May 25, 2022, marked the fourth anniversary of the European Union’s General Data Protection Regulation (GDPR), and it might surprise you to learn that in that time, most companies still aren’t compliant, and some have no means to ever become compliant. In my opinion, GDPR and other like-minded data privacy laws have intended to provide a goal and an incentive to do your very best with data handling, transparency to the data owners, and data security to help minimize any potential risk your actions with a company pose to your personal information.
We will continue to see iteration over iteration of GDPR and other data privacy laws and mandates for the next several years, and while things are getting better overall across the board regarding data privacy, it hit me the other day: GDPR is turning four, but digital data has been around for as long as computer networking and systems have. What happened to all that data acquired prior to GDPR?
In addition to this, I was thinking about the various online forms we all fill out that include a checkbox to opt into one thing or out of another. Whether or not you check anything on the page, that company still collects the exact same information as if you hadn’t opted out of anything. If I’m supplying the exact same data regardless but they have no use for it, why is it being collected and what are they doing with it?
Data Is Everywhere
I started running these thoughts past peers in the data privacy industry and all I kept hearing was, “I’ve never actually thought of that,” or, “We secure data the same way regardless of what was opted out,” and even, “Well, we aren’t sure exactly what we have where or what its purpose is, so the best we can do is secure it until legal tells us it’s no longer needed.”
While none of these answers were shocking to me, it did get me thinking about how the front end, user experiences, and data privacy or data handling notices can create a major unmanaged snowball effect the further down the digital pipe it goes.
Let’s say you submit an order form that includes your prefix (Mr., Mrs., Ms., etc.), name, email, phone number, address, credit card, and perhaps an opt-in for a newsletter and a discount program. You also allow the business to store your card for future purchases. That opt-in to the newsletter includes data elements that ensure the organization knows it was you at this time from this location, from this type of device, browser, IP address, potentially including internet service provider. The form even inadvertently captured gender information via prefixes. The intention was merely to know how to best address you in upcoming newsletters or communications. But what the business doesn’t realize is they’ve just captured a data element considered sensitive in the eyes of a GDPR data processing agreement.
Fast forward from there and all this data goes into various analytics, data science efforts, out to third parties for analysis, or potentially even government entities for research purposes. And that’s just scratching the surface. When you signed up for that newsletter or you bought that item from this company, did you expect your data to end up in all these different places? Probably not.
It’s About Minimization
Businesses and the internet both are run by humans who are curious, prone to error, and love to horde data, all of which often leads to data science efforts to squeeze every last bit of value from any data they have. Most of us in the IT or privacy spaces have probably even done some of this ourselves. But it leads me to wonder: If we know that the amount of data will continually grow as the world’s digital footprint expands, how can a company remain aware of what data they have where (and how old it is), and ensure that data is protected to the best of their abilities regardless of where it lives?
Holding on to old data—whether you know you have it or not—causes several problems:
- It’s harder to find the useful data
- You risk having uncontrolled data sprawl
- You’re a broader target for cyber attackers
Folders that haven’t been accessed in years may lack the same access restrictions as newer data folders in part because the better data security practices weren’t in play when those folders were created. And those folders have been there so long, you may not even know they contain sensitive information. It’s important to protect your organization from data overload by identifying, controlling, and then minimizing the amount of sensitive data you have.
That’s where PKWARE comes in. Since the 1980s, PKWARE has been at the forefront of data privacy and security. Now, as data continues to grow and data privacy awareness spikes, PKWARE’s data discovery and protection suite, PK Protect, has expanded to not only be able to discover and protect data stored on endpoints (laptops, desktops, tablets, etc.), but also data stored on-premises in a server, repository, or in any of the numerous clouds available. PK Protect can highlight areas of dark data, data you didn’t realize was there or is still around after its intended deletion date. It can even provide in-depth reporting on all the data as it pertains to a particular person, or be leveraged for data governance / data security to enable one-way data transformation to mask or anonymize data. In short, PK Protect can ensure the organization is continually operating on data the way it is legally supposed to.
PK Protect is purpose-built to support data security, helping ensure organizations take data handling, data awareness, and overall good data practices seriously. See how it works in your organization by requesting your free demo now.