If you do business in the European Union, you are likely very familiar with the concept of privacy and GDPR (General Data Protection Regulation). But even if you don’t have any employees or customers on the other side of the “pond,” privacy issues still impact your company and its physical and cyber security posture.
The Identity Defined Security Alliance (IDSA) recently released a whitepaper, “2023 Trends in Securing Digital Identities,” in which 89 percent of identity and security professionals surveyed said they were somewhat or very concerned that new privacy regulations will impact identity security at their organization.
The whitepaper also found that identity-related incidents continue to be a problem for organizations, with 90 percent reporting one in the last 12 months, a 6 percent increase from last year’s report. Less than half — 49 percent — reported that their leadership teams understand identity and security risks and proactively invest in protection before suffering an incident, and 29 percent only engage and support after an incident.
Some other key highlights from that report include:
- The top two barriers for security teams are identity frameworks being complicated by multiple vendors and different architectures (40 percent) and complex technology environments (39 percent).
- Insufficient budget (30 percent), a lack of expertise (29 percent), standards (26 percent), people (25 percent) and governance (23 percent) were also indicated as barriers.
- 55 percent reported that the adoption of more cloud applications is the main reason for an increase in the number of identities.
- Other critical factors driving identity growth were identified as the rises in remote work (50 percent), mobile device usage (44 percent) and third-party relationships (41 percent).
- 86 percent of respondents say managing and securing identity is one of the top five priorities of their security program.
This whitepaper is not the only recent news discussing new or existing privacy concerns or laws.
In May, the European Data Protection Board reiterated its call for a ban on the use of facial recognition technology in certain cases, and stressed that these tools should only be used in strict compliance with the Law Enforcement Directive.
And here in the U.S., the Federal Trade Commission issued a warning in May about biometric misuse. The warning expressed concerns over data privacy and potential discrimination if the technology is misused. Biometric information refers to data that depict or describe physical, biological or behavioral traits, characteristics or measurements of or relating to an identified or identifiable person’s body.
The policy statement also notes that the FTC will consider several factors in determining whether a business’s use of biometric information or biometric information technology could be unfair in violation of the FTC Act, including:
- Failing to assess foreseeable harms to consumers before collecting biometric information.
- Failing to promptly address known or foreseeable risks and identify and implement tools for reducing or eliminating those risks.
- Engaging in surreptitious and unexpected collection or use of biometric information.
- Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors and end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies.
- Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information.
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale or uses in connection with biometric information, to ensure that the technologies are functioning as anticipated and that the technologies are not likely to harm consumers.
So maybe it is time to take a fresh look at your company’s privacy policies and make sure they are in compliance with the latest guidelines and regulations.