Analysis of the importance of being more careful with the information we are sharing and how security technology challenges current legislation.
by Gigi Agassini, CPP*
You hear a lot about the "protection of personal data" and the care that should be taken, starting with oneself, however, it is a topic that is still taken very lightly and the factors can be many, from ignorance, denial (believing that it will not happen to us or that, if it happens to us, it will not be so serious) or disinterest.
The main problem is that the human being tends to "normalization" in all areas and that of crimes is not different, we know that there are "risks" but we see them that happen so daily and in front of us, that it already seems "normal" that they occur and the truth is that there is nothing "normal" in crimes, when they can, in a certain way, be prevented or decrease their risk.
Personal data is a topic of high relevance, because it is about our identity as a person (physical or moral) of all that information that identifies us as such and that the misuse of these commits us; then it plunges us into a "digital crisis" and this can range from the theft of our identity to the paralysis or total closure of the business, and examples there are many international companies regardless of the size of these or turn to which they are dedicated and is that we continue submerged in "the denial" that these things only happen to large companies, and that is totally and absolutely false!
As users providers of our personal information we give "accept" more than 99% of the time to all those squares that indicate if we already read the "privacy notice" and the contract of "terms and conditions" that, although it seems "they are the same" they are definitely not and it is the obligation of every place (physical or digital) to ensure the "responsible handling" of personal data, since as individuals we have rights and obligations before them.
So here two important responsibilities are opened: ours as a user provider of our personal information, but also of the entity that "will treat" our data, since it is not only about publishing a "privacy notice", but there must be a whole structure behind that supports this "treatment" of data based on the laws that are regulated according to the country and even, of the international treaties to which it is linked, from the person who will receive all the requests of the users who provided their information, the one who "decides" on the processing of the data, to who will respond, and failing that, in front of the authority if so required. And although the processing of personal data seems very "simple", this is one of the many reasons why both parties (user and entity that processes the data) do not give it the seriousness that corresponds.
Let's go to the basics, information has a cycle: data generation or capture, storage, use, disclosure, access and destruction, yes! Destruction, destruction is part of the information cycle, however, there is a process in the case of personal data to destroy the information.
Data protection laws
Depending on each country there is and regulates its legislation and as I mentioned above, the international treaties to which it is a party should also be considered. Take Mexico, for example; everything described above has a legal basis supported by the Federal Law on protection of Personal Data held by Individuals (LFDPPP) and the General Law on the Protection of Personal Data held by Obliged Subjects.
The LFDPPP suggests that the person in charge of the "data processing" is the natural or legal person who processes the personal data in the name and on behalf of the person in charge of the treatment, that is, it is the person in charge of the treatment, but not the one who decides on how the data will be treated; for example, a company that offers cloud computing services and stores databases of a controller, or the one hired by the controller for the destruction of their documents, is considered to be in charge of the treatment.
This law includes certain elements with which entities must comply to "guarantee" the protection of personal data such as the following:
• Consent of the owner of the information
• Inform what customer data will be used for
• Guarantee your ARCO rights (acceptance, rectification, cancellation and opposition)
In order to comply with the Federal Law on the Protection of Personal Data, certain principles are established:
• Legality
• Consent
• Information
• Quality
• Purpose
• Loyalty
• Proportionality
• Responsibility
Without going into detail in the legislation, the question is then: why is it so easy to accept the privacy notices without reading if they tell us what is the treatment they will give to our personal data? Well, it is an extraordinary question of which there are several answers: it saves us time, because what we want is to get out of line or simply use what we need either a website or an application on our phone and we assume that we will not have any problem if we give only "accept", because we "trust" that the data that identifies us as such will not be misused.
Wow! Don't you think it is a VERY high risk to give that confidence to those you do not know? It's like handing over your credit card, savings, and deeds of your home (to mention a few) to the first person who crosses in front of you, or handing over your company's financial statements and stock to a stranger, hadn't you thought about it?
Technological advances, the challenge of legislation
One of the great challenges for all legislation, regardless of the country in which you are located, is the rapid advance in biometric technology, since it implies and brings with it immensely great challenges for its regulation and compliance with the law that allows to continue protecting the most important thing for every person: their identity!
When they violate your email account you can change your password, and that (within the personal security policies) you should change it from time to time, but when they violate your biometric data it is not easy to change your face or your fingerprints or the iris, and this is where there is a lot of concern about the treatment of the data, Well... at least the concern is in the parliaments to generate and regulate legislation strong enough for these technologies and that allows to continue guaranteeing the best treatment and safeguard the identity of people.
Recently the European Parliament called for a ban on the police use of artificial intelligence, since one of the great arguments of the Chamber on technologies such as facial recognition or prediction algorithms and is that "you have to be especially vigilant with these technologies, which must be subject to strict regulations and ultimately must always have human supervision."
And without a doubt, there is a long lack of legislative issues to regulate the treatment of people's biometric data. It is a reality that technology is advancing faster than laws and regulations, but we cannot lose sight of the fact that it is important to comply with the regulations and laws that govern, and, in something as delicate as the processing of personal data, we should not be part of the crime and leave people vulnerable (physical or moral) because we do not want to get involved in legislation, either because of ignorance or by insisting on the denial that this will not happen to us.
So the next time you think about implementing any technology or some visitor management control or any process that involves the collection of personal data or biometrics of users, make sure you comply with the regulation that marks your country and in this way protect the organization, as well as guarantee a good management of user information.
When you have a privacy notice in front of you, think before that it will be mentioned there that they will do with your personal data and it is important for you to know, more important than the rush to jump the line, use an application or continue with a filling of information, your information!
* Gigi Agassini, CPP
International Security Consultant
[email protected]
Leave your comment