How NIST, GDPR and Other Privacy Frameworks Can Help
What are some common privacy violations across industries?
Data privacy and industry are two concepts that seem to be intrinsically linked, but not always in a good way. Ever since the concept of digital privacy hit the headlines with the Snowden scandal back in 2014, revelations of privacy violations have continued unabated.
Organizations across the world are still getting to grips with what adhering to data privacy is all about. Unfortunately, this gap in understanding often results in major fines and loss of customer trust.
A recent example is the $5 billion fine issued by the Federal Trade Commission (FTC) to Facebook, in which the FTC stated: “Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers’ choices.”
In this blog article, we’ll talk about what a privacy violation is and give examples of privacy violations across industries. We will also provide guidance about how organizations can make sure that they don’t end up in the crosshairs of the FTC and similar bodies, e.g. by implementing privacy frameworks such as NIST or the GDPR.
Privacy violations come in all shapes and sizes. The following example can perhaps show how easy it is to misuse personal data.
Twitter recently came under fire after it was found to be misusing mobile phone numbers and email addresses that users had provided for two-factor authentication only. Instead of restricting them to that purpose, Twitter allowed these contact details to be matched against advertisers' lists to serve targeted marketing campaigns to individuals. Twitter said it was a mistake. Either way, the case demonstrates how important it is to have a clear view of what constitutes a privacy violation.
Of course, mistakes happen but we need to keep in mind that someone has to pay for mistakes, usually the consumer.
Privacy violations, when taken to their conclusion, become privacy harms. Many people ask whether a privacy violation needs to go as far as harming an individual before it matters. Ultimately, it is a matter of risk management, in which the probability of the violation becoming a harm has to be weighed. Many would argue that any violation should be deemed a high risk.
Related Post: Is Cybersecurity the Same as Data Privacy?
To create a picture of the scope of privacy violations that can, and do, become privacy harms, we have outlined three examples below.
Of course, there are many others…
Biometrics are becoming increasingly popular to verify and authenticate an individual. The biometric market growth demonstrates this popularity well, with a predicted global value of over $59 billion by 2025.
In a recent data breach affecting Suprema, over 1 million fingerprint records were exposed. If a password is exposed, you can change it; you can’t easily change a fingerprint.
Biometrics are given extra diligence in privacy-focused regulations like the General Data Protection Regulation (GDPR) for good reason.
Data minimization is good for both the service and the customer. The more data you collect, the more security and privacy measures you need to apply.
If you don't need a piece of data, it is good practice not to collect it. Many systems still collect data without thought or due diligence. Whilst regulations such as the California Consumer Privacy Act (CCPA) do not mandate data minimization, regulations like the GDPR do.
However, the practice of data minimization is all part of delivering services that are focused on creating good customer relations and trust.
Generally, poor security measures impact privacy.
Although privacy is not just about security, good security is the backbone of a privacy-respecting service. All too often, data breaches include the loss of passwords and other personal data simply because the data was not stored securely.
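The "not stored securely" point above is most often about passwords kept verbatim in a database. As an added illustration (not code from the original article), the snippet below contrasts a constructed plaintext-storage routine with a hardened one that uses a per-user random salt and a slow key-derivation function, so that a leaked table does not directly expose any user's password. The iteration count and the record format are assumptions for the example, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Insecure "before" (constructed for contrast): the password is stored as-is.
# A dump of this table reveals every password directly, and because people reuse
# passwords, the exposure spills over into unrelated services.
def store_plaintext(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = password


# --- Hardened "after": salted, iterated PBKDF2-HMAC-SHA256.
# Assumed setting; raise it as hardware allows so brute force stays expensive.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def store_hashed(users: Dict[str, str], username: str, password: str) -> None:
    users[username] = hash_password(password)


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def plaintext_exposed(users: Dict[str, str], username: str, password: str) -> bool:
    """Simulate a table dump: does the stored record contain the raw password?"""
    return password in users.get(username, "")


if __name__ == "__main__":
    weak: Dict[str, str] = {}
    strong: Dict[str, str] = {}
    store_plaintext(weak, "alice", "correct horse battery staple")
    store_hashed(strong, "alice", "correct horse battery staple")
    print("plaintext table leaks password:", plaintext_exposed(weak, "alice", "correct horse battery staple"))
    print("hashed table leaks password:   ", plaintext_exposed(strong, "alice", "correct horse battery staple"))
    print("login with right password:     ", verify_password(strong["alice"], "correct horse battery staple"))
    print("login with wrong password:     ", verify_password(strong["alice"], "Tr0ub4dor&3"))
```

The stored record carries its own algorithm and iteration count, so the parameters can be raised later and old records re-hashed at the user's next successful login without a flag day.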
Building a privacy-enhanced service (or implementing a “Privacy by Design” practice) is not easy. To help in this endeavor, several frameworks and regulations have been developed that offer guidelines and measures to prevent violations, including:
The NIST Privacy Framework is at the final consultation stage in readiness for publication. The Privacy Framework focuses on risk management of privacy across a service. It offers a tool that you can work from when developing data management within a system. The framework can be used with the existing NIST Cybersecurity Framework to help you navigate the implementation of good privacy measures.
Related Post: The NIST Privacy Framework: An Introduction
The EU’s General Data Protection Regulation (GDPR) is an evolution from earlier legislation to reflect the changing needs of consumers in an internet-centric world. It covers a number of data subject rights, including areas such as data access, data deletion, and data portability. Importantly, it mandates the use of Privacy by Design and Default when creating online services that process personal data.
Related Post: One Year After GDPR: Lessons Learned
The Information Technology Industry Council (ITI) is the voice of the technology sector. The ITI has developed a Framework to Advance Interoperable Rules (FAIR) on Privacy. The framework has an emphasis on the use of personal data in a responsible way and provides structures for user-centric control of data.
The framework is described as a “business model-neutral approach” and should be accessible by any business wishing to understand the areas that need to be addressed when creating privacy enhanced services.
Data privacy is now (or should be) firmly part of our business culture. The services that we provide to our customers and clients should have privacy woven in as a default condition. Attention to privacy is win-win. It is good for business as it helps to create an environment of trust which, in turn, builds better relationships, and it is a win for customers in a climate where data breaches are common.
Privacy does not need to be something businesses fear. Instead, attention to privacy can be a true add-value for any organization that embraces the ethos.
However, building services to a Privacy by Design remit while ensuring that regulations are adhered to requires a specialist skillset. This is where frameworks and strategic privacy practices can really help: they offer guidance on the areas you need to cover to meet privacy expectations. Specialist firms that offer privacy services can ensure that your systems meet those privacy remits whilst aligning with your business goals.