Take a moment to remember all the information you have exchanged online… (your home address, your contact information, credit card and transaction details). What if there was a breach and your data got exposed? Who would be held accountable?
Beyond your home network, you trust organisations with your data so that they can provide a tailor-made experience that delivers only best-fit service for you. Financial organisations, insurance companies and even medical professionals have access to your personal data, from your alias to your Face ID! As the world bolts towards a closely approaching digital reality, this information is rapidly migrating online. Businesses undergo digital transformation at lightning speed, requiring them to digitalise their processes and remain agile. When storing information, the cloud is often ‘first pick,’ since it affords businesses a wealth of cost, security and scalability advantages.
When evaluating how businesses can safeguard consumer privacy by regulating personally identifiable information (PII), it is important to understand the value and cost to the business. According to Henry, the cost depends on the size of the business, what infrastructure already exists and the nature of business. It is assumed, for instance, that a marketing business will handle more PII than a construction company. Safeguarding data also takes into consideration whether the business decides to store on premise or migrate data to the cloud.
Personal data is a commodity… a modern currency! Wherever your data is stored, there should be laws that govern its safety and prevent misuse. Referred to as the CIA triad, confidentiality, integrity and availability are the core principles of data security. These principles govern how your data is stored to ensure only authorised persons can view it, make alterations, and your data is always available when needed.
It has become increasingly imperative to evaluate the state of the global landscape in regards to data privacy. Where does the Caribbean fall? Do regulations exist? Are they adequate?
According to Roldane Henry, Infrastructure Services Lead at MC Systems, the General Data Protection Regulation (GDPR) is the global standard and strongest attempt at ensuring data privacy remains a top priority for states, businesses and customers. By definition, the regulation “lays down rules relating to the protection of natural persons with regard to the processing of personal data, the free movement of personal data and protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
Nation-states such as China are still leaping towards structured regulation, passing their own data protection law, the Personal Information Protection Law (PIPL) on August 20, 2021. China’s law also applies to foreign organisations that process personal data overseas when providing service to China. The law requires consent from individuals pertaining to the transfer of their personal information. It still remains unclear how the security assessment will be handled, however, this move provides evidence that data privacy regulations are here to stay.
Many countries in the Caribbean have started to adopt the global mind-set and have embraced GDPR, and are establishing their own regulations. The Jamaican Parliament passed the Data Protection Act (2020) (DPA). The law takes a deeper dive, beyond contact and basic demographic information to include biometric data and DNA/genetic data. The DPA imposes obligations on all handlers of information aiming to protect the data subject. The act defines a data subject as “a named or otherwise identifiable individual who is the subject of personal data” and a data controller as the entity that determines the purposes for which and the manner in which any personal data should be processed.
Data regulation is necessary
According to Henry, the legislation prevents misuse of information and, if widely adopted, can present cases for accountability on all controllers who handle personal data. It imposes the duty of reporting all breaches and begins the conversation on consequences for misuse, even in court. With the world of business becoming more decentralised by the second, what technologies protect data and ensure that controllers maintain maximum levels of privacy, from anywhere? With data migrating to the cloud, someone from the Caribbean could have their information being stored on servers in Singapore. Can it truly be protected?
Current technologies that support data privacy and protection regulations include access control and encryption. Access control allows only predefined users or user groups to be given access to specific confidential information. On the other hand, encryption converts the data into an unreadable format that only those who have the secret key can decrypt. There are free encryption tools, such as HP Drive Encryption (HPDE) and Microsoft’s BitLocker, which assist businesses to safeguard their data. These methods help to mitigate the illicit access and sharing of data from unauthorised users or attacks. Henry also mentioned third party tools, such as SecureLink, which is a remote support platform that allows organisations to provide secure access to their vendors and users who need to access sensitive systems and data. This platform, which is used and delivered by MC Systems, provides end to end encryption, and a high definition audit trail for the connected session that helps to bolster compliance. This is also evident in MC Systems’ future-fit core banking solution, Phoenix International, which the organisation provides remote support using SecureLink.
Imagine a scenario where a software engineer is tasked with remotely troubleshooting issues on a customer’s server that also stores personal identifiable information (PII). How can your business ensure the customer only accesses task-specific data and does not go beyond the parameters established? In addition to access controls, some applications provide an audit trail that shares a log of all the engineer’s activities. Using a tool, such as SecureLink means you are able to view a high definition video log of the engineer’s session which shows a recording of all the files accessed, commands inputted and data shared. As such, there is concrete evidence of any unauthorised activities during the engineer’s session.
Another means of safeguarding data is by implementing endpoint protection, securing your network and, ultimately, business from malicious attacks from hackers and malwares, such as ransomware. With endpoint protection, files entering your network, or being stored or executed on your computers are examined to prevent disguised files (such as trojans) from being introduced into your network. Endpoint protection platforms (EPP) also guard against ransomware by using machine learning to study behaviours, in order to be better able to proactively detect attacks.
However, detecting a threat might not be enough in some instances, and, therefore, a response is also needed. This is where Endpoint Detection & Response (EDR) technologies come into play, as the new paradigm for endpoint protection. With an EDR, threats can be identified and stopped before they begin to corrupt your system. Similar to EPPs, EDR uses machine learning to detect threats, but it also uses advanced features such as artificial intelligence (AI), and cyber threat intelligence (CTI), which requires the collection and analysis of large data points to give the best possible results.
The value of data protection regulation is easily understood. As life becomes more centred on our digital identities and activities, a pathway to integrating security, privacy and governance into business processes must be established. Policy frameworks such as COBIT and ITIL 1 and standards such as ISO 27001, allow businesses to spearhead change management processes to include cyber awareness training for all staff members. These measures help businesses ensure financial information, intellectual property, employee details or information entrusted by third parties are secure.
Data is the future. The future is now! The introduction of the data privacy and protection laws across the Caribbean and the globe allows businesses to take greater responsibility for the data they control, and affords customers greater peace of mind, knowing that their information is being safeguarded, leading to greater confidence in business. The future is protected!
Send feedback on this article to firstname.lastname@example.org