Saturday, January 28th is Data Privacy Day. In my last article, I explained what Data Privacy Day is, why privacy is important, and the threats to privacy. In this article, I will focus on the things that each of us as individuals can do to safeguard our privacy, and the things that organizations should do to ensure compliance with privacy laws as well as best privacy practices to be a good corporate citizen.
As individuals, there are many things about privacy that are out of our control, and sometimes it may seem as if there is nothing that we can do. Some people believe that privacy in the Internet era is a myth, and that we have entered the era of George Orwell’s Big Brother. However, while technology may have significantly impacted privacy, there are still several things that each of us can do to safeguard our privacy:
· Understand what privacy is, and the types of information that should be safeguarded to ensure our privacy.
· Understand how you share private information and with whom you are sharing it.
· Ensure you implement good security practices, especially in regard to passwords and cyber hygiene. One of the biggest things you can do to protect your privacy is to ensure the confidentiality of your private data through good password practices: do not reuse passwords, do not share passwords, use only strong passwords, and employ multi-factor authentication whenever possible. Good cyber hygiene is also important for protecting private information, so patch your systems, don’t use untrusted computers, and don’t connect to untrusted networks.
· Understand the privacy settings and security configurations for the services and technologies that you use. Follow the security recommendations provided by the service/product, and revisit the configurations regularly to ensure they are still in alignment with best practices. For example, have you reviewed the guidelines that Facebook provides about privacy, and have you run the Facebook “Privacy Checkup”? Do you know that by default, your mobile phone embeds the time and GPS location in the metadata (EXIF) of every photograph it takes, so that anyone you share the file with can tell exactly where you were at a specific time? Some photo-sharing services strip this metadata on upload, but a photo sent directly (by email, messaging, or a file share) usually keeps it. You can disable the inclusion of geolocation data in the metadata, but you must alter the device’s configuration to do so.
· Don’t forget about the potential impact to privacy from Internet of Things (IoT) devices. Health monitors, connected scales, networked cameras, home automation devices, and thermostats are all examples of IoT devices that could potentially impact your privacy.
· Learn more about privacy, the threats to your privacy, and the efforts in progress to ensure awareness and legislation to protect it. There are numerous ways in which individuals can learn more about privacy. Here are a few places to start:
o Epic.org – Electronic Privacy Information Center
o I’d also highly recommend a book written by Bruce Schneier, a well-known expert in cryptography and security: “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World”
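The photo-metadata point above is easy to verify for yourself. The following is an added example, not part of the original article: a stdlib-only Python script that walks a JPEG’s marker segments, reads the GPS IFD out of the Exif (APP1) segment to recover decimal latitude and longitude, and then rewrites the file without the Exif segment. The sample JPEG is constructed inline (a skeleton with a fabricated set of coordinates and no real image data) so the script runs offline; on a real photo, pass the file’s bytes to `extract_gps` and `strip_exif` instead.

```python
"""Find and strip GPS coordinates from JPEG Exif metadata (stdlib only)."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # IFD0 tag pointing at the GPS sub-IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types


def split_jpeg(jpeg):
    """Return ([(marker, payload), ...] for header segments, remainder from SOS onward)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, segments = 2, []
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                 # SOS: entropy-coded scan follows, stop walking
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length includes itself
        segments.append((marker, jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _read_ifd(tiff, offset, e):
    """Yield (tag, type, count, 4-byte value field) for every entry of the IFD at offset."""
    n = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        yield tag, typ, count, tiff[base + 8:base + 12]


def _value_bytes(tiff, typ, count, field, e):
    """Values of 4 bytes or less sit in the field itself; larger ones live at the offset it holds."""
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return field[:size]
    off = struct.unpack(e + "I", field)[0]
    return tiff[off:off + size]


def _dms_to_degrees(raw, e):
    """Three RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    parts = struct.unpack(e + "6I", raw)
    d, m, s = (parts[i] / parts[i + 1] for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if the file has no GPS data."""
    for marker, payload in split_jpeg(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        e = "<" if tiff[:2] == b"II" else ">"           # byte order of the TIFF structure
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        gps_off = None
        for tag, typ, count, field in _read_ifd(tiff, ifd0, e):
            if tag == TAG_GPS_IFD:
                gps_off = struct.unpack(e + "I", field)[0]
        if gps_off is None:
            return None
        gps = {}
        for tag, typ, count, field in _read_ifd(tiff, gps_off, e):
            if tag in GPS_TAGS:
                gps[GPS_TAGS[tag]] = _value_bytes(tiff, typ, count, field, e)
        if not all(k in gps for k in ("lat", "lon", "lat_ref", "lon_ref")):
            return None
        lat = _dms_to_degrees(gps["lat"], e)
        lon = _dms_to_degrees(gps["lon"], e)
        if gps["lat_ref"].startswith(b"S"):
            lat = -lat
        if gps["lon_ref"].startswith(b"W"):
            lon = -lon
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(jpeg):
    """Rebuild the JPEG without any Exif APP1 segment; the scan data is copied untouched."""
    segments, rest = split_jpeg(jpeg)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            continue
        out += struct.pack(">BBH", 0xFF, marker, len(payload) + 2) + payload
    return bytes(out) + rest


# --- constructed sample input (not a real photo): skeleton JPEG with a GPS IFD ---------
def _entry(tag, typ, count, field4):
    return struct.pack("<HHI", tag, typ, count) + field4


def _dms(deg, minutes, sec_hundredths):
    return struct.pack("<6I", deg, 1, minutes, 1, sec_hundredths, 100)


def build_sample_jpeg():
    """Little-endian Exif carrying the fabricated position 37°46'29.74\"N 122°25'9.60\"W."""
    ifd0 = struct.pack("<H", 1) + _entry(TAG_GPS_IFD, 4, 1, struct.pack("<I", 26)) + b"\0\0\0\0"
    gps = (struct.pack("<H", 4)
           + _entry(1, 2, 2, b"N\0\0\0")                  # GPSLatitudeRef, inline ASCII
           + _entry(2, 5, 3, struct.pack("<I", 80))        # GPSLatitude, 3 RATIONALs at offset 80
           + _entry(3, 2, 2, b"W\0\0\0")                  # GPSLongitudeRef
           + _entry(4, 5, 3, struct.pack("<I", 104))       # GPSLongitude at offset 104
           + b"\0\0\0\0")
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + _dms(37, 46, 2974) + _dms(122, 25, 960)
    app1 = EXIF_HEADER + tiff
    dqt = bytes(65)                                         # placeholder quantisation table
    return (b"\xff\xd8"
            + struct.pack(">BBH", 0xFF, 0xE1, len(app1) + 2) + app1
            + struct.pack(">BBH", 0xFF, 0xDB, len(dqt) + 2) + dqt
            + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34" + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", extract_gps(sample))     # (37.774928, -122.419333)
    print("after: ", extract_gps(strip_exif(sample)))   # None
```

Stripping the whole APP1 segment also discards the camera model, timestamp, and any embedded thumbnail, which is the conservative choice before sharing a file; if you need to keep the rest of the Exif, rewrite IFD0 without the 0x8825 entry instead. Note that the metadata walk stops at the SOS marker, so the actual image bytes are never touched.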
Organizations have responsibilities to ensure compliance with privacy laws and should strive to be model corporate citizens in regard to safeguarding privacy. These are challenging and difficult tasks, especially given the dynamic nature of the regulatory landscape, the global nature of business today, and the significant changes brought about through technological advances. However, there are some high-level things that organizations can focus on:
· Does the organization have a policy in regard to privacy?
Organizations should have written policies that cover the privacy of both employees and customers.
· Does the organization have executive ownership of privacy concerns?
Not every organization is large enough to have a Chief Privacy Officer; however, every organization should have an executive who is responsible for privacy, even if it is a secondary duty. Privacy, like security, is now a board-level issue.
· Has the organization sought advice and guidance in regard to privacy obligations from legal counsel?
There have been significant changes over the past few years in regard to privacy. For example, the Safe Harbor program has been replaced by the Privacy Shield program to ensure companies protect the privacy of EU citizens when that data is transferred to the US.
· Has the organization included privacy obligations as part of the incident response process?
Many jurisdictions now have legal requirements for disclosure, notification, and remediation in the event of a data breach or other security event impacting privacy.
Organizations can learn more about privacy through organizations like the International Association of Privacy Professionals (IAPP).
Take some time to think about privacy, and the things you can do to safeguard your privacy.