What Is Data Privacy?
Data Privacy, also known as information privacy, is the need to preserve and protect any personal information collected by any organization from being accessed by a third party. It is a part of Information Technology that helps an individual or an organization determine what data within a system can be shared with others and which should be restricted.
Data privacy is the branch of data management that handles personal data in compliance with data protection laws, regulations, and general privacy best practices. Data privacy involves setting access controls to protect information from unauthorized parties, getting consent from data subjects when necessary, and maintaining data integrity. Data privacy needs to be a top priority for businesses. Failure to comply with data privacy regulations can lead to big losses. Think legal action, steep financial penalties, and brand damage. Ensuring data privacy is part of the larger topic of data governance. Data governance requires organizations to know what data they have, where it’s stored, how it flows through their IT systems, and how it’s used. Data governance best practices allow organizations to maintain data integrity and trust in their data.
Types of Data Privacy
Data privacy covers any personal data that is sensitive or could be used maliciously. These data types include the following:
- Financial Privacy: Any financial information shared online or offline is sensitive, as it can be used to commit fraud.
- Medical Privacy: Details of medical treatment and history are privileged information and cannot be disclosed to a third party. There are very stringent laws regarding the sharing of medical records.
- Residential and Geographic Records: Sharing an address online is a potential risk, and such records need protection from unauthorized access.
- Political Privacy: There is growing concern that political preferences should be treated as privileged information.
Principles of Data Privacy
Most data protection laws are built on a set of key principles, which establish the foundation for everything related to data privacy and the protection of personal data. There are seven key data privacy principles that form the fundamental conditions that organizations must follow when processing personal data. Processing personal data in line with these key principles is essential for good data protection. The principles are:
- Lawfulness, fairness and transparency: You should always process personal data in a fair, lawful and transparent manner.
- Purpose limitation: You should only process personal data for a specified and lawful purpose.
- Accuracy: You should ensure personal data is kept up to date, and that necessary measures are in place for correcting and updating inaccurate data.
- Storage limitation: You must not keep personal data for longer than you need it.
- Data minimization: You must ensure you are only processing the personal data that you truly need and nothing more.
- Integrity and confidentiality: You must implement adequate security controls to protect personal data against loss, destruction or damage.
- Accountability: You must have appropriate measures and records in place to be able to demonstrate your compliance.
The Importance of Data Privacy
Privacy is recognized as an absolute fundamental right and in some parts of the world privacy has often been regarded as an element of liberty, the right to be free from intrusions by the state. In most geographies, privacy is a legal concept and not a technology, and so it is the term data protection that deals with the technical framework of keeping the data secure and available.
So why is Data Privacy Important? The answer to this question comes down to business imperatives:
- Business Asset Management: Data is perhaps the most important asset a business owns. We live in a data economy where companies find enormous value in collecting, sharing and using data about customers or users, especially from social media. Transparency in how businesses request consent to keep personal data, abide by their privacy policies, and manage the data that they’ve collected, is vital to building trust with customers who naturally expect privacy as a human right.
- Regulatory Compliance: Managing data to ensure regulatory compliance is arguably even more important. A business may have legal responsibilities for how it collects, stores, and processes personal data, and non-compliance could lead to a huge fine. If the business becomes the victim of a hack or ransomware attack, the consequences in terms of lost revenue and lost customer trust could be even worse.
Laws Governing Data Privacy
As technological advances have improved data collection and surveillance capabilities, governments around the world have started passing laws regulating what kind of data can be collected about users, how that data can be used, and how data should be stored and protected. Some of the most important regulatory privacy frameworks to know include:
- General Data Protection Regulation (GDPR): Regulates how the personal data of European Union (EU) data subjects, meaning individuals, can be collected, stored, and processed, and gives data subjects rights to control their personal data (including a right to be forgotten).
- National data protection laws: Many countries, such as Canada, Japan, Australia, Singapore, and others, have comprehensive data protection laws in some form. Some, like Brazil's General Law for the Protection of Personal Data and the UK's Data Protection Act, are quite similar to the GDPR.
- California Consumer Privacy Act (CCPA): Requires that consumers be made aware of what personal data is collected and gives consumers control over their personal data, including a right to tell organizations not to sell their personal data.
There are also industry-specific privacy guidelines in some countries: for instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs how personal healthcare data should be handled. However, many privacy advocates argue that individuals still do not have sufficient control over what happens to their personal data. Governments around the world may pass additional data privacy laws in the future.
The Global Data Privacy Landscape
U.S. Data Privacy
In the U.S., data privacy is protected under a complex framework of federal and state law. Federal laws protecting personal information are sector-specific, including personal health information, educational information, children’s information, and financial information. These different kinds of personal information are protected under an “alphabet soup” of specific federal laws, including:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Family Educational Rights and Privacy Act (FERPA)
- The Children’s Online Privacy Protection Act (COPPA)
- The Gramm-Leach-Bliley Act (GLBA)
Each of these laws defines the personal information at issue differently, creates different enforcement mechanisms, and places unique requirements on consent and disclosure. In the U.S., the kind of information that is protected under these laws is often narrowly defined. Many laws treat protected information as someone’s name plus some other piece of identifying information, such as a Social Security Number. This way of defining personal information reflects the consumer-protection orientation of U.S. law. Outside of certain specific contexts, such as health and medical information, specific consent is not required for businesses to collect and use personal information.
Federal Data Privacy Law
Within the federal framework, one federal actor stands out as having a significant role in regulating how private organizations behave when it comes to personal information: the Federal Trade Commission (FTC). The FTC is a federal agency with both rulemaking authority and law enforcement authority over most businesses in the United States. While the FTC has some rulemaking authority when it comes to privacy—it can promulgate rules protecting children’s information under COPPA and financial information under the GLBA, for example—its law enforcement authority is perhaps more important. The FTC has broad authority under Section 5 of the FTC Act, which gives it enforcement power over unfair and deceptive commercial acts and practices. Federal courts have determined that this power includes enforcement authority against certain data privacy practices. The FTC has used its Section 5 authority to enter into settlement agreements with a number of companies based on their data privacy and security practices, in particular if a data breach reveals inadequate practices.
State-Level Data Privacy Law
Every state (and the District of Columbia and U.S. territories) has its own set of data privacy laws. Data privacy laws take the form of data breach notification statutes, security regulations, and industry-specific privacy statutes (e.g., privacy laws governing the insurance industry). Some states have unique privacy laws. For example:
Illinois recently passed a Biometric Information Privacy Act that regulates the collection, use, and retention of certain biometric information, such as facial recognition scans or fingerprints. Vermont passed a first-of-its-kind “data broker” law to regulate organizations that aggregate data and then provide it or sell it to other organizations. New York recently passed a set of security regulations aimed at the financial industry. In addition to these laws, state attorneys general have powers similar to the FTC’s to enforce against data privacy practices in the consumer protection context.
Clearly, the complex array of data privacy laws—some of which exist in tension with one another—can be an enormous headache for organizations trying to understand how to create a compliance framework. The questions become more complex when an organization suffers a data incident that affects it across numerous jurisdictions.
International Data Privacy
The U.S. data privacy framework stands in sharp contrast to the European framework. In the European Economic Area, or EEA (the European Union plus Norway, Liechtenstein, and Iceland), a single law governs data privacy: the General Data Protection Regulation (GDPR). The GDPR is a comprehensive regulatory scheme that governs how all personal data is used and transferred within the EEA and from the EEA to non-EEA countries. It defines personal information broadly (for instance, it can include simply someone’s name or IP address) and requires specific legal justification for any use of personal information.
Importantly, the GDPR reflects a human rights orientation to data privacy, as opposed to U.S. law, where data privacy can be best thought of as a compromise between business and consumer interests. In this regard, the GDPR grants affirmative rights to individuals, such as the right to have data corrected or deleted, and demands that before personal information can be collected or processed, there must be a legal basis such as affirmative consent or a specific contract.
The GDPR is important for organizations to understand for at least two reasons. First, it has an extra-territorial scope. That is, if a business in the U.S. is receiving information from EEA residents or does business in the EEA, it will likely be subject to the GDPR. Secondly, because of its extra-territorial reach and its broad protection of personal information, the law has encouraged other countries and businesses (even some U.S. states) to augment their protections of personal information. For example, shortly after the GDPR came into effect, Brazil passed a law similar in important respects to the GDPR. Japan supplemented its privacy protections to make it easier for businesses to transfer personal data from the EEA to Japan. California has also passed the California Consumer Privacy Act (CCPA), creating numerous affirmative data privacy rights similar to the GDPR’s rights.
Data Privacy Vs. Data Protection
Although both data protection and privacy are important and the two often come together, these terms do not represent the same thing.
- One addresses policies, the other mechanisms: Data privacy is focused on defining who has access to data while data protection focuses on applying those restrictions. Data privacy defines the policies that data protection tools and processes employ. Creating data privacy guidelines does not ensure that unauthorized users don’t have access. Likewise, you can restrict access with data protections while still leaving sensitive data vulnerable. Both are needed to ensure that data remains secure.
- Users control privacy, companies ensure protection: Another important distinction between privacy and protection is who is typically in control. For privacy, users can often control how much of their data is shared and with whom. For protection, it is up to the companies handling data to ensure that it remains private. Compliance regulations reflect this difference and are created to help ensure that users’ privacy requests are enacted by companies.
Data Privacy Challenges and Risks
To secure a data privacy certification or attestation, such as ISO certification, a SOC 2 report, or HIPAA compliance, an organization must show it takes data privacy seriously. Some key examples of cloud data privacy challenges include:
- Vulnerabilities in Web Applications: Any software hosted in the cloud or on the web should be fully vetted and secure before deploying within an otherwise secure organization. Have a data privacy compliance checklist to protect your program before installing something new.
- Lacking Breach Response: An important part of a data privacy compliance program is an incident response plan. Make sure you have a clear plan in place, that it has been rehearsed, and that the chain of command is ready to execute it when any issue arises.
- Inadequate Personal Data Disposal: Personal data should be kept only as long as the relationship with the customer or employee (and related legal obligations) is in effect. Your organization can incur significant fines under the EU’s General Data Protection Regulation (GDPR) if your program does not dispose of personal data on that schedule.
- Lack of Transparency in Privacy Policies, Terms and Conditions: Ensure every customer, vendor, user or investor can understand your privacy policies, terms and conditions. Ensure they are clear on what they are agreeing to, and on the obligations to which they are subscribing.
- Collection of Unnecessary Data: Collecting data should always be done with a specific purpose for which consent has been received. Most data protection laws and regulations mandate an organization may not collect more data than is required for the transaction. A data privacy consent form can help explain your company’s policies and what the user is consenting to.
- Personal Data Sharing: Inform all users before any personally identifiable information for which they granted permission leaves your organization’s database.
- Incorrect or Outdated Personal Data: Under most data privacy laws and regulations, individuals have the right to rectify outdated or inaccurate personal data. This is an important development in data privacy protection. Ensure your organization has a specific policy and actionable procedures in place to allow users to exercise this right.
- Session Expiration Problems: When a data subject provides personal information to a web application, session expiration can create risk. If a data subject abandons their session and their data is exposed, the organization may be held liable for this cloud data privacy breach.
- Data Transfer Over Insecure Channels: Always use secure channels and protocols (e.g. SFTP, TLS) to transmit sensitive data. When data is sent over insecure channels (e.g. FTP, HTTP), incidents can occur.
- Extra Credit: Dealing With the Unknown: Ensure your team, procedures, and chain of command are prepared for unexpected contingencies. The data privacy challenges of the modern business landscape present new threats and compliance challenges on a regular basis. A healthy program for data governance, security, and privacy can adapt and adjust to keep your organization compliant and secure.
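The principles listed under "Principles of Data Privacy" and the disposal, over-collection and rectification challenges above can be enforced as code-level controls rather than left as policy text. The following is an added example, not code from the original article: a small purpose-bound personal-data store whose purposes, allowed fields, retention periods and day-number timestamps are all constructed for the demonstration.

```python
# Added example (not code from the original article): a tiny purpose-bound store
# for personal data that turns several of the principles above into code-level
# controls. Purposes, fields, retention periods and day-number timestamps are constructed.

# Constructed policy: the fields each purpose justifies and how long to keep them.
PURPOSE_POLICY = {
    "order_fulfilment": {"fields": {"name", "address"}, "retention_days": 180},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}

class PersonalDataStore:
    def __init__(self):
        self.records = []    # one dict per collected record
        self.audit_log = []  # accountability: every action is recorded here

    def collect(self, subject_id, purpose, data, consent, today):
        policy = PURPOSE_POLICY.get(purpose)
        if policy is None:  # purpose limitation: only a specified, known purpose
            raise ValueError("unknown purpose: %s" % purpose)
        if not consent:     # lawfulness: no recorded consent, no processing
            raise PermissionError("no consent recorded for %s" % purpose)
        extra = set(data) - policy["fields"]
        if extra:           # data minimisation: refuse fields the purpose does not need
            raise ValueError("fields not needed for %s: %s" % (purpose, sorted(extra)))
        self.records.append({"subject": subject_id, "purpose": purpose,
                             "data": dict(data), "collected_on": today})
        self.audit_log.append(("collect", subject_id, purpose, today))

    def rectify(self, subject_id, field_name, new_value, today):
        # accuracy: the data subject's right to correct inaccurate data
        changed = 0
        for rec in self.records:
            if rec["subject"] == subject_id and field_name in rec["data"]:
                rec["data"][field_name] = new_value
                changed += 1
        self.audit_log.append(("rectify", subject_id, field_name, today))
        return changed

    def purge_expired(self, today):
        # storage limitation: delete records older than their purpose's retention period
        kept, purged = [], 0
        for rec in self.records:
            if today - rec["collected_on"] > PURPOSE_POLICY[rec["purpose"]]["retention_days"]:
                purged += 1
                self.audit_log.append(("purge", rec["subject"], rec["purpose"], today))
            else:
                kept.append(rec)
        self.records = kept
        return purged
```

Running purge_expired on a schedule is what turns the storage-limitation principle into the disposal control the challenge list asks for, and the audit log is the record an accountability review would ask to see.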