Why is data privacy so hard

This morning I woke up to the news of the data breach at Air India, a government-owned airline carrier.

This data breach affected the information of more than 4.5 million users, including names, dates of birth, passport and credit card information. The breach involved data registered between 26 August 2011 and 20 February 2021, which is close to 10 years of data.

This is pretty sensitive data since information like passport details and credit card information can easily be used on the dark web for illegal activities. 

I have travelled with this airline multiple times before, and I currently feel vulnerable about how little control I have over my own data that is provided to multiple such entities and services all across the world.

What makes me wonder, though, is why, despite so many years of bad incidents and high-profile data breaches, the problem of privacy has not yet been solved.

Why is data privacy so hard?

Information Security is not a technical challenge, it is a business challenge that must be facilitated by technology.

Organizations continue to fail to protect information because they are not focused on what matters most: their data.

Ann Cavoukian, while laying down the 7 Foundational Principles of Privacy by Design (PbD), stated in her first and foremost principle that:

The Privacy by Design approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen.

PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred − it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.

Proactive not Reactive; Preventative not Remedial

This means that an organisation must design its policies to protect data beforehand instead of reacting to data breaches later.

Business landscapes are evolving and rules of using the data are becoming harder to define. 

Even from the technology perspective, effective data protection requires two or more technology providers to solve all the problems in a given business environment. Different technologies do not integrate well, which hinders their ability to recognize important cross-platform context clues.

In addition to that, the cost of protecting data is extremely high. The cost of not protecting it is also growing.

For instance, if a company gets a request, under the CPRA or GDPR, from a person to delete their data, not only does the company have to comply, it also has to send that data directly to the person.

It is not an easy task for a business to hand out such information. According to Okta, the average organization has more than 88 distinct applications.

It often takes an entire army of people and experts to resolve a single data subject request, costing significant time and money. It also carries a high risk of error.

Can technology solve this problem alone?

Data protection sits at the intersection of identifying data, tracking its movement, and identifying risk patterns in human behavior. Individually, those are complex issues. 

Combining them all into an integrated well-functioning program requires:

  • proper technologies,
  • a proper process to integrate the inputs and outputs, and
  • people with deep expertise in the art and science of data protection.

But technology experts are not enough for such organisations. 

Surveys and interviews done by acm.org with app developers found that the vast majority of app developers knew little about existing privacy laws or privacy frameworks, what privacy issues they should pay attention to, and how to address them.

The author of one of the articles written on acm.org summarised this survey by saying that the knowledge that a typical developer has about privacy is almost zero.

Thus, lawyers play an important role in designing and protecting the privacy of the consumer, as much as a developer does while building the technology for a business.

Organisations are rapidly hiring lawyers to help them align their privacy policies with the existing regulations and to negotiate on behalf of the business in case of data breaches, preventing a potential downfall of the business.

This has created a massive demand for lawyers in the data privacy domain. 

Do you want to learn how you can enter the field of data security and privacy management as a lawyer?

What opportunities will this field open up for you if you know the skills of protecting data for big corporations? 

How can you emerge as a leader in this field which is currently waiting to be tapped by lawyers? 

How can lawyers who have no technology background make it big in this field?

Join us for a 3-day FREE LIVE online bootcamp on International career opportunities for lawyers in Data Protection, Privacy Management and Technology Law from 29-21 May, 6-9 pm Indian Standard Time.

During this bootcamp you will learn about the tasks that a privacy lawyer does and what opportunities are currently available if you know those skills. 

By the end of the bootcamp you will learn how to draft a privacy policy for a website and conduct an impact assessment report for a start-up. 

You will also be equipped to create a GDPR project implementation plan and draft data processing contract/addendum. 

BONUS: if you attend this bootcamp on all the 3 days then you will also receive templates of the following documents in the form of PDF: 

Day 1 – Data Processing Agreement/ Addendum

Day 2 – GDPR Compliant Privacy Policy

Day 3 – 10 templates

  1. Personal Data Analysis Form
  2. Personal Data Flow Map
  3. Personal Data Asset Inventory List
  4. List of 3rd Party Processing Providers
  5. GDPR Impact Assessment Report Template
  6. GDPR Project Implementation Plan Template
  7. Cookie Policy
  8. DPO Agreement Template
  9. Checklist of Responsibilities of a DPO
  10. Compliance Checklist under California Consumer Privacy Act

10 templates, which include Cookie Policy, Data Protection Officer Agreement Template, Personal Data Flow Map and much more.

Recordings of this bootcamp will not be available later so you have to attend it LIVE to make the most out of these sessions. 

Since there is still one week to go before the bootcamp, I recommend that you schedule it in your calendar so that you don’t miss it.

Invite your friends, colleagues and classmates to this bootcamp by sharing this link in your network: https://bit.ly/3f083e7 

If you want to receive more such updates regarding technology law directly to your mobile phone you can join our WhatsApp and Telegram groups listed below: 

Telegram: https://t.me/joinchat/UARS7wxD6w3H3jkK   

WhatsApp: https://chat.whatsapp.com/CAY6trQWLe95gPxn1pkmAq   


Students of LawSikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/lawyerscommunity2

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

2 replies on “Why is data privacy so hard”

The 3-day boot camp on Data Protection was quite insightful. How do I take this forward by enrolling for your Diploma course? How do I process the payment from Nigeria?

Data is a fact or a collection of facts. It can be true or false; it can be a text or a number; it can be a video or an audio. When I put a post on Facebook this morning by just saying “Good morning all”, I had given out a piece of data for all the people on the platform to see and to comment/respond, if they choose to. The question is, who owns that data? Does Facebook own that data or am I the owner, and if so, to what extent?

Social media platforms are owned by someone and users are using them without having much realization as to on what grounds they are providing this service for free! Nobody is paying Google for a search just made. Nobody is paying Instagram for a photo just posted. Nobody is paying Twitter for a tweet just posted. These big technology companies are making use of your data, after all the consent from the users is obtained! Can anyone argue against this?

The breach of data that occurred at India’s national airline, Air India, during the past 10 years is an eye-opener for the policy makers to take action, sooner rather than later. Recently Booking.com was penalized by the Dutch Data Protection Authority (Booking.com is registered in the Netherlands) for a breach of data that occurred outside their jurisdiction, in the UAE. (Ref.: https://portswigger.net/daily-swig/booking-com-fined-560-000-for-gdpr-data-breach-violation). This shows how strong the GDPR legislation is and yet, how vulnerable the structure is!

I can leave a thought regarding how the law can apply to cyberspace. Legal codes, as we read in legal documents, are framed for taking action if an event occurs. However, software code, as it is coded by technology companies, can prevent such an event from occurring. So, who should be taught the cyber laws? The answer can lead us to find who is responsible for our data.
