At the end of September, representatives of the largest technology companies appeared before the Senate Committee on Commerce, Science and Transportation. At about the same time, Facebook announced that a massive data breach had affected nearly 50 million users. This strange coincidence of the moment illustrates the perilous nature of data protection right now.
Due to data breaches on Facebook and countless other large corporations, consumers rightfully distrust the amount of their personal data currently tracked and stored. After the Cambridge Analytica scandal, these fears were exacerbated as it became clear that personal data was used far more than for targeted advertising. Consumers are starting to prioritize and demand better protections, but until recently, big techs controlled the conversation.
The above-mentioned Senate hearing was only the last time companies such as Google and Microsoft had to appear before Congress. Until now, lawmakers have adopted a non-interventionist approach to data protection, but this position is evolving rapidly. As life has evolved more and more online, privacy and data protection issues have become essential to the public good. Congress begins to treat them as such.
In addition, Apple pronounced in favor of the federal data regulation. The company wants to give users the right to control what information is stored, with whom it is shared and why. Considering that consumers, Congress, and now the big techs are all in favor of tighter protections, companies need to start preparing for a cybersecurity and regulatory future that looks radically different from the one in the world. ; aujourd & # 39; hui. Fortunately, an example already exists.
On the trail of the EU
The General Data Protection Regulation entered into force throughout the European Union last spring and represents the first major push for data legislation. The GDPR allows each member country to develop its own data protection rules, but they share the same objectives: to give users a transparent control over their own data.
The rules of the RPGD apply to any company that has consumers or who does business in Europe, which means that a large number of US companies are obliged to comply with it. Some companies are even considering voluntarily adopting these rules – at least in part – to prepare for the imminence of data regulations that are likely to enter America.
California recently passed AB 375, California's Consumer Protection Act of 2018, which gives consumers greater control over their data. Other state regulations (as well as federal laws) are also likely to surface, suggesting that compliance will be a complex problem for any company, regardless of its footprint.
This will also have consequences. The RGPD and other existing rules provide for fines depending on the extent and gravity of the violation. Companies are penalized for each trade-off, which means that large-scale violations can cost millions or even billions of dollars.
There is no clear timetable for the application of national regulations in the United States or what form they will take. It is clear, however, that companies that choose to prepare will now be ahead of their competitors in improving their cybersecurity.
Preparing for an uncertain future
Companies do not wait for new laws before they can start planning compliance. Nor do they need to recruit an army of lawyers. Instead, follow these strategies to prepare for everything that happens locally, regionally, nationally or internationally:
1. Follow the fundamentals. Rather than trying to align your policies with future regulations, commit to fundamental principles such as consent, anonymization, and encryption. Making these your permanent priorities will most likely keep you on the right side of the law.
2. Make your culture evolve. New rules may be imminent and preparation takes time. In addition to new policies and protections, businesses will need to cultivate an up-to-date culture that respects data and privileges confidentiality. These significant changes will not happen quickly or easily, which is why companies should start sooner rather than later.
3. Treat all data as equal. Stop thinking that data is valuable / valuable or secure / insecure. The GDPR and other rules treat all data breaches in the same way, regardless of the type of data compromised. This means that rather than securing some information channels and databases, companies will need to adopt broader approaches to data classification.
4. Practice good governance. A systematic approach is important to prevent violations, but it is equally important after a violation. Data rules usually require companies to disclose a violation in the days that follow. The only way to prepare for the technical, logistical and reputational impacts in such a short time is to put in place policies and plans.
5. Look for opportunities. Compliance is an obligation and an opportunity. Companies that strive to preserve data security tend to build trust with their customers. Treating data protection as an investment rather than a burden facilitates compliance and maintenance of compliance.
We quickly come to a critical point when lax data security is unacceptable to everyone. Now that almost all stakeholders are involved, a radical change is likely. Anyone with data at stake should read what is written on the wall and make data protection their next big thing.