Will Canadians and Americans demand that our governments make businesses
offer privacy protections similar to GDPR? New research reveals...
GDPR impact on businesses in Canada and the United States. The is a Cyverity report and a
special edition of Threat Actions This Week. GDPR, of course, is the general
data protection regulation and it went live as of May 25th 2018. OK let's look
at the nine rights that individuals now have in Europe and the businesses need
to comply with in Canada and the United States if you are collecting processing
or otherwise using personal data from Europeans or about Europeans. So let's go
through the nine rights really quickly and then I'll just highlight some of the
real differences that we're seeing. Number one is the right to be informed. To
know what data you have about me. The right to correct my data to rectify any
errors in the data that you have about me. The right to be forgotten to ask you
to delete personal data that you have about me. The right to restrict or limit
how you use my data. The right to be notified. To let me know if you've
corrected deleted or have otherwise complied with my request. The right to
data portability. To allow me to take my data from your business somewhere else.
The right to object. To tell you to stop using my data in the way that you might
be or to stop collecting that data. The right to limit profiling. To not have my
data, the data about me, segmented into buckets based on your algorithms. OK so
what are the really big changes here because some of this we already sort of
have when we look at our own American or Canadian privacy legislation. There are
differences though. The right to be forgotten absolutely a big change and
that could be costly for organizations as you cull through your data to pull
out the historical records of customers and delete those records. The right to
date a portability. This one can't be underestimated. As
you're investing in the relationship between you and your customers that
customer has the right to remove their data from your system and bring it over
to someone else's system. In other words it's their data not your data. So that's
a pretty big change and something again not to underestimate. Now here's one that
hasn't received as much attention as I think it should have. You have the right
to limit profiling now as artificial intelligence gets better and better and
as there's new ways to correlate all different kinds of information there's
all sorts of new business models new trends that haven't even been thought of
yet when we think about how artificial intelligence is going to be
fundamentally reshaping the interaction between business and customers how it's
going to be forming new communities well as an individual in Europe I have the
right to tell you to not profile me in certain ways can the long arm of the law
of the European Union really extend across the ocean and reach my
organization well the short answer is yes a court ruling in the European Union
absolutely can take effect in Canada or the United States will a set of privacy
rights as strong as those in effect for European soon safeguard North Americans
if we take popular opinion as a guide to how lawmakers may react let's find out
what five hundred people from across the continent think this survey was
conducted as of May 23rd 2018 all right here's the question should the United
States government make businesses give you more control of your own private
data like GDP our will for Europeans and that same question was posed for
Canadians about the Canadian government the options they have are yes no or
don't know Canada I'll get to the results in just a minute let's start
with the United States only 12% say no if it wasn't for the big news of
late about Cambridge analytic ah and Facebook I'd find the sentiment
counterintuitive I thought Americans opted for less
government not quite libertarian but not this lowest twelve percent of the
population so how many Americans said yes they do want more legislated privacy
protection 42% of Americans said yes well that leaves 46% a fairly large
percentage that are undecided at this point in time women tended to look
towards government involvement a little more than men interestingly by age
typically as we get older we want more government oversight say for those who
are 18 to 24 year old who stand out is a very important demographic and possibly
a leading indicator of change on the way with the amount of them who are saying
yes I do want government involvement to protect my privacy now in Canada similar
to Americans 14 percent say no thanks to government involvement in making
business protect their personal data but only 33 percent say yes now if I had to
place a bet on the results of this research in advance I would have lost
this one I would have thought Canadians would seek more government intervention
than Americans but the people of spoken another small difference is that men in
Ghana seem to slightly favor added privacy protection from an age
perspective there are some differences to the US but generally speaking the
shape of our sentiment is much the same when we're in the heart of our working
years we vote for less protection but when were younger or when were older
were likely to say look I want more protection very interesting ok so what
are these results mean overall so two things one with a large number of
undecided and number two with the younger population saying that they want
change we could very well see GDP our strength legislation coming to
North America if our politicians are reading these kind of tea leaves so
there are certainly a lot of checklists online where your organization can go to
find out what it should be looking at and the tasks it should be laying out
for itself with respect to GD P R let me highlight some of the key areas that
your organization will want to look at one is don't collect extraneous personal
data well that goes without saying at least it should with respect to existing
privacy legislation delete personal data when no longer needed
same thing know that personal data includes metadata like geolocation data
or IP addresses remember the scandals around the NSA data that was leaked well
that was all about metadata and that can identify who a person is you have to get
consent and this goes beyond what we saw from can spam and from a casul
perspective along the same vein be very clear about privacy and your privacy
policy make that obvious make it clear for individuals really to understand
that know where personal data is this actually may be a little bit of a
challenge for organizations who aren't sure where all the personal data is that
they collect or even if they're collecting data on or about Europeans
conduct a threat risk assessment it's good documentation to have and frankly
it's really the only way to know if your security technologies and processes are
actually working demonstrate strong IT security predominantly gdpr is about
confidentiality of data in other words that that data hasn't been revealed to
people and about the integrity of that data as well in other words that the
data is correct the data hasn't been corrupted but gdpr does also mention
availability and what that means is that if you're collecting personal data you
have a platform that an individual is used to using and now that platform is
offline there could be consequences for that when we look at the fines related
to GDP are however most of those seem to be related to confidentiality and
integrity so we'll have to see how the of
availability peace plays out have an incident response plan that you should
just have anyway but seeing as you only have 72 hours to notify individuals of a
data breach there's no way you'll be able to do that if you don't have a plan
in place next point is to really just document every effort to be compliant
with gdpr write everything down there should be
one of the primary things that you do create a full or part-time Data
Protection Officer you appoint someone who is going to be a data protection
officer and this can be a part-time role depending on the company now it could be
a big deal depending on how much data you collect and this could be a
department of an organization but for a lot of organizations it will be a
part-time job for somebody set workflow to handle complaints and requests know
how websites and other partners handle personal data if they're not compliant
you're not compliant either I'm David said this is a cyber t report and a
special edition of thread actions this week you can catch that podcast on
YouTube iTunes and a number of other platforms thanks for listening and let
us know how we can help you
Không có nhận xét nào:
Đăng nhận xét