Since 2008, every Jan. 28—which comes around again this Sunday—has been designated as the official “Data Privacy Day,” or “Data Privvacy Day,” as pronounced in the UK.
Data Privacy Day (known in Europe as Data Protection Day) is an international event whose purpose is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, India and 47 European countries. The day commemorates the Jan. 28, 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
Designating a day like this is a good thing: people should be thinking about how best to keep their online data secure every day of the year, but a reminder at least once a year helps. It is also a day that storage and data protection professionals should recognize as a professional national holiday (okay, maybe take the day off on Monday, Jan. 29 this year).
As eWEEK's Sean Michael Kerner wrote two years ago: "Data privacy isn't just about encryption and tracking, it's about individual users. Vigilance is key."
“We are glad that Data Privacy Day exists,” NordVPN Chief Marketing Officer Marty Kamden said in a media advisory. “However, Privacy Day should be every day. There are simple things that are easy to maintain every day in order to avoid major hacks, system crashes, data loss and various snoopers.”
Here are some simple online privacy rules for each of us as internet users, as suggested by NordVPN:
Always update your software. Software makers constantly find new bugs and fix them with each new update, but users need to keep their systems up to date. Buggy software can cause data leaks, putting users’ privacy at risk.
Be cautious about what you share on social media. Keep in mind that what you post online stays online. If you are going on vacation, it’s wiser to post vacation photos after you come back; otherwise, thieves might learn that your house is empty. Also, don’t share any personal details, addresses or phone numbers.
Switch to an encrypted email provider, such as ProtonMail. ProtonMail is a free encrypted email service provider, offering end-to-end encryption, meaning even the provider itself cannot decrypt and read subscribers’ emails. No personal information is required to create accounts, and the basic account service is offered free of charge. Other secure email providers include Tutanota and Countermail.
Use strong passwords and a password manager. Perhaps the most basic requirement for any online account is a strong password (meaning longer and more complex than “qwerty123,” etc.) and a different password for each account. Weak passwords make it simple for hackers to break into an account. A reliable password has a minimum of 12 characters and includes a strong mix of letters, numbers and symbols. It’s not easy to remember a strong password for each site, so a password manager is recommended, though some, such as LastPass, have also experienced security breaches. In any case, password managers such as True Key (truekey.com) and 1Password are still recommended for safety and security.
Turn on multi-factor authentication. Multi-factor authentication is a security system that requires a user to log in with their username and password and then complete a second authentication step, such as a fingerprint scan or a code sent via text message. Most sites, including email providers, already offer multi-factor authentication as an option.
Use a VPN. A VPN encrypts all traffic between a user’s computer and a VPN server, adding privacy and security to their internet browsing. The only information visible to anyone between the user’s computer and the VPN server is the fact that they are connected to a VPN, and nothing else. All other information is private because it is encrypted by the VPN’s security protocol.
Enterprise Data Protection, Privacy is a Whole Other Ballgame
eWEEK checked with some other data privacy folks about the enterprise side of this. One of them, Rob Perry, Vice President of Product Marketing at Naples, Fla.-based workspaces and content management solution provider ASG Technologies, was asked how enterprises can keep personal financial information completely private and still comply with the upcoming GDPR (the EU’s General Data Protection Regulation).
A lot of companies are concerned about this because the new regulation goes into effect May 25, and its repercussions will be global.
“It’s worth noting that GDPR doesn’t require complete privacy,” Perry said. “GDPR compliance can be demonstrated without exposing personal data by showing how processes and tooling protects private data, and by demonstrating the ability to respond to EU residents’ requests in a timely fashion.”
Perry was also asked what tools enterprises can use to ensure users’ personal information is secure.
“Before assessing which tools are best for ensuring information security, it’s important to understand what data is under management and how it’s being used,” Perry said. “There are tools on the market (like ASG’s Data Intelligence) that can identify personal data throughout the data estate and trace how it is used. This provides a map of where to focus on securing data access.”
Data Not in Use Also Should Be Considered
Tools can also identify data that is no longer in use so it can be deleted, providing the ultimate security, Perry said.
“Information management tools also can provide means to limit access to personal data. Redaction, while not as secure as full deletion, can mask personal data in content such as account statements, applications and invoices, protecting it from unauthorized users,” Perry said. “Content services (such as ASG’s Mobius) can also apply privacy policies when content is ingested into the archive, and these policies can be triggered by events such as a protected individual requesting to be forgotten. In a case like that, the policy could trigger the deletion of that data, provided there were no legitimate reasons to refuse deletion (such as outstanding balances or current open accounts).”
Perry offered another perspective on this for eWEEK readers.
“Automation of data governance and understanding is the key here,” Perry said. “Tracking data and compliance manually will end up being too costly. While there are certain tasks that will need to be done manually–such as training and examining applications for minimal use of data–the ongoing data understanding and knowledge of changes is best provided through automated solutions.
“Having a solid GDPR compliance program provides a great foundation for other data compliance programs (many organizations have to deal with multiple parallel initiatives). Using the three-phased approach ‘assess, support, sustain’ guides organizations to protect personal data all while laying the foundation of data understanding and trust that provides value above and beyond simple risk-avoidance.”