Happy Data Privacy Day! Created by the Council of Europe in 2006, Data Protection Day is celebrated every year to promote data protection best practices and raise awareness of the importance of data privacy. Globally, it is recognized as Data Privacy Day.
For businesses, data is a valuable asset, and it is therefore vital to protect it to ensure business continuity and regulatory compliance. In the spirit of data privacy and all things data protection, we share with you some useful tips for keeping your business data safe and secure this year.
Ensuring Compliance in Artificial Intelligence (AI)
Nearly all AI-based products and services rely on the collection of large amounts of data, including personal data, to understand user behaviour and make intelligent decisions. Data is therefore vital in powering AI, but it also poses new challenges for data privacy. In December 2018, an Amazon customer in Germany was mistakenly sent about 1,700 audio files from someone else’s Amazon Echo device – a mistake attributed to human error. In July last year, it was reported that Amazon responded to a letter sent by a US Senator confirming that it maintained Alexa recordings indefinitely (unless a user manually comes in and deletes them).
Incidents such as these highlight the importance of data protection and of ensuring compliance in AI.
Legislation in Europe and the US is picking up momentum with the European Commission looking to implement an “appropriate” ethical and legal framework for the development of AI aimed at boosting innovation while making individuals’ rights a priority.
A piloting phase which ran until December 2019 was based on draft Ethics guidelines describing trustworthy AI as:
- lawful – respecting all applicable laws and regulations
- ethical – respecting ethical principles and values
- robust – both from a technical perspective and taking into account its social environment
The General Data Protection Regulation (GDPR) includes ‘privacy by design’, encouraging businesses to develop products with built-in privacy standards from the start. This will certainly hold for AI-driven technology and products which will need to factor in privacy and consent.
Recognizing GDPR as an Opportunity
Speaking of the GDPR, it has been over a year and a half since the regulation came into force and it continues to drive the way businesses collect and use customer data. More customers are also becoming wary about how their personal data is collected and used for business purposes.
For businesses, GDPR is no longer just about compliance; there is also a tremendous business opportunity in a data-driven economy. In a world brimming with data, businesses can stand out by leveraging GDPR best practice to maintain up-to-date data lists and boost their reputation as a responsible, reliable partner committed to deepening digital trust with their customer base.
Remember to:
- Audit your data periodically – Ensure that your customer data is up-to-date and your customers are engaged with your business.
- Implement a strict retention policy – If you are holding data on customers who haven’t engaged with you in a while, maybe it’s time to review if you need that data. You can erase or anonymize the data you no longer need.
- Aim for ‘privacy by design’ – Make sure you have performed a Data Protection Impact Assessment (DPIA) to identify and reduce the data protection risks your business could face and allow members of staff to fix any problems before a breach occurs.
- Review your privacy policy – Ensure that your privacy policy clearly states your business identity, how long you intend to use your customer data, your legal basis for processing data, any data retention periods, and your customers’ right to complain to the ICO.
Evaluating Your Password Policy
A 2019 survey by the National Cyber Security Centre (NCSC) found that “12345” and “password” remain amongst the top five most common passwords found in global breaches. Liverpool was the most common Premier League football team used in passwords, with Superman the most popular fictional character.
Making good password choices is vital for protecting individual and professional business data. For businesses, this means continually reviewing and enforcing a robust password policy.
Key ingredients of a comprehensive password policy:
- Reset Password – Passwords must be reset every set number of days to ensure users are changing passwords periodically.
- Password history – Discourage users from recycling the same password by remembering a minimum of 10 previous passwords.
- Maximum password age – Determine how long users can keep their password before they have to change it, forcing users to change their passwords regularly.
- Password complexity – Rules to ensure users aren’t using their first or last name as a password, and that passwords use a mix of character types such as lower case, upper case, numbers, and symbols.
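The four ingredients above as a password-change check, written in Python as an added example (not code from the post or from DeltaNet); the 90-day maximum age, the 12-character minimum, the PBKDF2 round count and the per-user salt are assumed values, and the history list stores salted hashes rather than plaintext.

```python
import hashlib
import hmac
import re
from datetime import date

# Policy parameters from the list above. The post gives no concrete maximum
# age or minimum length, so 90 days and 12 characters are assumed values.
MAX_AGE_DAYS = 90
HISTORY_SIZE = 10
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Salted PBKDF2 hash so the password history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_issues(password, first_name, last_name):
    """Complexity rule: no first/last name, all four character types, min length."""
    issues = []
    for name in (first_name, last_name):
        if name and name.lower() in password.lower():
            issues.append(f"contains the user's name '{name}'")
    classes = {"lower case": r"[a-z]", "upper case": r"[A-Z]",
               "numbers": r"[0-9]", "symbols": r"[^A-Za-z0-9]"}
    missing = [label for label, rx in classes.items() if not re.search(rx, password)]
    if missing:
        issues.append("missing character types: " + ", ".join(missing))
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    return issues


def history_issue(password, salt, previous_hashes):
    """Password history rule: reject any of the last HISTORY_SIZE hashes."""
    candidate = hash_password(password, salt)
    if any(hmac.compare_digest(candidate, h) for h in previous_hashes[-HISTORY_SIZE:]):
        return [f"matches one of the last {HISTORY_SIZE} passwords"]
    return []


def password_expired(last_changed, today):
    """Maximum password age rule: True when a reset must be forced."""
    return (today - last_changed).days > MAX_AGE_DAYS


def evaluate_change(new_password, first_name, last_name, salt, previous_hashes):
    """All reasons a new password would be rejected (empty list = accepted)."""
    return (complexity_issues(new_password, first_name, last_name)
            + history_issue(new_password, salt, previous_hashes))
```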
Staying Safe Online
Social engineering continues to pose one of the biggest security risks to businesses. Cybercriminals often target employees using deception with the intent of gaining confidential information for fraudulent purposes. These techniques include phishing and baiting and could also include links to fake website pages, emails from doctored addresses, or communications that appear to come from government or official sources.
Social engineering also relies on manipulation in the digital world, profiling, and the misuse of personal information.
Steps to take to protect your business from social engineering:
- Regularly update your company antivirus software.
- Secure your business network with a robust firewall.
- Make sure employees are wary of responding to emails from unknown senders, especially those containing links or attachments.
- Train employees to recognize doctored email addresses from fraudulent sources.
- Make sure employees never give out financial or sensitive information over the phone or electronically without encryption.
Mitigating the Risks of Human Error
A report by Kaspersky Lab revealed that about 90% of data breaches are caused by human error.
Many businesses suffer data breaches because their employees inadvertently created an entry point to their systems, whether by opening unsafe email attachments, clicking on suspicious website links, or downloading unsafe files.
Cybercriminals count on human flaws to circumvent the most robust security software. It all comes down to a lack of awareness which can put your employees at risk of making errors in judgment, resulting in data and security breaches, company downtime, or financial loss.
Invest in Awareness Training
Investing in a thorough employee training program is a vital ingredient in any organization’s data protection policy. Raising awareness ensures that employees understand the regulatory obligations for businesses and understand the implications of non-compliance. Realizing the value of sensitive information if breached can also help employees to act with caution and make the right decisions to keep business data safe and protected.
Make sure your employee training program includes a comprehensive overview of key topics such as data protection, GDPR, and information security. We also recommend keeping employees up to date with microlearning courses for refreshing and reinforcing key learning messages over time.
How Can We Help?
At DeltaNet International, we are firm believers in leveraging the power of awareness training to reduce the impact of human error. Without raising awareness, you may be putting your business at risk of non-compliance with data protection and privacy laws. Don’t get caught out by the regulators; invest in awareness training for your staff. Find out how we can help with our range of Data Protection Online Training.