The Do’s and Don’ts of Data: How to Keep Your Company Compliant in Today’s Data-Driven World
Attorney Ambler T. Jackson is a data privacy and protection expert who helps organizations understand and comply with today’s ever-evolving regulatory and compliance requirements. She is a beacon of excellence in a field where black women are few and far between. The scope of her work provides users and consumers with insights that help them to protect their data in the most practical ways possible.
BLACK ENTERPRISE caught up with Jackson to discuss all things data privacy and protection. Here’s what we learned.
BE: What is data privacy and protection and why is it such an important consideration in the context of personal privacy?
AJ: Data privacy and protection are two separate but related concepts. The idea of data privacy, which has significantly evolved over the last four to five years, really refers to an individual’s right to control how their personal data is used and shared. The data protection piece refers to the steps and actions taken, as well as the tools used, to secure personal data and to ensure, to the extent possible, that it is not accessed or used without our consent or the proper authority to do so. It is nearly impossible for an individual to enjoy data privacy if their data is not also secure. Moreover, a business that collects personal data cannot guarantee the privacy or confidentiality of their user or customer data without securing it against unauthorized access or use.
Because you cannot have privacy without security, data privacy and protection go hand-in-hand to accomplish the goal of mitigating risks. An example of the difference between data privacy and protection can be explained using the activity of logging onto a device such as a laptop or iPhone to check email. Your email password may be a phrase that only you know because you have not shared it with anyone. As far as you are concerned it’s private; it’s confidential. A nefarious actor who is skilled in hacking systems and stealing valuable data, however, may be able to access your email account if the system does not have the appropriate security controls in place. If the hacker can access your account using your password, your password is no longer private, and neither your password nor your account is secure. Examples of security controls include encryption, multifactor authentication, or the use of a firewall to name a few.
Data privacy and protection are important because we regularly and readily provide our personal data to enjoy the comforts and conveniences of everyday life. For example, our data-driven economy necessitates that we use our names, home addresses, credit cards, and Social Security numbers to complete basic transactions. Never before has the success of an entire business hinged on the ability to collect and share personal data. Providing our personal information and sharing our data are valuable to the business marketplace—as well as on the black market—as they provide unlimited opportunities to gain gratuitous benefits of the social bargain. Unfortunately, such benefits usually pass without regard to the harm we encounter.
BE: Why should companies be concerned with data privacy and protection?
AJ: Companies should concern themselves with data privacy and protection because we live in a data-driven world and their ability to stay in business is directly related to how they collect and use our data. A company that is playing the long game cannot be successful if its business model does not collect, process, or share data. While all data is not personal, collecting, processing, and sharing data often involve the personal data of users or customers. More importantly, if the company does not make data privacy and protection a priority, they invite the attention of regulators.
As we have seen with Facebook, Google, and others, regulators have the potential to levy hefty fines against companies who fall short on compliance. If you’re not Google or Facebook, and instead, a smaller business—perhaps a mom-and-pop shop—a fine and additional compliance requirements from regulators could be the ‘nail in the coffin’ for your enterprise. Short of closure, even the reputational harm resulting from the failure to comply with industry best practices might cause serious damage to the social equity of your brand.
Likewise, users and consumers are becoming more and more aware of their privacy rights and are beginning to demand that companies handle their data more transparently and responsibly. They want assurances that their data will not be used in a manner inconsistent with the reason they provided the data to the company in the first place. Their recourse is to do business with another company having better privacy policies or security controls in place. In short, companies should concern themselves with data privacy and protection if they want to remain in business. The days of not making data privacy and protection a priority are over.
BE: Are there any relevant pieces of legislation that govern this area and that should be prioritized?
AJ: Yes, the California Consumer Privacy Act, commonly referred to as CCPA, which protects California residents, became effective in January 2020. This is the most important and broad-sweeping privacy law to take effect since the European Union’s General Data Protection Regulation (GDPR). The CCPA introduces strong privacy protections which will require in-scope businesses to focus on user data and provide transparency in how they’re collecting, sharing, and using such data. Privacy experts agree that similar to GDPR, CCPA will have a national and global impact. Other states, such as Nevada, have also introduced privacy legislation.
BE: Where will the impact of privacy be the most controversial, especially where individuals are concerned?
AJ: I think that in the long-term, artificial intelligence (AI) will impact the privacy of individuals in a way that we cannot fully grasp at present. AI is used in just about every industry. Currently, the AI that most individuals use or have access to is narrow or weak AI, which includes algorithms that perform a specific task (think algorithms that perform facial recognition or an internet search). Eventually, as research progresses and technology advances, AI will become more entrenched in our everyday lives and outperform human capabilities.
Even though AI in and of itself is great—there is a significant amount of research supporting its various benefits—there is also credible research highlighting the unintended biases resulting from its use, especially where marginalized groups are concerned. It is a fact that bad data can contain implicit racial and gender biases. These biases may lead to discrimination. AI-biased systems do, in fact, exist. These systems need to be managed in an ethical manner, not just from a data privacy and protection perspective. Individuals such as myself who can actually identify the bias and communicate exactly what the risks are must work with C-suite leaders and managers at every level to ensure that companies do the right thing with their data in order to mitigate the risks associated with such bias.
BE: What is your best advice for a company trying to protect the data they collect?
AJ: My best advice for a company that collects personal data is to first identify a data privacy and protection framework to work within—one that closely aligns with the industry to which you belong. Then take every possible step to identify and categorize the types of data your company collects. In other words, know your data! Take inventory of the different types of data collected, processed and shared. Take the time to perform a data mapping exercise. You cannot secure or protect data that you don’t know about. Lastly, identify the risks associated with the kinds of data that the company owns. Then, to mitigate the risks, continuously monitor all business processes, vulnerabilities and security incidents. That would be a good start.