More Dr. Ann Cavoukian: GDPR and Access Control


We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD).

In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.”

We also made time to cover GDPR as well as three things organizations can do to demonstrate that they are serious about privacy.

Here are some highlights of our interview:

On User Access Control

You’ve got to have restricted access, to those who have a right to know, meaning there is a business purpose for which they’re accessing the data.

When I say business purpose, I mean that broadly. But it could be in a hospital, people who are taking care of a patient, in whatever context. It could be in the lab, they go there for testing. So there could be a number of different arms that have a legitimate access to the data.

Those who aren’t taking care of the patient in some broad manner should have restricted access to data. That’s when the snooping, the rogue employee, the curiosity, distorts the legitimate reasons for the people who should have access to information.

Especially in a hospital context, you want to enable access to people who have a right to know because they are treating you. And then the walls should go up for those who are not treating you in any manner. It’s difficult to do, but you have to do it. Because that’s what patients expect. Patients have no idea that out of curiosity, someone who shouldn’t have access is looking at their file.
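One way to implement the “walls go up” rule described above in code, as an added example that is not part of the interview or of any Varonis product: a chart read is allowed only while the reader has an active, documented relationship with the patient (treatment, or a lab order), and the same policy is replayed over an audit log to flag reads that had no business purpose behind them. All staff and patient identifiers, the relationship table and the log entries are constructed for the example.

```python
"""Relationship-based access control for patient records (added example, not from the interview)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed reference time for the sample data below.
T0 = datetime(2018, 3, 1, 8, 0)


def hours_after_start(h: float) -> datetime:
    """Timestamp h hours after T0 (helper for the sample data)."""
    return T0 + timedelta(hours=h)


@dataclass(frozen=True)
class Relationship:
    """A documented business purpose linking a staff member to a patient."""
    staff_id: str
    patient_id: str
    purpose: str                 # e.g. "treatment", "lab_order"
    start: datetime
    end: Optional[datetime]      # None means the relationship is still active


@dataclass(frozen=True)
class AccessEvent:
    """One chart read as it would appear in the record system's audit log."""
    staff_id: str
    patient_id: str
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class RecordAccessPolicy:
    """Allow a read only while the reader has an active relationship with the patient."""

    def __init__(self, relationships: List[Relationship]):
        self._rels = list(relationships)

    def active_purposes(self, staff_id: str, patient_id: str, at: datetime) -> Set[str]:
        """Purposes that were in force for this staff/patient pair at time `at`."""
        return {
            r.purpose
            for r in self._rels
            if r.staff_id == staff_id
            and r.patient_id == patient_id
            and r.start <= at
            and (r.end is None or at <= r.end)
        }

    def decide(self, staff_id: str, patient_id: str, at: datetime) -> Decision:
        purposes = self.active_purposes(staff_id, patient_id, at)
        if purposes:
            return Decision(True, "active relationship: " + ", ".join(sorted(purposes)))
        return Decision(False, "no care relationship with patient at time of access")


def find_snooping(policy: RecordAccessPolicy, log: List[AccessEvent]) -> List[Tuple[AccessEvent, str]]:
    """Replay each logged read against the policy; return the reads that lacked a business purpose."""
    flagged = []
    for event in log:
        decision = policy.decide(event.staff_id, event.patient_id, event.at)
        if not decision.allowed:
            flagged.append((event, decision.reason))
    return flagged


# Constructed sample data (hypothetical identifiers).
RELATIONSHIPS = [
    Relationship("dr_lee", "P1001", "treatment", T0, None),
    Relationship("nurse_kim", "P1001", "treatment", T0, hours_after_start(12)),           # shift ends
    Relationship("lab_ortiz", "P1001", "lab_order", hours_after_start(1), hours_after_start(3)),
    Relationship("dr_lee", "P2002", "treatment", T0, None),
]
POLICY = RecordAccessPolicy(RELATIONSHIPS)

ACCESS_LOG = [
    AccessEvent("dr_lee", "P1001", hours_after_start(2)),      # treating physician
    AccessEvent("lab_ortiz", "P1001", hours_after_start(2)),   # lab processing an order
    AccessEvent("nurse_kim", "P1001", hours_after_start(14)),  # read after the shift ended
    AccessEvent("clerk_ray", "P1001", hours_after_start(5)),   # no relationship at all
    AccessEvent("dr_lee", "P3003", hours_after_start(5)),      # a patient dr_lee is not treating
]

if __name__ == "__main__":
    for event, reason in find_snooping(POLICY, ACCESS_LOG):
        print(f"FLAG {event.staff_id} read {event.patient_id} at {event.at:%H:%M}: {reason}")
```

The replay matters because many record systems grant every clinician broad read access and rely on the audit trail to catch misuse; running the same policy object in both the enforcement path and the detector keeps the two definitions of “business purpose” from drifting apart, so a read the system would have blocked is exactly the read the review flags.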

Three Things Organizations Can Do

1. When I go to an organization to speak about privacy, I speak to the CEO, Board of Directors, and senior executives. I give them the message that they need to be inclusive: you have to have a holistic approach to protecting privacy, and it’s got to be top down. If you get that messaging to your front line folks, that you care deeply about your customers’ privacy, that message will emanate.

Also, let your customers know that their privacy is highly respected by this company: we go to great lengths to protect your privacy. You want to communicate that to them, and then you have to follow up on it. Meaning: we use your information for the purpose intended, we tell you what we use it for, we collect it for that purpose, and then privacy is the default setting; we won’t use it for anything else without your positive consent after that for secondary uses.

2. I would have at least quarterly meetings with staff. You need to reinforce this message. It needs to be spread across the entire organization.

It can’t be just the Chief Privacy Officer who is communicating this to a few people. You have to have everyone buy into this. The front line clerk might be low on the totem pole, but they might have the greatest power to breach privacy, so they need to understand, just like the highest senior manager, how important privacy is, and why, and how you can protect it.

Meet with your staff and drive the message home. You’re going to get what I call a privacy payoff: you’re protecting your customers’ privacy, and it’s going to yield big returns for your company. It will increase customer confidence, enhance customer trust, and increase your organization’s bottom line.

3. I would invite a speaker, and everyone from your company, so that you can have these ideas reinforced. You bring in a speaker who can speak to what happens when you don’t protect your customers’ privacy.

Last year they called it the year of the data breach; it was rampant. So it really helps to tell the people in your company and help them understand what could happen when you don’t do it right, and what the consequences are to the company and to the employee: you could lose your job, the company could go under, you could be facing a class-action lawsuit.

It’s not all a bad news story. I’ll give the bad news, and then I applaud the behavior of the company, and what they get is this dual message: this has real consequences when we fail to protect our customers’ privacy, but look at the gains and payoff. It makes them feel really good about themselves, about the good job they’re doing, and it underscores the importance of protecting privacy.

The post More Dr. Ann Cavoukian: GDPR and Access Control appeared first on Varonis Blog.
