the value of it. For their customers, that value will be very high, given that it represents their digital identities – something that is reflected in the severity of the fines levied against organizations that allow data breaches to take place.
But cookies are also used for tracking purposes, often by the same businesses. That blurs the lines.
The cost of getting it wrong
What happens when data privacy goes awry? A business in this position could find itself in a very difficult situation indeed. Businesses in Europe have been hit with astonishingly high fines for GDPR violations, including a record-breaking single fine of over $880 million in 2021.
It’s a trend that’s set to grow globally and, in fact, it’s already doing so. In the US, the SEC is cracking down heavily on organizations that allow data breaches, in the form of seven-figure fines.
The extent of the fines imposed reflects the seriousness of the problem. Every single case of Account Takeover Fraud (ATO) that follows a data breach weighs heavily on both the customer and the business. ATO is a very unpleasant situation for any customer, and often one that’s far from easy to resolve. Doing so takes up time and resources for both the customer and the business.
For the business, that’s expensive. And of course, the money aspect is only one part of the problem. Digital trust is a critical factor for any business looking to attract and retain customers. It’s hard won, and easily lost. And there are few things that can damage an organization’s reputation and credibility as much as a data breach or a highly publicized case of data privacy violation.
Changing the viewpoint
Those caveats should be reason enough for any business to get its house in order. But there is limited mileage in adopting a purely reactive stance. What’s really needed is a proactive approach – a mindset shift in the perceptions around customer data.
It’s easy to view privacy as a necessary inconvenience, a regulation to abide by, but the danger here is that the understanding of privacy can tail off at the point of data collection. Businesses need to take the critical step of holding themselves accountable for the protection of ever-increasing amounts of personal data they store for their customers.
Privacy under the microscope
There is no doubt that Data Privacy Week puts data privacy firmly in the spotlight. But it’s more than an annual time of reflection; consumer interest in data privacy is not going to fade.
One of the first questions that any customer asks after a case of ATO is ‘How did they get my data?’ And it’s a valid question. All too often, the subsequent investigations find that data breaches were avoidable.
So for businesses, the pressure is increasing to ensure that they get data privacy right the first time, and every time. For many, that is going to entail fundamentally altering their current privacy strategies and baking them into all their products and services.
And it’s important to remember that this has to happen alongside maintaining robust data security; once again, this is not an either/or situation.
It’s not without its challenges, but the payoffs are clear. As well as closing off attack vectors for ATO, it also firms up an organization’s defense against a huge range of malicious activity, from SIM swaps to scams.
And for any business, it’s the building block of that elusive digital trust that will ensure consumers feel confident using their products and services.