Data privacy week: a collective responsibility 

• Data Privacy Week calls for everyone to take control of their data.
  
• Employees can contribute towards data privacy by following some best practices.
• AI will have a strong role to play in data management.
  

The theme for this year’s Data Privacy Week is Take Control of Your Data. Throughout the week, the National Cybersecurity Alliance (NCA) in the US will emphasize the critical significance of digital privacy for both consumers and businesses through a series of educational webinars featuring experts from various industries.

The week builds on the success of Data Privacy Day, which began in the United States and Canada in January 2008 as an extension of Data Protection Day in Europe. Data Protection Day commemorates the January 28, 1981 signing of Convention 108 – the first legally binding international treaty dealing with privacy and data protection.

“Knowing how to safeguard your personal information has never been more important than it is today. Between social media, mobile apps, internet-connected devices and the rise of artificial intelligence, vast amounts of personal data are being gathered constantly, putting individuals’ privacy at risk,” said Lisa Plaggemier, executive director at NCA.

“As innovation continues to outpace regulation, individuals and businesses alike need to make concerted efforts to educate themselves and take a proactive role in preserving the privacy of sensitive data. Through Data Privacy Week we hope to inspire better data stewardship and empower people to reclaim control of their digital footprints, balancing innovation with privacy.”

Today, there is no denying that data privacy is a crucial issue for both individuals and organizations in the digital age. While many feel that businesses should be responsible for their company data, be it their customers or employees, everyone actually has a role to play in ensuring data is not compromised.

As such, this year’s theme calls on everyone to be in control of their data. After all, employees are often considered the weakest link in cybersecurity for any organization. Most data breaches also occur because of employees who were careless in managing their credentials.

Achieving data control

For employees, there are several ways they can achieve data control. But more importantly, it is also their responsibility to ensure their business and customer data is not compromised. Employees can contribute towards data privacy by following some best practices, such as:

• Educating themselves on the importance of protecting personal and sensitive information, and the potential risks associated with online activities.
• Securing their devices with strong passwords, encryption, antivirus software, and firewalls.
• Implementing two-factor authentication (2FA) for accessing online accounts and services.
• Being wary of phishing attempts and other malicious emails that may try to steal their credentials or data.
• Minding their digital footprint and limiting the amount of personal information they share on social media and other platforms.
• Respecting the privacy rights of others and only accessing or using data they are authorized to.
• Following the security policies and guidelines established by their organization, and reporting any privacy concerns or incidents to the appropriate person or team.
• Participating in regular training sessions, simulated phishing exercises, and privacy assessments to enhance their awareness and skills.
• Rewarding and recognizing security-conscious behavior among their peers, and creating a culture of compliance and trust.

These are some of the ways that employees can own online privacy and help their organization safeguard data and maintain trust. But then again, ensuring this still remains a major problem for businesses. For example, insider threats are often caused by unhappy employees or those who are willing to compromise company data.

“The continual evolution of regulations and frameworks, coupled with the increasing value of data and widespread integration of data-driven technologies, necessitates a proactive stance towards identity security. We urge organizations to prioritize robust identity security controls and hygiene practices. Enhancing employee training, using automation, and adopting zero trust solutions are essential to this proactive approach. By doing so, they can mitigate risks, protect customer trust, and thrive in a world where data is the new currency,” commented Lim Teck Wee, area vice president for ASEAN at CyberArk.

Employers can ensure employees adhere to data privacy guidelines by implementing some of the following strategies:

• Establish clear expectations and policies for data protection and compliance, and communicate them to all employees.
• Provide training and development opportunities for employees to enhance their awareness and skills on data privacy best practices.
• Reinforce data privacy compliance consistently and lead by example, by rewarding and recognizing security-conscious behavior and addressing any violations or incidents promptly.
• Maintain open communication and transparency with employees about the purpose and scope of data collection and processing, and respect their privacy rights.
• Provide adequate resources and tools for employees to secure their devices, accounts, and data, such as encryption, antivirus software, firewalls, and two-factor authentication.
• Develop a strategy towards monitoring that puts employee privacy first, and keeps tracking to the minimum amount needed to meet the intended purpose.
• Consider creating an employee privacy policy (or a privacy notice) to inform your employees about your monitoring strategy and how you handle their personal data.
• Update and review privacy policies and practices regularly to ensure they are aligned with the latest laws and regulations.

These are some of the ways that employers can foster a culture of compliance and trust among their employees and protect their data privacy.

Data Privacy Week: employee governance and compliance

According to Ajay Bhatia, global VP & GM of data compliance and governance at Veritas Technologies, businesses need to first realize that data privacy isn’t something that can be achieved in a single day.

“Data privacy is a continual process that requires vigilance 24/7/365. Top of mind this year is the impact AI is having on data privacy. AI-powered data management can help improve data privacy and associated regulatory compliance, yet bad actors are using generative AI to create more sophisticated attacks. Generative AI is also making employees more efficient, but it needs guardrails to help prevent accidentally leaking sensitive information. Considering these and other developments, data privacy in 2024 is more important than ever.”

When it comes to compliance, Bhatia stated that new laws putting guardrails on using personal data in the large language models (LLMs) behind generative AI tools are gaining steam, making data compliance more complex. For example, the California Privacy Protection Agency is already working to update the California Consumer Privacy Act (CCPA) to address generative AI and privacy, including opt-out implications. Bhatia believes this type of legislation, like most other privacy regulations, will differ across continental, country and state borders, making the already complex regulatory environment even harder to navigate without help.

“Whether to implement generative AI isn’t really a question. The value it provides employees to streamline their jobs means it’s almost a foregone conclusion. But that must be balanced with the risks generative AI could pose when proprietary or other potentially sensitive information is fed into these systems.

To ensure they remain compliant with data privacy standards, whether or not regulatory bodies enact AI-specific rules, IT leaders need to provide guardrails to employees that will limit the likelihood that they accidentally expose something they shouldn’t,” explained Bhatia.

At the same time, Bhatia also pointed out that AI is making the cyberthreat landscape more dangerous. Cybercriminals are already using AI to improve their ransomware capabilities and launch more sophisticated attacks that threaten data privacy. There’s always been a technological war between defenders and attackers, but now that war is moving into AI-assisted cyber-combat.

“It’s only going to get harder to defend against these threats without AI-powered resilience that counteracts the evolving landscape of AI-powered attacks,” he concluded.

---

---

---

---