Imagine you place an order for food delivery and shortly after it arrives you receive a text message. The delivery driver is asking you out on a date. This experience is a reality for 33% of surveyed adults (aged 18-34) living in London. Views on the appropriateness of this behavior vary according to the age and sex of the respondents, but the law is clear: it is illegal. As such, it presents a data-related business risk that many organizations may not realize.
Emily Keaney, the Deputy Commissioner of Regulatory Policy at the Information Commissioner’s Office says:
“There may be, amongst some, an outdated notion that to use someone’s personal details given to you in a business context to ask them out is romantic or charming. Put quite simply, it is not – it is against the law.
“If you are running a customer facing business, you have a responsibility to protect the data of your customers, including from your employees misusing it. We are writing to major businesses, including food and parcel delivery, to remind them that there are no excuses, and there can be no looking the other way.”
Another article covering this topic explores the possibility of this behavior triggering fines under the General Data Protection Regulation (GDPR):
“The regulator said it's cracking down on such occurrences, asking victims to come forward, and reaching out to companies to remind them of their data protection responsibilities.
If a company is found not to be following data-protection laws, it can be fined up to £17.5 million ($22.1 million) or 4% of its global turnover.”
This story raises an interesting question in an industry where security analysts often limit their data protection efforts to digital records. Is your organization protected against third parties misusing data and putting you at risk?
Who is responsible for protecting data?
Lawmakers have approached the problem of data protection by assigning various roles and responsibilities for its handling and security. It takes a legal expert to break down the specific details of who is responsible for what, but the GDPR offers a framework that serves as a general guide. Under the GDPR, privacy responsibility roles are divided between data processors and data controllers. A third role, data protection officers, also come into play under certain conditions.
A data controller is “a natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of processing personal data.” Controllers own a repository of personal data and ultimately decide how it is handled and processed. This describes most businesses, who hold a variety of personal data for their own employees, customers, and business contacts.
A data processor is “a natural or legal person, public authority, agency, or other body which processes personal data on behalf of a controller.” Examples of data processors could include cloud service providers, payroll firms, and vendors. Data processors are supposed to work with data controllers to ensure the safety and integrity of personal data throughout its use.
Both roles are responsible for protecting data privacy under GDPR, yet the risks they each face from noncompliance depends on multiple factors. The likelihood of surviving a GDPR fine is influenced by an organization’s size, financial stability, and other economic considerations. It is easier for a multinational organization to weather a $22 million fine (or 4% of total global turnover) than a local small business. Yet, the size, visibility, and impact of large organizations make them a prime target for regulators seeking to set an example.
Fining a random gig worker $22 million will crush them, but is unlikely to affect the rest of the gig economy. However, fining the high-profile business that initially controlled the data is more likely to spur meaningful changes, perhaps throughout the industry. Because large companies attract disproportionate attention from regulators, it is in their best interests to protect their entire data-sharing chain.
The United States does not have a GDPR, but it does have multiple privacy regulations. To get a feel for how data roles are assigned in the US, consider the three classifications designated by US insurers. Transparity Insurance Services divides cloud data responsibilities between customers/users, data owners, and data holders:
- Customer/users are people interacting with or providing information to data owners and holders.
- Data owners refer to businesses or organizations that use data to provide products or services to customers.
- Data holders are third-party cloud services that provide hosting for data owners.
The insurer notes “In a cloud environment, the data owner faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider).” This statement makes it clear that US organizations are largely responsible for both on-premises and cloud data security. Yet, the complex world we inhabit often challenges the simple definitions we use to assign responsibilities.
As a thought experiment, consider the following scenario:
A small company sells clothing on eBay. A user buys a T-shirt from them and selects PayPal as their payment method. PayPal provides the buyer information to the clothing vendor and eBay. The shipping label, provided by eBay, contains the buyer’s name and address. This is provided to the shipping company. Lastly, a delivery person handles the package, and physically takes it to the destination. Who is the data owner of the buyer’s information in this scenario? If the name, address, and financial data of the buyer is compromised, how many parties in this transaction could be liable?
The point of this thought exercise is to highlight three aspects of data privacy that should concern security leadership:
- The regulatory and legal framework around privacy issues is complex, and may present hidden business risks your organization has not considered or addressed.
- Maintaining strong DLP is crucial, but privacy regulations govern interactions with third parties, and human-based data leaks as well.
- Data owners (in the US) and data controllers (in the EU) are often high-visibility companies. When their partners and independent contractors violate privacy regulations, fining them may have a negligible impact on industry operations. Fining well-known organizations is more likely to gain media attention and promote change within an industry.
Data protection is multidisciplinary
Your organization can benefit by looking at data loss risks from multiple angles. Consider having your IT and legal teams meet to discuss how your organization uses, stores, and shares data. Your cybersecurity team can explain the technical measures in place to protect electronic records. Your legal experts are better equipped to evaluate business risks from employees or third parties divulging protected data. Together, these teams can better identify areas where your organization remains vulnerable to data loss and work on solutions.
Improving your data risk exposure begins with addressing your organization’s existing technical vulnerabilities. Fortunately, DLP technology is continuously improving as vendors develop innovative solutions for monitoring and protecting data. Leading cybersecurity companies are leveraging machine learning (ML)-assisted data classification, OCR, inline and out-of-band data inspection, and other technologies to thwart data breaches. Some are training AI to discover and protect sensitive data in a variety of formats beyond the traditional scope DLP solutions. Finding the right mix of DLP technologies for protecting your organization’s data will take time, but is worth the effort.
However, the strongest DLP solutions cannot overcome people losing or misusing data they can legitimately access. This makes safeguarding your organization’s sensitive data a multidisciplinary problem that extends beyond the IT vertical. Employee training, assessing regulatory responsibilities, and reviewing data sharing policies should also factor into your data protection strategy. Hardening your infrastructure against intrusion keeps digital records safe, but you also need a plan for information you put into human hands.
What to read next