Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/29/2019
10:30 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Privacy 2019: We're Not Ready

To facilitate the innovative use of data and unlock the benefits of new technologies, we need privacy not just in the books but also on the ground.

Omer Tene, VP, International Association of Privacy Professionals (IAPP), also contributed to this article.

By any measure, this summer has been a busy time for privacy news. It started with a flurry of enforcement activity in Europe, including announcements from the UK privacy regulator of fines in the amount of $230 million against British Airways and $125 million against Marriott. It continued with a high-stakes standoff in Europe's highest court between Max Schrems (a prominent privacy advocate), Facebook, and the Irish Data Protection Commissioner, which could jeopardize the future of transatlantic data flows. Finally, it ended with a big bang, with news publicly released to the humdrum of a summery Friday afternoon of the FTC's $5 billion fine against Facebook in connection with the Cambridge Analytica scandal.

The message resonated loud and clear in corporate boardrooms from Silicon Valley to London: Privacy has become a first-order media and regulatory concern.

How should businesses respond to this new drumbeat of privacy outcries and enforcement actions? The risks of data mismanagement -- measuring hundreds of millions of dollars and including security breaches, inappropriate information sharing, and "creepy" data uses -- are no longer an acceptable cost of doing business, making it abundantly clear that society cannot experience the full benefits of a digital economy without investing in privacy.

The good news is that the public has recognized the gravity of the problem. Breakthroughs in healthcare, smart traffic, connected communities, and artificial intelligence (AI) confer tremendous societal benefits but, at the same time, create chilling privacy risks. The bad news is that we're hardly ready to address these issues. As Berkeley professors Deirdre Mulligan and Kenneth Bamberger wrote in Privacy on the Ground: Driving Corporate Behavior in the United States and Europe, it's one thing to have privacy "on the books," but it's quite another thing to have privacy "on the ground."

According to research by the International Association of Privacy Professionals (IAPP), more than 500,000 organizations have already registered data protection officers in Europe. Yet only a fraction of those roles can actually be staffed by individuals who are trained on privacy law, technologies, and operations. To rein in data flows across thousands of data systems, sprawling networks of vendors, cloud architectures, and machine learning algorithms, organizations large and small must deploy highly qualified people, technologies, and processes that are still in the early developmental stage.   

First, the people who will serve as foot soldiers of this army of professionals must be modern-day renaissance persons. They have to be well-versed on the technology, engineering, management, law, ethics, and policy of the digital economy. They need to apply lofty principles like privacy, equality, and freedom in day-to-day operational settings to disruptive tech innovations such as facial recognition, consumer genetics, and AI. They need to not only understand the logic underlying black box machine learning processes but also the mechanics of algorithmic decision-making and the social and ethical norms that govern them. Unfortunately, existing academic curricula are siloed in areas such as law, engineering, and management. Government, academic, and accreditation bodies should work to lower the walls between disciplines to ensure that lawyers and ethicists talk not only to each other but also with computer scientists, IT professionals, and engineers.

Second, researchers and entrepreneurs are building a vast array of technologies to help companies and individuals protect privacy and data. Just last week, OneTrust, a privacy tech vendor, raised $200 million at a valuation of $1.3 billion, making it the first privacy tech unicorn merely three years after its launch. Some of these new technologies help organizations better handle their privacy compliance and data management obligations. Others provide consumers with tools to protect and manage their own data through de-identification, encryption, obfuscation, or identity management. Over the next few years, governments and policymakers should give organizations incentives to innovate not only around data analytics and use but also around protection of privacy, identity, and confidentiality.   

Third, organizations should deploy data governance processes and best practices to ensure responsible and accountable data practices. Such processes include privacy impact assessments, consent management platforms, data mapping and inventories, and ongoing accountability audits. With guidance from regulators and frameworks from standard-setting bodies, such as the National Institute of Standards and Technology, procedural best practices will develop for both public and private sector players.

Like so many complex societal issues, privacy concerns require a matrix of responses. We certainly need strong laws and effective enforcement, but organizations should also embrace their stewardship of data and invest in the processes and technologies to better manage their data stores. Importantly, we need to continue to educate and train professionals with the knowledge and skills to make ethical, responsible decisions about how data is handled. To facilitate innovative data uses and unlock the benefits of new technologies, we need privacy not only in the books but also on the ground.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Fuzzing 101: Why Bug-Finders Still Love It After All These Years."

As president and CEO of the International Association of Privacy Professionals (IAPP), J. Trevor Hughes leads the world's largest association of privacy professionals, which promotes, defines and supports the privacy profession globally.  Trevor is widely recognized as a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DHorse2
50%
50%
DHorse2,
User Rank: Strategist
9/5/2019 | 4:15:42 PM
Who get's privacy.
What a good article. I agree with it aside from some issues get skipped. What's ironic is in theory (simple strategies) I can provide a secure personal device or network. To the extent you could detect an active Minux3 backdoor. Which means other people can. Where people can be private and corporations can't we can expect a government response.
Jim_Gordon
50%
50%
Jim_Gordon,
User Rank: Author
9/16/2019 | 5:15:31 PM
Great article. Great perspective.
Promote Intel's approach to privacy ... https://usprivacybill.intel.com/

The world is definitely not ready.  Honestly, most enterprise and government leaders don't even yet know what they are getting ready for.  Great article.  Great perspective.  Intel (my employer) has an approach to privacy worth considering.  Steal with pride, look at it for ideas, participate in the online discussion or even send feedback if you have any.  Do all of that at https://usprivacybill.intel.com/ 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19740
PUBLISHED: 2019-12-12
Octeth Oempro 4.7 allows SQL injection. The parameter CampaignID in Campaign.Get is vulnerable.
CVE-2019-19746
PUBLISHED: 2019-12-12
make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fault and out-of-bounds write because of an integer overflow via a large arrow type.
CVE-2019-19748
PUBLISHED: 2019-12-12
The Work Time Calendar app before 4.7.1 for Jira allows XSS.
CVE-2017-18640
PUBLISHED: 2019-12-12
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2019-19726
PUBLISHED: 2019-12-12
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from th...