The importance of Data Privacy Day and what it means for your organization

A total of 5.07 billion people around the world use the internet today – equivalent to 63.5 percent of the world's total population. As internet users continue to grow the there is still education and work to be done in the realm of data protection. January 28th is celebrated as Data Privacy Day across the world and since 2021, initially started by the Council of Europe in 2007, more than 50 countries across the world now observe Data Privacy Day and showcase for an entire week why Data Privacy is of paramount importance. In 2023 experts have chosen a theme to increase awareness around ‘Protecting Personal Data at Home and Work’.

The goal of Data Privacy Day is twofold – every user should understand that they have the right and power to protect and manage their personal data, while organizations understand why it is important to protect and safeguard their customers data and Personally Identifiable Information (PII).

In India PII is classified as any data that could potentially be used to identify a particular person. Examples include the full name, PAN card, driver's licence number, bank account number, passport number and email address.

Key Steps To Protect and Secure Data

There cannot be any data privacy without good data security. Therefore, below is a quick checklist that organizations should implement to help protect and secure data.

1. Implement a Security Strategy Focused on a Platform Approach

The first step in protecting data is ensuring that any Personally Identifiable Information (PII) data your organization accesses is secured from the moment it enters to the moment it leaves your network. This includes applying security measures and policies that can seamlessly identify, follow, and secure data as it moves between network domains and devices, including across multi-cloud or SD-WAN environments, as well as across the extended network. In addition, zero-trust access is vital. As users continue to work-from-anywhere and Internet-of-Things (IoT) devices flood networks and operational environments, continuous verification of all users and devices is crucial as they access corporate network resources, especially data.

Security plays a critical role in securing every bit of data as well as managing who and what has access to it. A cybersecurity mesh platform allows all security components to see other devices, share and correlate information between them, and participate in a coordinated threat response. It must be woven into and across every aspect of the evolving network to enable things like unified policy creation, centralized orchestration, and consistent enforcement. This mesh approach allows organizations to extend visibility deep into the infrastructure to see every device, track every application and workflow, and more importantly, see and secure all data. It also allows organizations to demonstrate compliance with regard to protected privacy requirements and the verification of its secure storage, use, and removal.

2. Change What and How You Collect PII Data

Privacy laws such as the General Data Protection Regulation (GDPR) define individuals as the sole owners of their data, not businesses or institutions. As a result, these individuals must be able to withdraw their consent to the collection of their data as quickly and easily as it was given. This requires organizations to collect only the minimum amount of data needed for a specific purpose and to then be able to completely remove it when it is no longer needed.

3. Ensure PII Can Be Easily Identified, Flagged, and Deleted

Organizations need to be prepared to demonstrate how to prevent specific data from being shared or sold to third parties and how to remove all instantiations of an individual's PII regardless of where it is being stored or used. For example, the GDPR’s “right to be forgotten” (RTBF) means that data needs to be found and removed quickly and easily, rather than relying on humans to hunt for each instance of personal information scattered across a distributed network.

4. Encrypt PII To Ensure Less Risk

Consider encrypting data in transit and at rest in the network, as encryption negates the value of data if it is compromised. That said, encrypting large volumes of data is no easy task. Because of this, organizations should consider what is a priority based on the ability of encryption performance and any associated degradation of performance.

5. Training and Education Are Important

Encourage cybersecurity training for all employees and follow up with practice and drills. Good password hygiene along with multi-factor authentication (MFA) should be requirements to help add extra protection.

Data privacy legislation reflects concern about the protection and personal ownership of PII. Data Privacy Day is a reminder that every organization that accesses personal data needs to evaluate its IT security infrastructure and ask itself:  

• Are IT security solutions able to effectively communicate, regardless of where they have been deployed, to optimally protect data and provide network-wide visibility?
• Does the network include sophisticated data protection measures such as threat prevention and detection, pseudonymization of PII, and internal segmentation to isolate and track customer and employee data?
• Is there a documented and tested data breach response plan?

Today’s organizations need to be able to answer “yes” to these questions to be prepared for existing data privacy regulations or others on the near horizon.

By Vishak Raman, Vice President of Sales, India, SAARC and southeast Asia at Fortinet