Monday, January 28, 2019

Secure Translations - Privacy reminder on EU Data Protection Day - Part 6 of Many

Today is European Union Data Protection Day, and while there is a lot of GDPR-related myth, there are definitely good reasons to be alarmed about privacy breaches. The regulation applies, for now, only to individuals in the European Union, and therefore to any international company dealing with them.

This is the 6th post in my Secure Translations series, and this time I am discussing threats related to privacy breaches.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Privacy breach.
  • Asset: Any service where customer contacts, vendor information or staff information is stored.
  • Vulnerability: Storing more user information than what is actually needed and/or for purposes not agreed by the user.
  • Risk: The impact of keeping personal information for longer than needed, or for purposes the user did not agree to, is high for a business both financially and reputationally. The likelihood of such a breach increases with the level of misunderstanding of what GDPR means for corporations, so the risk is medium or high depending on how ready the company truly is for GDPR compliance. Some examples shared by the European Commission are: outbound marketing such as telemarketing and promotional emails that accidentally disclose personally identifiable information (PII); not reporting an accidental disclosure to the national Data Protection Authority (DPA) within 72 hours; failing to secure user data (one or more European DPAs, or the European Data Protection Board itself, will investigate your processes in depth); and processing personal data without the user's consent.
  • Safeguard: Use a security plan that adopts an existing, well-known framework such as the NIST Cybersecurity Framework, or a combination of several frameworks. Make sure all your service providers, including Language Service Providers (LSPs), have a SOC 2 Type II report (only a Type II report matters here; do not settle for less). Avoid storing any sensitive information in marketing platforms: segment by pseudonymous IDs rather than by actual PII. Apply data minimization up front.
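The "segment by IDs rather than PII" and "data minimization up front" safeguards above can be put into code. The following is an added example written for this post, not code from the original article or from any product mentioned in it. It assumes a small, constructed customer table (no real people), a secret key for pseudonymization that would in practice live in a secrets manager, a two-year retention window, and field names (`customer_id`, `consents`, `last_activity`, and so on) chosen only for the illustration. The export that goes to the marketing platform carries an HMAC-derived segment ID plus an allowlist of non-identifying attributes; direct identifiers never leave the system of record, records without marketing consent are skipped, and records past the retention window are dropped.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample records for this example only; these are not real customers.
CUSTOMERS = [
    {"customer_id": "c-1001", "full_name": "Alice Example", "email": "alice@example.com",
     "phone": "+49 30 000000", "country": "DE", "language_pair": "en-de", "plan": "pro",
     "consents": ["service", "marketing"], "last_activity": date(2019, 1, 10)},
    {"customer_id": "c-1002", "full_name": "Bob Example", "email": "bob@example.com",
     "phone": "+33 1 000000", "country": "FR", "language_pair": "en-fr", "plan": "basic",
     "consents": ["service"], "last_activity": date(2019, 1, 20)},   # no marketing consent
    {"customer_id": "c-1003", "full_name": "Carol Example", "email": "carol@example.com",
     "phone": "+34 91 000000", "country": "ES", "language_pair": "en-es", "plan": "pro",
     "consents": ["service", "marketing"], "last_activity": date(2016, 5, 1)},  # stale
]

# Reference date for the retention check (the day this post was written).
AS_OF = date(2019, 1, 28)

# Data minimization: the only attributes the marketing platform actually needs.
MARKETING_FIELDS = ("country", "language_pair", "plan")
# Direct identifiers that must never appear in a marketing export.
DIRECT_IDENTIFIERS = ("customer_id", "full_name", "email", "phone")


def pseudonymous_id(secret_key: bytes, customer_id: str) -> str:
    """Keyed hash (HMAC-SHA256) of the internal id.

    Stable per customer, so the platform can still build segments, but it cannot be
    reversed without the key, and an unkeyed hash of a guessable id would not give that."""
    return hmac.new(secret_key, customer_id.encode("utf-8"), hashlib.sha256).hexdigest()


def within_retention(record: dict, today: date, retention: timedelta) -> bool:
    """Retention rule: drop records with no activity inside the retention window."""
    return today - record["last_activity"] <= retention


def build_marketing_export(records, secret_key: bytes, today: date,
                           retention: timedelta = timedelta(days=730),
                           purpose: str = "marketing") -> list:
    """Rows safe to hand to a marketing platform: segment id + allowlisted fields only."""
    export = []
    for r in records:
        if purpose not in r["consents"]:          # no consent for this purpose
            continue
        if not within_retention(r, today, retention):
            continue
        row = {"segment_id": pseudonymous_id(secret_key, r["customer_id"])}
        row.update({field: r[field] for field in MARKETING_FIELDS})  # allowlist, not denylist
        export.append(row)
    return export


def leaks_identifiers(export: list, records) -> bool:
    """Pre-flight check: does any direct identifier value appear anywhere in the export?"""
    blob = json.dumps(export)
    return any(str(r[field]) in blob for r in records for field in DIRECT_IDENTIFIERS)


def resolve(secret_key: bytes, records, segment_id: str):
    """Reverse lookup from a segment id, possible only with the key and the system of record."""
    for r in records:
        if hmac.compare_digest(pseudonymous_id(secret_key, r["customer_id"]), segment_id):
            return r
    return None


if __name__ == "__main__":
    key = b"demo-key-keep-in-a-secrets-manager"   # placeholder key for the demo
    rows = build_marketing_export(CUSTOMERS, key, today=AS_OF)
    print(json.dumps(rows, indent=2))
    print("identifiers leaked:", leaks_identifiers(rows, CUSTOMERS))
```

Two caveats a practitioner should keep in mind. First, a keyed hash is pseudonymization, not anonymization: as long as the key and the customer table exist, the rows can be linked back to a person, so under GDPR they are still personal data and the key needs the same protection as the PII itself. Second, the allowlist is what enforces minimization; a denylist of "known bad" fields silently lets a newly added column through.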
In the next post I will analyze the risk related to supporting old browsers.

You can follow the "Secure Language Translations" series in this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers but also to help engineers in reducing the organization risk through sound security measures.
