Within 24 hours of the long-awaited launch of Disney+, the entertainment multinational’s streaming service, it was reported that thousands of accounts had been hacked, with critical data stolen and sold online. As these breaches are so common, we’ve become almost unphased by them. Not a day goes by where our mortgage information, our passwords, and even our old emails aren’t wrapped up in some sort of endpoint security failure that attacks our digital privacy.
About the author
Keith Casey currently serves on the Platform Team at Okta working on Identity and Authentication APIs.
The cynic would suggest this is the new normal, that we have made a Faustian bargain with big tech to choose convenience over security and privacy. While news reports highlight companies behaving badly, change may be on the horizon, both in terms of companies’ attitudes towards customer privacy and in the regulatory compliance landscape. While fines and further legal ramifications should be enough to drive businesses to take customer privacy seriously, customers also need to take responsibility and push change.
Increased regulation, improved privacy
All businesses are aware of General Data Protection Regulation (GDPR), the European Union’s privacy regulation, which launched last May. GDPR arose as a holistic approach to update existing, inconsistent and conflicting laws and regulations across the EU and strengthen the protection of individuals’ personal data. Through the ‘right to be forgotten’ measure, increased controls and the enforcement of severe financial penalties for any mishandling of data have encouraged a rethink of data ownership.
There are many examples of ‘the right to be forgotten’ in action. For instance, in Spain, a citizen demanded that outdated information about his house being repossessed was removed from search listings. His claim was upheld after both the Spanish Court and the EU Court of Justice examined the merits of the case, and the information was removed from the public domain.
The awareness of GDPR is being felt well outside of the EU. It has also paved the way for the California Consumer Privacy Act (CCPA), offering similar protections for Californian consumers, demonstrating the growing importance of regulation globally. The CCPA went into effect on January 1, 2020. The regulation puts guidelines on personal information collection and usage by businesses, giving Californians significant visibility and access to what data is gathered, how it is shared and control over its deletion.
With these new regulations, businesses must be more cautious on the issues of consent and provide stringent enforcement of checks and balances across the stack.
Trust is the gateway to customer privacy
In the case of technology, repeated breaches, both accidental and malicious, have destroyed trust, created legal issues and hurt organisations’ bottom lines. According to the Edelman Trust Barometer, a global survey of consumer trust done annually, only 55 per cent of respondents think technology is performing well in protecting consumer data.
This suggests that privacy is becoming a front and centre issue for businesses and governments alike. But can it be a strategic advantage? According to fingerprint identification company, IDEX Biometrics, 75% of UK consumers are concerned about the security of personal data shared with organisations.
Handling privacy proactively and transparently offers significant upside to businesses of all sizes. This means understanding how to practically think about protecting customers’ data, and there are some broad, simple rules that make data privacy and transparency significantly easier for businesses:
Don’t collect unnecessary data: If you don’t need a user’s credit card number, national insurance number, or any other sensitive information, don’t collect it. If you don’t store the information, it can’t be stolen or even leaked by accident. It’s a prudent, responsible decision that reduces risk for companies, teams, and individual developers.
Don’t share unnecessary data: There are times when you must collect the data but that doesn’t require you to also share it. Data sharing needs to be scoped to both the use case and the user and dynamically shifted when necessary.
Always monitor: Too much mobile app development is developed without input or co-ordination from their Security or Operations teams. Developing a better working relationship to establish a baseline of “normal” and investigating anything beyond it is key to limiting unwanted exploitation of privacy and data. While we won’t always catch an attack in progress, the faster we detect, stop, and fix breaches, the less we will suffer legally, financially, and professionally, and this begins with the business apps we develop.
Be transparent: The same policies and practices that worked in 2010 do not work in 2020. At a policy level, we need better privacy policies with clear language to explain customers’ rights and responsibilities. At a technical level, we need to take proper steps to limit what data we share, how we share it, who we share it with, and how those parties may use it and must protect it.
As is always the case, the devil is in the details. But proactively considering data privacy offers businesses a chance to showcase commitment and transparency to customers in an age of waning trust, in addition to avoiding the regulatory headaches of an increasingly complex compliance. This will help give customers confidence that their details will be secure when they engage with your business, which is increasingly front of their minds.
- Secure your privacy online with the best VPN.