Some privacy advocates proclaim: “In a dystopian future, governments and large corporations will track our location, our actions, and our very thoughts via implants embedded in our brains. We’ll lament our inaction during these early days when we could have fought for data privacy.” In contrast, public security advocates paint similarly bleak futures based on not using technology and data to improve public safety, economic equality, or geopolitical stability.
Data privacy is part of a larger data management ecosystem that has many, sometimes conflicting, goals. Data fuels business growth, so we get more devices creating and collecting data. This scale makes it a challenge to identify, analyze and manage data, especially when many organizations prioritize data’s value over people’s privacy.
As an official champion of Data Privacy Day 2020, we feel the goal should not be to solve for data privacy in a vacuum. It should be to understand how to integrate data privacy as part of our overall data management strategy.
Listen in to my discussion of data privacy with Druva CISO Tom Conklin and W. Curtis Preston, Druva’s Chief Technical Evangelist.
Can we identify what data should be private?
Data about you is everywhere. Financial information used for credit scores. Government information like tax records, driver’s licenses, and jury duty. Retail information about your purchases. Medical information with health care providers and insurance. And, of course, the personal information you share on social media such as travel, relationships and more. That’s just the data you know about.
What about the data that you may not be aware of? There are cameras everywhere – in casinos, airports, and even on telephone poles. In the past, we had privacy through obscurity. Most entities had neither the algorithms to identify individuals from video feeds nor the compute power to analyze the vast amount of video data. That has changed: cloud-powered AI/ML applications focused on facial and vocal recognition now give government agencies, casinos, and companies the ability to actively track your activities.
With the volume and variety of data being collected daily, how can you verify that organizations are maintaining your privacy? While the cloud powers the most advanced analytics, most organizations still run their business with on-premises IT. They don’t have enough expertise and compute power to search for and identify personal information stored across their data silos, which puts individual privacy at risk.
Can we control private data?
Even if an organization could identify private data, is it able to control where it’s stored and how it’s used? Different groups inside a company make and store copies for backup, disaster recovery, test and development, and deeper analytics. Some have processes around managing, securing, and anonymizing the copied data. Most don’t.
Furthermore, conflicting rules and regulations can make it difficult to control the retention of users’ private data. Technology evolves more quickly than laws, so regulations are either woefully outdated or painfully vague. For example, a court case may require retaining data past the point that it should be deleted for privacy. Countries and cities may even have conflicting privacy regulations!
Finally, it can be futile to try to clean up data from data protection copies. Most data protection copies cannot be modified. Somebody may identify private data in a backup image. A change in privacy regulations may now classify previously “public” data as “private”. What should organizations do with 7+ years of historical backups? Any approach is prohibitively expensive, complicated, and risky.
Do we even want to control private data?
In an ideal world, we would want absolute privacy. In the real world, however, people are willing to trade off digital privacy for better user experience and physical safety. Social media studies, such as one conducted at Masaryk University, indicate that younger users will trade off privacy for better recommendations (movies, products, services), social connections, and responsiveness. Furthermore, in cities like Wayne, NJ, people support city-wide video surveillance to improve public safety.
An unspoken part of the data privacy challenge is that people do not trust large corporations, government and law enforcement agencies to manage their privacy. (Even while they send their private information to the most transparent phishing operations – go figure.)
In theory, we want privacy. In reality, people will not trade off user experience and safety for digital privacy that they do not believe in.
What should we do?
Data privacy will not be solved just by sweeping legislation or by a single magical product. Instead, there’s a journey to follow:
Step 1 – Leverage the power of cloud
The power of cloud has made it easier to put people’s privacy at risk. The same power can help centrally track and manage private data – including all the copies. Find a vendor that will help with a shared responsibility model.
Step 2 – Minimize the tradeoffs
Once in the cloud, organizations can segment and encrypt users’ private data with their own encryption key (e.g. Druva’s envelope encryption). Users can then securely opt-in to services.
Step 3 – Sensible regulations
IT and business need to collaborate with lawmakers to create viable, evolving regulations that provide a sensible baseline for data privacy.
As we face a “Choose Your Own Adventure” of dystopian futures, data privacy is only one of the variables that need to be addressed. Data growth and variety, combined with a myriad of regulations around data, make it almost impossible for any organization to implement a sensible data privacy strategy. Even worse, many users have shown disinterest in prioritizing privacy.
Still, we cannot use those as excuses to ignore data privacy. We can create sensible regulations that can be implemented in the cloud without alienating users. Privacy may not be the only issue you face, but it is a critical one. On Data Privacy Day, it’s time to start the journey to a successful data privacy strategy. Start with Step 1. We’ll meet you in the cloud.
Learn more about your data privacy responsibilities under the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).