The 21st century presents a series of transformations in the business environment and in people’s lives in relation to the 20th century. The concentration of people in large urban centers, difficulties of locomotion, and social interaction, the need for agility and availability of communication, and not to say, promote physical and mental health in an environment in which the speed of interaction becomes increasingly necessary.
In the 1980s, people and businesses related in a very different way, without the presence of computers and the internet. The business needed a physical presence and direct interaction for its feasibility, that is, everything was done and carried out in a face-to-face manner.
The advent of the Internet and technological innovation have promoted an indisputable revolution in the way people consume products and services. Virtualization in consumer relationships and people’s personal lives has brought much more flexibility, productivity, and ease, however, all this has a price that can sometimes be very high.
Technological evolution has narrowed the gap between those who are far away, and ironically, drove away people who are physically close, to the point of observing people from the same family gathered in the same environment without any social interaction, since they are busy with their smartphones.
The social transformation promoted by technology certainly made people’s lives easier while upsetting the exposure of sensitive information and data, transforming information related to buying and consumption habits, personal data, preferences, and other intimate information into business opportunities for many companies. Not only by this massive exposure of people’s lives, personal information, and that of companies, there is still the risk of criminal actions in cyberspace and an increasing need to enhance security.
The criminal activities that occurred in the physical environment gained virtual modalities with very significant impacts, often leading to fatalities due to the intimacy exposure.
Now, if there is a social transformation perceived and impacted by technology, the sharing of data, and information on the Internet, it would also be natural to imagine that social and individual protection actions could accompany the perceived change in people’s lives. The protection of intellectual property on the Internet, personal data, and the sensitive data of individuals and companies, which have become the object of the desire for cybercriminals, require effective protection and legal support so that the accountability of those who commit virtual crimes, which were not previously properly typified in the traditional legal system, can be identified and punished. However, classifying actions in the cyberspace as criminal actions is not an easy task.
Many trouble-causing agents for many people do not define their actions as criminal and even fraudulent actions. Many, moreover, claim only to pursue a professional activity that depends on mining and sharing (in a remunerated way or for various benefits), and thus, are not causing direct harm to people. The data, for these agents, are only assets that have their relative value, often difficult to be measured, and despite being intangible, can represent a lot to the holder by revealing who they are, their income, their health status, beliefs, habits, sexuality, gender, culture, profession, family structure, work address and housing, gastronomic tastes, etc.. Virtual life has become a “dangerous city”, full of challenges and many risks!
Many laws were contextualized and had a legal interpretation related to the social fact so that its scope could generate certain protection for those who had their data violated in some way. Laws were also created to ensure that fundamental rights, such as privacy could be protected from criminal acts and also from unauthorized and indiscriminate sharing.
In Brazil, there is a legislation called “Civil Framework of the Internet”, Law 12.965/2014, which establishes principles, guarantees, rights, and duties for the use of the Internet, as well as a specific law to ensure the proper use of data, called the General Law for the Protection of Personal Data, Law 13.709/18. In Europe, the GDPR (General Data Protection Regulation) has brought an encouragement so that privacy can be treated responsibly and respectfully for the rights of individuals.
GDPR – “Principles relating to the processing of personal data”, established that:
Personal data must be:
- Lawfully, fairly, and transparently treated with regard to the data subject (lawfulness, fairness, and transparency)
- Collected for specific, explicit, legitimate, and unprocessed purposes in a manner incompatible with those purposes; Further processing for public interest file-building purposes, for scientific or historical research purposes, or for statistical purposes, shall not, in accordance with Article 89(1), be considered incompatible with the initial purposes (limitation of purpose)
- Relevant and limited to what is necessary for the purposes of which they are processed (data minimization)
- Accurate, and if necessary, up-to-date; all reasonable steps shall be taken to ensure that inaccurate personal data, taking into account the purposes for which they are processed, are erased or rectified without delay (accuracy)
- Maintained in a manner that allows the identification of data subjects, for no more than necessary purposes, for which personal data is processed; personal data may be stored for longer periods to the extent that personal data is processed solely for archival purposes of public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedom of the data subject (storage limitation)
- Processed in such a way as to ensure the proper security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality).
The controller must be responsible and be able to demonstrate compliance with the first paragraph (accountability).
Notwithstanding the scope, applicability, and relevance of laws and regulations of each country, it is essential to establish a culture related to responsible personal conduct in relation to your data and the data of others, whether individuals or legal entities, personal or professional data, and why not, whether sensitive or not. For British mathematician Clive Humby: “Data is the new oil” and The Economist in a recent publication defended the premise that: “The world’s most valuable resource is no longer oil, but data.”
If data is a very valuable asset, it can be assumed that it would be correct to claim, have the right of possession, and use properly protected data, and therefore, their owners should keep them safe with the same criterion that they hold other valuable assets safe, such as money, jewelry, or assets, should not they?
In practice, however, people neglect their data and do not align their virtual behavior with the same security behavior they adopt with other valuable assets. The pandemic has increased people’s access and time in virtual environments and has certainly also increased the exposure of their sensitive data.
Referencing the behavior of individuals when trying to identify the impacts of data governance on cybersecurity may seem a misfit or even an inappropriate approach, however, the lack of governance on the part of people, especially in relation to their data, ends up unquestionably exposing people’s fundamental right to cyber-attacks of various natures and forms, of equally diverse and significant impact. Data governance is the factor in exposing assets to cybercrime.
In the business environment, data governance according to Santos (Uma proposal for Data Governance based on a method of enterprise architecture development), emerges as a multidisciplinary action that aims to treat data as an active and tangible resource in the organization. This includes policies, standardizations, processes, and technology, essential elements in data administration.
Complementing the author’s definition, even in a false claim, I dare say that good data governance has a direct impact on the perception of cybersecurity. It is not enough, therefore, to implement governance without minimum criteria that can relate governance actions as practices that strengthen cybersecurity in a way that can protect people and organizations. Good data governance requires a close look at human behavior, whether in the role of the user of organizational applications and software, or in the social interaction performed in personal and corporate social networks.
Good governance should be structured in detailed analysis of the relevant risks, in the assessment of the fact and social phenomenon, in the culture and habits of people, and in the dissemination of good practices (inside and outside) of companies. Guides, standards, and frameworks should be widely disseminated, discussed, interpreted, and applied in companies and people should be developed (both professionally and personally) to take practices that have produced traceable and measurable results and that enable them to increase cybersecurity and protect information and data assets. Structured, timely, pertinent data governance aligned with social reality and due temporality are important allies to promote not only cybersecurity but also promote responsible and transparent interaction between the physical and virtual world.
ISO/IEC 27032 – Information Technology – Security Techniques – Cybersecurity Guidelines is one of the available resources that can help an organization implement a set of best practices capable of increasing cybersecurity. Its use, allied with standards such as ISO/ IEC 27001 – Information Technology – Security Techniques – Information Security Management System, and ISO/IEC 27701 -Security Techniques – Extension of ABNT NBR ISO/ IEC 27001, and ABNT NBR ISO/IEC 27002 for information privacy management – Requirements and guidelines, promote a series of widely used practices with measured and recognized results structure good data governance in an organization. Other ISO standards can serve as support to structure and improve good governance in companies.
In addition, personal and professional development is also an ally for improving data governance and the organization itself as a whole, helping to increase cybersecurity, which is increasingly impactful in people’s lives. PECB – Professional Evaluation and Certification Board, has a wide range of trainings that allow a professional to acquire and develop skills related to Data Governance, Information Security, and Cybersecurity, among others. One of the best ways to promote improvement in people’s lives and markets is to acquire and disseminate relevant knowledge on topics that are crucial to people.