National Data Privacy Week - Data Privacy Best Practices

January 23, 2023
Data Protection

Celebrate National Data Privacy Week With Data Privacy Best Practices

There seems to be a special day, week, or month for just about anything – from National Sourdough Bread Day (April 1) to National Cell Phone Courtesy Month (July). Even data privacy has its own week. This year the National Cybersecurity Alliance’s (NCA) National Data Privacy Week runs January 22-28 and is meant to help educate and empower individuals and businesses to respect data privacy, safeguard data, and enable trust.

We are Our Data

Data privacy may not seem like a big deal – until it’s your data that’s no longer private. We’re not just talking about things like Social Security numbers, credit card information, or medical history. Do you really want someone to know your daily running routes (available through your fitness tracker) or the times of day you’re normally not at home (via home activity sensors)?

Sensors are embedded in many things these days, from automobiles to personal healthcare devices. As a result, each of us generates a lot of data. Increasingly, that data is tightly interwoven with who we are, what we do, and even what we may do in the future. (Yes, there’s a booming industry in predictive data analytics.)

With so much data created daily, it’s difficult to know who’s using it, who’s sharing it, who’s buying it, and what they’re doing with it. Plus, there seems to be no end to data breaches (some we hear about, many we don’t) in which massive amounts of personal information are stolen for nefarious uses or held for ransom.

That’s why data privacy is a big deal – and why Data Privacy Week serves as a good reminder to be diligent about protecting your data at both the personal and organizational levels.

Your Data Privacy To-do List

There’s plenty of information online about protecting your personal data, and most of us like to think the companies we work for have a solid grasp on keeping data secure as well. Nonetheless, breaches happen. Personal data is exposed or stolen. While there’s no guarantee that data will remain safe, the following best practices can help your organization keep data private.

1. Adopt a privacy framework. Create a culture of privacy in your organization by building privacy into your business. Check out the following frameworks: NIST Privacy Framework; AICPA Privacy Management Framework; ISO/IEC 27701 – International Standard for Privacy Information Management.

2. Educate employees. Make sure your employees understand their obligations, as well as those of your organization, to protect personal information. Engage staff by asking them to consider how privacy and data security apply to the work they do on a daily basis. Teach employees how to update their privacy and security settings on work and personal accounts, and train them in data security and privacy protocols. Reinforce their training continually.

3. Know the laws and industry standards. GDPR, HIPAA, and PCI are among the big ones, but there are others as well, such as:

The US doesn’t currently have comprehensive federal-level privacy regulation, but various states are enacting consumer data privacy laws. They include Connecticut, Utah, California, Colorado, and Virginia. Other states are expected to follow suit or have already implemented some form of privacy legislation.

4. Assess your data collection practices. Whether you operate locally, nationally, or globally, understand which privacy laws and regulations (see #3) apply to your business. Follow reasonable security measures to keep individuals’ personal information safe from inappropriate and unauthorized access. Make sure the data you collect is processed fairly and only collected for relevant and legitimate purposes. Maintain oversight of partners and vendors as well. If someone provides services on your behalf, you’re also responsible for how they collect and use your data.

5. Follow data retention and destruction requirements. Ensure the secure destruction of old and obsolete data. Inventory all hardware that could house old data and securely dispose of copiers, outdated voicemail systems, and even old fax machines. For data that must be retained, ensure you know how long you’re required to keep it. Choose storage options that employ multi-level security but can still meet your data access needs.

6. Know what data you have and where it resides. You can't protect what you don't know you have. Use data lifecycle management tools to locate and identify data throughout your entire organization, including hidden data that may contain sensitive information requiring special handling. Knowing where your data is, what it contains, who’s using it, and more can be helpful on numerous levels.

7. Encrypt all sensitive data. To protect data in motion outside the firewall, encrypt it with a virtual private network, and use device management to enforce all other desired policies. Encryption is also available for network traffic inside the corporate firewall.

8. Harden all endpoints that access your enterprise systems. Whether your employees use company-supplied devices or their own personal devices, every device that can access corporate networks and data should be managed with device management tools that enforce all corporate security policies. Also, keep all firewalls and antivirus software up to date, and apply all patches and software updates immediately. If your IT staff doesn't have time to handle this, consider outsourcing the task.

9. Create and enforce policies that limit access to specific types of data to only those who absolutely need it to do their jobs. Automate access-log entries, so no one who's had access to a data set goes undetected.

10. Use multi-factor authentication for data access. Require users to authenticate their identities by supplying credentials from at least two of the following authentication categories: something they know, such as a username, password, or PIN; something they have, such as a security code sent to a mobile device or accessed via an authentication app; and/or something they are, such as fingerprints, voice recognition, or other biometric indicators.

For more information on data security and privacy, take advantage of the free resources below from US Signal. Or talk to a US Signal expert. Call 866.2.SIGNAL or email [email protected]