It’s no longer privacy vs security. Regulations like GDPR and customer data breaches have joined privacy and security efforts at the hip.
The European Union’s far-reaching General Data Protection Regulation (GDPR) goes into effect May 25, Facebook has had to answer to Congress for its ties with Cambridge Analytica, and privacy issues and reports of massive data breaches are in the news on an almost daily basis.
Privacy and security go hand-in-hand, says Shahryar Shaghaghi, national leader of the cybersecurity and privacy practice at CohnReznick LLP. “There is no security implementation without a privacy consideration, and vice-versa,” he says. “If you’re talking about access controls, you’re talking about both topics. If you’re talking about encrypting and protecting data, you’re talking about both topics. If you’re talking about monitoring data, you’re talking about both topics.”
With GDPR, it’s not just for companies doing business in Europe. “Even if their primary market isn’t Europe, many companies are realizing that they’ll have to make some changes,” says Lorrie Cranor, computer science professor at Carnegie Mellon University and director of the CyLab Usable Privacy and Security Laboratory. “Given the potential penalties, that’s where there is awareness. It’s waking them up.”
According to the 2018 Data Threat Report from Thales and 451 Research, only 13 percent of organizations say that they will not be impacted by privacy regulations — a steep drop from 28 percent last year. Even when companies don’t do any business in Europe, they still need to be paying attention to the issue, as other regulators are dealing with the same issues. “I think we will see pieces of GDPR in the United States,” Cranor says.
Meanwhile, GDPR is already having an effect on improving privacy controls for users around the world, since it’s easier for some companies to simply comply with GDPR across the board. “We just did it across the board,” says Michael Fauscette, chief research officer at G2 Crowd, an online software review site. “We have about half a million users, and there are too many pitfalls to the idea that you’d always know that this is a European user, this is a user from China, or whatever.”
According to a survey released by ISACA, security and privacy are at the top of the agenda for companies of all sizes. Executives say that they expect to see several positive outcomes as a result of their preparation for GDPR. The top three were better data security, with 60 percent of respondents, followed by improved business reputations at 49 percent, and marrying data security practices with corporate culture at 43 percent.
In 2016, 30 percent of executives said that the lack of privacy controls was a top issue that kept them up at night, according to a survey released last month by Scale Venture Partners. That went up to 46 percent last year, nearly catching up to hackers at 49 percent.
The survey was conducted before the Cambridge Analytica news broke, says Ariel Tseitlin, partner at Scale Venture Partners. “There’s been a steady stream of breaches over the past few years,” he says. “CISOs have heard the message loud and clear, and boards have been discussing this. But the big changes now are coming from regulations, including GDPR. It’s been the big warning bell ringing, and organizations have been waking up.”