Privacy and security: A marriage made in regulation

by Megan Dean | Last updated on October 20, 2022

When considering your company’s approach to privacy, it is natural for your head to start swimming with legislation and regulations. 

No matter where your company is located, if your business stores or processes the personal data of individuals around the world, you are likely in scope for regulations such as GDPR, CCPA, LGPD, PIPEDA, and UK GDPR, to name a few. Thank goodness we have privacy professionals to decipher the worldwide maze of privacy obligations.

What is a privacy program, anyway?

Building a privacy program can be a daunting task. It helps to think of it as drawing the blueprints for how privacy will be architected into your product and processes. When you build a house of data protection obligations, technical security controls are the foundation you pour to achieve compliance. In a world where every day brings a tornado of news about data breaches, ransomware attacks, and zero-day vulnerabilities, it is your security controls and processes that keep the roof on your customer data when a storm hits your company.

Data protection laws and regulations typically do not define the technical specifics of how the security controls protecting personal information must be implemented. What they outline are the outcomes you must achieve to be compliant (and the penalties for noncompliance), leaving the choice of controls to you.

Best practices for your privacy program

Let’s take a look at Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which is particularly relevant to Rewind as we were founded in Ottawa, Canada. PIPEDA’s safeguards principle, as summarized by the Office of the Privacy Commissioner of Canada, requires companies to “Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.” The Commissioner’s office also notes that “PIPEDA does not specify particular security safeguards that must be used. Your organization must continually ensure it adequately protects the personal information in its care as technologies evolve and as new risks emerge.”

So it is up to your company to determine what counts as an adequate safeguard. On the surface that seems vague and complex, but this is where security best practices come into play. PIPEDA also carries fines of up to $100,000 for knowingly failing to report a data breach, so you need to know where your personal data lives, who can access it, and what is being done with it, which means logging and alerting on activity in every environment where personal data is stored.

Thankfully, many tools and services are out there to help you meet your compliance goals.

Tools such as intrusion detection systems (IDS) alert you to suspicious activity and help you spot a possible breach early. Identity and access management (IAM) best practices do the rest: grant access to sensitive environments on the principle of least privilege, and enforce strong password practices together with multi-factor authentication (MFA, also called two-factor authentication). Together these ensure your data is accessed only by the people whose role requires it, and only at the level needed to carry out their duties.

For example, does your marketing team really need access to your customers’ sensitive data? (Hint: no, they do not.) These are basic examples of the fence you can build around sensitive data to meet the requirement to protect it from loss, theft, and unauthorized access.
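As an added example (not code from the original post or from Rewind), here is what the “know who accessed the data, and alert on it” piece of the last few paragraphs looks like once written down: a small Python check run over constructed CloudTrail-style S3 data events for a bucket holding personal data. It flags access by any principal outside the approved set of roles (least privilege), sessions that did not authenticate with MFA, requests from outside the expected corporate network, and successful deletions, which are the moments you would reach for a backup. The bucket name, role ARNs, IP ranges and the sample events are hypothetical; the field names (eventSource, eventName, sourceIPAddress, errorCode, userIdentity.sessionContext.attributes.mfaAuthenticated, userIdentity.sessionContext.sessionIssuer.arn, requestParameters.bucketName) are the ones CloudTrail uses.

```python
import ipaddress
import json
from typing import Iterable

# Added example; bucket, roles, networks and sample events are hypothetical.
PII_BUCKET = "example-customer-pii"  # the bucket holding customer personal data
# Least privilege: the only roles whose duties require this bucket.
APPROVED_ROLE_ARNS = {
    "arn:aws:iam::123456789012:role/DataPlatform",
    "arn:aws:iam::123456789012:role/SupportTier2",
}
# Corporate egress range the approved roles are expected to come from.
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Successful deletions are the events that should make you reach for a backup.
DELETE_EVENTS = {"DeleteObject", "DeleteObjects", "DeleteBucket"}


def principal_arn(event: dict) -> str:
    """Stable IAM role ARN behind an assumed-role session, else the caller's own ARN."""
    # userIdentity.arn for a role session is the temporary sts assumed-role ARN;
    # sessionContext.sessionIssuer.arn is the role we allowlist on.
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn", "")


def mfa_used(event: dict) -> bool:
    """CloudTrail records mfaAuthenticated as the string "true" or "false"."""
    ident = event.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    return attrs.get("mfaAuthenticated") == "true"


def evaluate(event: dict) -> list:
    """Findings for one event; an empty list means nothing to alert on."""
    params = event.get("requestParameters") or {}
    if event.get("eventSource") != "s3.amazonaws.com" or params.get("bucketName") != PII_BUCKET:
        return []  # another bucket or another service: out of scope here
    findings = []
    if principal_arn(event) not in APPROVED_ROLE_ARNS:
        findings.append("unapproved_principal")
    if not mfa_used(event):
        findings.append("no_mfa")
    try:
        addr = ipaddress.ip_address(event.get("sourceIPAddress", ""))
        expected = any(addr in net for net in APPROVED_NETWORKS)
    except ValueError:
        # AWS services show up here as a hostname; treat anything that is not an IP as unexpected.
        expected = False
    if not expected:
        findings.append("unexpected_network")
    # errorCode is absent on success, so only a delete that worked counts as data loss.
    if event.get("eventName") in DELETE_EVENTS and event.get("errorCode") is None:
        findings.append("deletion_restore_candidate")
    return findings


def scan(events: Iterable[dict]) -> list:
    """One alert per flagged event, in input order."""
    alerts = []
    for ev in events:
        findings = evaluate(ev)
        if findings:
            alerts.append({"time": ev.get("eventTime"), "event": ev.get("eventName"),
                           "principal": principal_arn(ev),
                           "key": (ev.get("requestParameters") or {}).get("key"),
                           "findings": findings})
    return alerts


def _s3_event(name, role, mfa, ip, bucket, key, error=None):
    """Constructed CloudTrail-shaped S3 data event (sample data, not a real log)."""
    ev = {"eventTime": "2022-10-20T14:02:11Z", "eventSource": "s3.amazonaws.com",
          "eventName": name, "sourceIPAddress": ip,
          "userIdentity": {"type": "AssumedRole",
                           "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/session",
                           "sessionContext": {"attributes": {"mfaAuthenticated": mfa},
                                              "sessionIssuer": {"arn": f"arn:aws:iam::123456789012:role/{role}"}}},
          "requestParameters": {"bucketName": bucket, "key": key}}
    if error:
        ev["errorCode"] = error
    return ev


SAMPLE_EVENTS = [
    # Approved role, MFA, corporate IP, plain read: nothing to alert on.
    _s3_event("GetObject", "DataPlatform", "true", "203.0.113.17", PII_BUCKET, "exports/customers.csv"),
    # Marketing reading the customer export without MFA: least-privilege violation.
    _s3_event("GetObject", "Marketing", "false", "203.0.113.44", PII_BUCKET, "exports/customers.csv"),
    # Approved role deleting from an unknown network: data loss, odd origin.
    _s3_event("DeleteObject", "DataPlatform", "true", "198.51.100.9", PII_BUCKET, "exports/customers.csv"),
    # Delete that was refused (AccessDenied): still worth an alert, but nothing was lost.
    _s3_event("DeleteObject", "Marketing", "false", "203.0.113.44", PII_BUCKET, "exports/customers.csv", "AccessDenied"),
    # A different bucket: ignored by this check.
    _s3_event("GetObject", "Marketing", "false", "203.0.113.44", "example-marketing-assets", "logo.png"),
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Two caveats before trusting a check like this: CloudTrail does not record S3 object-level (data) events unless you enable them for the trail and the bucket, and a call made with long-lived IAM user access keys carries no session context at all, so it will (correctly) surface as no_mfa. In a real pipeline the events would be read from the trail’s delivery bucket or CloudWatch Logs and the alerts pushed to your SIEM or paging tool.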

Encrypt, encrypt, encrypt

Encryption is another foundation of security that will help you meet your data compliance goals. Another prominent law that is vague on specifics but emphasizes encryption is the California Consumer Privacy Act (CCPA). CCPA contains no specific requirements around encryption, no rules on what type of data should be encrypted, and none on how. However, it gives consumers a private right of action for data breaches involving “nonencrypted or nonredacted personal information”, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, on top of civil penalties of up to $2,500 per violation (or $7,500 per intentional violation). In other words, encryption is what takes a breach outside that private right of action. Since damages are assessed per consumer, a breach affecting ten consumers could cost up to $7,500 in statutory damages alone; breaches affecting thousands of consumers (which are not uncommon) could easily produce liability in the millions.

So, it’s in a company’s best interest to evaluate what data should be encrypted and how to manage that data.

Another example brings us across the pond to the General Data Protection Regulation (GDPR). Article 32 of GDPR, Security of Processing, requires that the controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, “the pseudonymisation and encryption of personal data” (Article 32(1)(a)) and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident” (Article 32(1)(c)).

Large multinational companies have already been caught not abiding by GDPR rules: in 2020 the UK Information Commissioner’s Office (ICO) fined hotel chain Marriott £18.4 million (about $23.8 million) over the Starwood guest database breach, and Germany’s Hamburg data protection authority fined clothing chain H&M €35.3 million for unlawfully monitoring its employees.

Marrying privacy and security

These are prime examples of the marriage of privacy regulation and security. If you process and store customer personal data as part of your company’s services, consider hosting your application or product with a reputable cloud infrastructure provider such as Amazon Web Services (AWS). AWS comes with a suite of security capabilities out of the box, such as encryption of data at rest. Keep in mind, though, that under the shared responsibility model the provider secures the underlying infrastructure, while enabling encryption, scoping access, and keeping backups of your own data remain your job.

So you know that GDPR expects you to be able to restore your customers’ personal data in a timely manner after an incident, and that CCPA, PIPEDA, and others penalize losing or exposing it. But how do you do that?

This is where Rewind can help you strike your balance of security and privacy controls. By investing in backups of your customer data, you are prepared for the incident in which that data is accidentally or maliciously deleted: Rewind can help you weather the storm and put the roof back on your business by restoring your critical data, and in doing so help you meet your data privacy obligations. Rewind is the only SOC 2 and GDPR compliant SaaS backup app, and has been trusted by over 100,000 organizations worldwide.

Find out more about how Rewind can help you meet your compliance goals: view our security portal, our GDPR policy, or read more about data security at Rewind.

Megan Dean
Megan Dean is an experienced Information Security Professional with a focus on governance, risk, and compliance. She is a Certified Information Systems Security Professional (CISSP) and a Systems Security Certified Practitioner (SSCP). She currently serves as Rewind's Information Security and Risk Compliance Manager. In her spare time, Megan can usually be found watching documentaries, playing video games, or reading the latest cybersecurity news.