A new survey suggests that only 36% of Canadian businesses know where their data is coming or going. Probably not comforting for those who value privacy.
When Europe passed the General Data Protection Regulation (GDPR) back in 2018, some people were wondering if it was even necessary at all. After all, such a law was kind of a novel thing, especially given that it applied all across Europe. Of course, as time went on, the merits of the law were pretty much proven thanks to an insane number of reports being filed. The debate pretty much shifted from whether or not the law is needed to whether the law’s enforcement side can even handle such a monumental task of securing people’s personal information. As it turns out, the problem of keeping personal information secure was a much larger problem than anyone even came close to anticipating.
As a result, it really lends credibility to the idea that countries outside of Europe need an effective privacy law. If the effect of digging into the reality of what the state of privacy is in the private sector in Europe is the equivalent of thinking that someone’s house might be a little messy only to discover that the person was one of those worst case scenario hoarders, then it kind of makes any reasonable person shudder to think about what might be lurking in their own country.
In Canada, there have long been calls for major and sweeping privacy reforms. Indeed, the Cambridge Analytica scandal really only galvanized the movement for such reform. After all, it was evident even as far back as 2018 that Canada really needs privacy reform. After long delays, the Canadian Liberal government introduced Bill C-11, the long-awaited Canadian privacy reform bill. At the time, it felt like the Canadian government was finally going to be bothered to fix this dire and long-standing problem of privacy laws being woefully out of date, where businesses realize that there are little to no repercussions for losing people’s personal information.
Naturally, businesses in Canada weren’t too happy about the prospect of lifting a finger to protect people’s personal information. So, they unleashed the lobbyists on the Liberal party, which listens to the donor class, and told them to toss privacy reform into the trash. The Liberals obviously listened to big business and didn’t advance the legislation at all. When people started questioning why the privacy reform bill hadn’t made any progress, the Liberals, through the Innovation Minister, simply blamed the Conservatives for the lack of progress and dusted their hands of this bill. This in spite of the fact that the bill was never moved to committee for the Conservatives to delay in the first place.
The bill ultimately died on the order paper with the election being called, and the Liberals have expressed little interest in bringing the legislation back. As a result, no privacy reform seems to be on the horizon any time soon. The Liberals basically kicked the can down the road, much to the delight of businesses who would rather take some of that hard-earned money and put it to uses better than protecting people’s personal information, like stock buybacks, buying private yachts or islands, stuffing that cash in offshore bank accounts, or whatever else they do with their mountains of hoarded cash.
Indeed, although the recent Newfoundland healthcare breach really did serve as a wake-up call for better privacy reform, few, if any, outside of us took the incident as such. Instead, they quietly hit the snooze button, rolled over and went back to sleep. So, the momentum behind privacy reform seems to be largely dead at this point even though it really shouldn’t be.
So, in some respects, it’s probably not a surprise that businesses are largely ignoring the state of the data flowing through their businesses to this day. A survey found that a mere 36% of businesses even know where their data is coming or going. In a press release published by PwC Management Services LP, a business advisory organization, a survey is suggesting that the state of data in general is at risk:
Over 80 per cent of Canadian executives say that too much avoidable, unnecessary organizational complexity poses ‘concerning’ cyber and privacy risks. Globally, CEOs tend to be more concerned about cyber and privacy risks arising from complexities in the cloud environment, governance of tech investments and crossover from IT to operational technology (OT). We’ve heard similar concerns from Canadian CEOs and executives.
When Canadian executives were asked to prioritize initiatives aimed at simplifying cyber programs and processes, they displayed a slight preference for adoption of a cloud-technology strategy. The other key initiatives included were: integrated controls across risk disciplines, integrated data governance, technology rationalization and supply chain rationalization.
Data is a chief point of concern. Data governance and data infrastructure are considered to be areas of ‘unnecessary and avoidable’ complexity by a majority of Canadian respondents (80 per cent and 81 per cent, respectively). However, only a third of Canadian respondents report having mature, fully implemented data trust processes in four key areas: governance, discovery, protection and minimization. While nearly one in five Canadian respondents says they have no formal data trust processes in place at all.
Organizations can benefit from setting up a good foundation of data trust. This ensures organizations are using data responsibly, securely, accurately and ethically and therefore is a reliable tool when making business decisions. This year’s data shows that a mere 36 per cent have mapped all their data, meaning they know where it comes from and where it goes. Even fewer (29 per cent) have mature data minimization processes. It is imperative for organizations to mature their data trust practices, especially when compliance regulations arise such as Bill 64 in Quebec and the expected reintroduction of the federal Consumer Privacy Protection Act (Bill C-11).
Organizations can’t secure what they can’t see. And most respondents to this year’s survey seem to have trouble seeing their third-party risks. The risks are obscured by the complexities of their business partnerships and vendor networks. Only 41 per cent of Canadian survey respondents say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter in Canada have little or no understanding at all of these risks. This is a major blind spot of which cyber attackers are well aware and willing to exploit. The organizations that have had the best cyber outcomes over the past two years have consolidated technology vendors as a simplification move. Paring the number of tech and other third parties reduces complexity and increases the ability to know how secure they are.
To be fair, we rarely see any indication of the state of data in the private sector in Canada. Still, the numbers are quite depressing (and maybe a little bit alarming). At the same time, while this organization sounds confident that Bill C-11 is definitely coming back in the new government, we don’t really share that enthusiasm. All indications point to our predictions of the Liberals focusing on the war on the open Internet. You know, because cracking down on speech is obviously a higher priority than the trivial idea of protecting people’s personal information from nefarious third parties.
Still, the lax attitudes towards data of any kind actually do make sense. If there are no laws saying you need to protect, let alone track, where personal data is coming or going throughout your organization, why bother even looking into it in the first place? Sure, there are some executives out there who actually value that sort of thing, but chances are, they are going to fall into two categories: they actually get it and know why it’s important to protect that data, or they were the victim of a hack and they have been spooked into trying to mitigate the risk in the future (probably lawsuit-related fear).
As a result, this lax attitude towards data is partly thanks to the lax attitude from the government surrounding personal information. Things happen, oh well. It’s only a handful of people’s lives being completely ruined, so what’s the big deal? Unless the Canadian government’s attitude changes on this front, there is little reason to think that businesses are going to actually care at this stage. As usual, Canadian citizens are the ones that wind up getting royally screwed over in the end.
Drew Wilson on Twitter: @icecube85 and Facebook.