My name is Tony and I spend a lot of time thinking about data protection and privacy; that's because I am Nexar's Chief of Information Security. Before joining Nexar, I worked in information security in various fields, for both large companies and small startups. I have worked in information security long enough to see how the field has evolved over time, and I can say with full confidence that this is a particularly interesting and unique time for it.
From the dawn of the internet, privacy was a topic that was overlooked and, later, often mistreated. As the world adjusted to all things internet, little thought was given to our privacy. Data was usually misused, and there was no regulation on which we, the users, could rely. The General Data Privacy Regulation (GDPR) was announced three years ago and is intended to fix these abuses and to return power to internet users.
Personally, I think the GDPR is one of the most significant improvements to user privacy, even if it’s a few years late.
At the time the GDPR was announced, most organizations were unaware of the implications of this regulation. Companies of all sizes have had at least two years to prepare for it, and this preparation hasn't been easy. While issues of scale and size can affect how quickly a company can adjust to the regulation, both startups and larger companies face the same fundamental questions: how have they been treating customer data, and how will they be treating it starting May 25th? At Nexar, we set for ourselves one key axiom, the Golden Rule of data protection and privacy: we treat customer data the same way we would want our own personal data to be treated.
We are also making information security a critical element of every company process, from operations to product design. We hold regular meetings (we call them BizTech meetings internally) where we discuss how fundamental business decisions intersect with information security and privacy. Merging these worlds keeps these issues at the forefront and puts the responsibility for information security on everyone at Nexar.
With regard to third-party suppliers, we have revamped our vetting process to determine whether these partners value information security as much as we do. We conduct an information security evaluation focused on three core components:
- Integration — What kind of technical integration is required between us and this third party? We look at a number of questions, for example: What kind of data is involved? How long will this integration last? How will this third party store and process data? Who will have access? Are we integrating their SDK? The answers to these and other questions are decisive in determining whether we will work with the third-party company.
- Liability — You are entrusting us with your data and this trust needs to guide any decision we make about working with a third party. We answer to you regarding your data, and we need to do everything possible to avoid violating your trust.
- Privacy contract — To what standards does this third party hold itself? If they aren't stringent, we will not work with them.
To make sure that information security is fully integrated in a company, it's not enough to harden a single system. Instead, we focus on testing the whole data flow and the integration of all systems. We also perform penetration testing and security assessments on a regular basis, deliberately looking for security gaps and hardening our security architecture in practice, not just on paper.
With or without the GDPR, your data is yours and you have the right to determine how your data will be used. Rest assured, here at Nexar we support your right to privacy and will continue working to ensure it is respected and protected.