Privacy Regulations – GDPR and CCPA – Day 24 of Cybersecurity Awareness Month


Shelly Miller  00:06

Data privacy is on many people’s minds now that it’s Cybersecurity Awareness Month. Personally, I’m concerned about how much data I have online and the implications for my privacy. But should businesses be taking data privacy more seriously? And what are some steps they should take? With us today is Craig Taylor, CEO and co-founder of CyberHoot, an online cybersecurity awareness platform that helps MSPs and small businesses build their cybersecurity programs quickly and effectively. So, Craig, what do business owners and MSPs need to do about data privacy?

Craig Taylor  00:36

It’s a great question, and it’s a very timely topic. I’m going to go through about five different steps that MSPs and SMBs need to take for their businesses to comply with data privacy regulations today. But know this, and we’ll get into it: there’s a lot of change coming, with additional states publishing their own data privacy regulations.

So this is very much in flux. But for today, and for right now, the very first step I would take is to identify for yourself what private data you collect. Another word for private data is non-public personal information. It’s usually the combination of a name with something else: a full name with an address, or a full name with a credit card, or a full name with a date of birth or social security number.

That’s private data. And you need to understand the types of data that you collect that fall under privacy, where it’s stored, how it can be accessed, and by whom: who is authorized within your company to access that data as part of their job function. That’s number one. Number two is to then work on your website and look at your website’s privacy policy.

If you don’t have one, that’s probably an important thing to get resolved. In today’s day and age, there’s so much legislation that you really ought to have a privacy policy that has been updated in the last, you know, decade. I see some that are 20 years old in my reviews. That privacy policy captures and articulates both the type of data you collect and also how you need to comply, and how you do comply, with things like the general data privacy act in the EU, the European Union, or, more importantly, in the US, where laws have passed in California, the California Consumer Protection Act, and a couple of other states, Virginia, and I believe New York is about to pass something. Those privacy laws call out some specific requirements that you need to make in your data privacy policy: how you collect your data, what that data is, and then, this is point number four, how an individual can request their own data, to see it, to correct it, to delete it, and to prevent its sale to another party.

Those are all parts of the California and most other legislation. Yes, I see now we brought up the slide. If you look at this slide, you’re going to see that there are a number of states that have passed legislation, three, and there are so many more that have it in committee, which means it’s almost ready to be passed.

And when I’ve looked at the three states that have passed, it’s really all cookie-cutter copies of one another with the same prescriptions. Another area that I would recommend is that you appoint a data protection officer and you call that person out in your privacy policy. And here’s another little tip: you have to have two ways of contacting that person. You need a phone number most often and an email address, and I typically set up dpo (data protection officer) @ your company name .com, and that inbox is monitored by your team of folks and your DPO to look at the privacy requests that come in.

The final thing is a very important one: you need to build an authentication process for these data privacy requests before you get one. Make sure that that process takes in as many factors as possible. If you happen to collect a phone number or mobile device for an individual alongside their name and their email address, you’re golden, because you can do multi-factor authentication of an individual making a privacy request. You can email them or check their email. You can also send them a text message with a one-time code to validate their identity; that can be part of your authentication. Because, quite frankly, these privacy legislations can themselves lead to data breaches, where people request data under data privacy and they’re not supposed to. It could be a hacker trying to game the system.

Shelly Miller  04:41

Okay, so you seem to be implying that data privacy requests could come from hackers or the wrong person.

Craig Taylor  04:47

That’s absolutely right, Shelly. It’s already happened, not necessarily by hackers but by security researchers in the UK, because the European Union’s GDPR has been published for many years now. A security researcher made 150 requests for his spouse’s data, not his own but his wife’s data, under the privacy legislation, and he collected her credit card number, her social security number, home address, school grades, even the hotel she stayed in, all without ever being authorized by his wife or appropriately authenticated to get that data. So it can be a source of breach data if you’re not careful. That’s why we want you to have your privacy policy and your authentication process nailed down.

Shelly Miller  05:34

Okay, so for businesses: know what private data you collect, have an updated privacy policy on your website, appoint a data protection officer, and have a documented authentication process for data privacy requests? Well, what about for individuals? What should they do?

Craig Taylor  05:48

Well, that’s an interesting point. I guess data privacy applies to businesses, but it also applies to individuals. So I’ll give you three tips for individuals worried about their private data. You started by saying, Shelly, that you are worried about your own private data on the internet. That’s where I always recommend folks limit what they post on social media and to whom. Don’t accept all these friend requests from people you don’t know directly; even an acquaintance you might not want to friend, because you don’t know what their motivation is for befriending you.

You just want to keep that limited: limit the number of people you accept friend requests from on social media, and limit what you post. And then, when you do have to give out sensitive data to a company or a business, such as a social security number, ask how they handle that data, and be adamant that you do not want to give out something like a social security number.

It’s a habit for some companies to request that when they don’t really need it. So challenge them and say, “Do you absolutely have to have this?” A lot of the mobile carriers and the Internet Service Providers used to just collect it by default. I’ve long since said, “No, I’m not giving it to you.” And they go, “By now we have a special process for people that refuse to give us that.”

And that’s fine; you’re limiting the exposure of your sensitive and personal data. So in conclusion, whether you’re an MSP, an SMB, or an individual, you need to understand how to protect and accommodate private data, non-public personal information, both personally, as we’ve just discussed, and professionally as a business. And in so doing, you’re really helping yourself become aware of your obligations, and therefore you’re going to be more secure with your data and your business.

Mike Miller  07:27

So that’s why we need to become more aware to become more secure.

Craig Taylor  07:32

Yes

Shelly Miller

Entrepreneur, marketer and social psychologist - I help you make the most of your business with marketing, online and offline.
