Data privacy is a set of rules that define who has access to data and what must be done to protect it. Data protection regulations enforce data privacy.
Data privacy must be considered a crucial function and given the proper attention and support in every organization.
Data privacy revolves around these areas:
- Location awareness
- Access controls
- Subject consent
- Lifecycle management
- Regulatory compliance
Data privacy-related compliance laws, regulations, and best practices focus on protecting individuals’ sensitive information, typically personal health information (PHI) and personally identifiable information (PII)—in terms of how it is collected, stored, and shared. Requirements for compliance are set forth by organizations (e.g., corporate data privacy policies), governments (e.g., California Consumer Privacy Act or CCPA), and trade groups (e.g., PCI Standards Security Council).
In many countries, data privacy is considered an intrinsic right. It establishes and enforces the rights that individuals have with regard to their personal information.
One of the best-known regulations is the European Union’s General Data Protection Regulation (GDPR), which provides great detail about individual rights concerning personal data and data privacy.
GDPR Eight Rights of Data Subjects
- The right to be informed about the collection and use of their personal data—why it is being collected, how long it will be retained, and with whom it will be shared.
- The right of access means the ability to receive a copy of their personal data and other supplementary information.
- The right to rectification means the ability to have inaccurate personal data corrected or completed if it is incomplete.
- The right to erasure is also known as the right to be forgotten.
- The right to restrict processing can be requested to restrict or suppress personal data as well as limit the way that an organization uses personal data.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object allows individuals to stop or prevent the processing of their personal data.
- The right not to be subject to automated decision-making, which may or may not involve profiling (e.g., an online decision to award a loan).
Why is Data Privacy Important?
Data privacy provides important guidelines for how data should be collected, stored, accessed, and managed throughout its lifecycle based on its sensitivity and value. It should be top of mind for organizations, especially for departments that work with sensitive information, such as sales, operations, engineering, human resources, and finance.
Data privacy is also important because it helps ensure that sensitive information is only accessible by approved users. A crucial part of overall cybersecurity, it provides another layer of protection between private data and criminals or malicious insiders.
Types of Important Information Protected
The two primary types of content covered by data privacy are personally identifiable information (PII) and personal health information (PHI). Additional types of sensitive information covered by data privacy are:
- Employee data, such as salary
- Academic data, such as grades and enrollment data—as specified under FERPA
- Medical and health data—as specified under HIPAA
- Proprietary or copyrighted data—as specified under DMCA
- Confidential legal or financial data
Data Privacy vs. Data Security
1. Access control
Manage users’ rights to data with tight controls on granting and terminating privileges.
2. Data integrity
Ensure that data is accurate and consistent throughout its lifecycle.
Implement technology and processes to track how data is used and provide reporting capabilities.
Data privacy:
- Focuses on defining who has access to data
- Defines the policies
- Users control privacy
- Users determine how data is shared
- Authorizes access to data
- Legal centric
- Focuses on how to collect and process personal data
- Determines what types of personal data may be collected, about whom, and what can be done with it

Data security:
- Enforcement mechanism
- Focuses on applying restrictions to data based on privacy guidelines
- Uses tools and processes to enforce policies
- IT controls protection
- IT ensures that data remains private
- Secures data against unauthorized access
- Technology centric
- Focuses on the processes, tools, and methods to secure personal data
- Determines how best to assure the confidentiality, integrity, availability, and security of personal data
Can data privacy exist without data security, and vice versa? The answer is: not really. Each needs the other to perform reliably.
Without data security, data cannot be protected; thus, neither can its privacy. And since data security administrators have authorized access to data, they can view private information, which requires protection. Data privacy and data security must be integrated to deliver optimal protection.
Data Privacy Laws and Acts
Regulations in the United States
The United States does not have a comprehensive federal law to govern data privacy. Instead, it is regulated by a collection of federal and state laws with varying degrees of specificity, ranging from the broad California Consumer Privacy Act (CCPA) to regulations focused on healthcare data, financial institutions, and marketing.
Here is a sampling of data privacy regulations in the United States:
- Bank Secrecy Act (BSA)
- California Consumer Privacy Act (CCPA)
- California Online Privacy Protection Act (CalOPPA)
- Fair Credit Reporting Act (FCRA)
- Fair and Accurate Credit Transactions Act (FACTA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Payment Card Industry Data Security Standard (PCI DSS)
- SOC 2
- Stop Hacks and Improve Electronic Data Security Act (SHIELD)
- US Privacy Act of 1974
Global data privacy regulations include:
- Argentina’s Personal Data Protection Act of 2000
- Australia’s Privacy Principles (APP)
- Bahrain’s Personal Data Protection Law (PDPL)
- Brazilian Internet Act
- Canada’s Personal Information Protection and Electronic Data Act (PIPEDA)
- Chile’s Act on the Protection of Personal Data
- China’s Cyber Security Law (CCSL)
- Colombia’s Regulatory Decree 1377
- European Union’s General Data Protection Regulation (GDPR)
- Ghana’s Data Protection Act, 2012
- Hong Kong’s Personal Data Ordinance
- Iceland’s Data Protection Act of 2000
- India’s Information Technology Act
- Japan’s Personal Information Protection Act
- Malaysia’s Personal Data Protection Act 2010
- Mexico’s Federal Law for the Protection of Personal Data Possessed by Private Persons
- Morocco’s Data Protection Act
- New Zealand’s Privacy Act of 1993
- Norway’s Personal Data Act
- Philippines’ Republic Act No. 10173
- Russian Federal Act on Data Protection
- Singapore’s Personal Data Protection Act
- South Africa’s Electronic Communications and Transactions Act
- South Korea’s Act on Promotion of Information and Communications Network Utilization and Data Protection
- Switzerland’s Federal Act on Data Protection
- Taiwan’s Computer-Processed Personal Data Protection Law
Data Privacy Best Practices
The most successful data privacy programs start with a commitment to put privacy first and embed it in the organization’s culture. These best practices are rooted in the concept of privacy by design and default, as set forth by GDPR and other regulations.
Best practices for effective data privacy:
- Practice minimal data collection
Data privacy policies should include direction to collect only necessary data. When creating forms, take time to double-check the fields to confirm that extraneous information is not collected. The more data that is collected, the more extensive the threat and risk landscape. This results in increased liability for the organization and burdens the security team. Practicing minimal data collection also reduces costs associated with bandwidth and storage.
- Engage users when developing policies
Being part of the establishment of data privacy policies enhances user engagement. In addition, by bringing users into the process, policies are more likely to fit better into existing workflows. This increases the adoption of data privacy policies and compliance with laws and regulations.
- Know your data
Policies should provide processes for understanding what data is collected, how it is handled, and where it is stored. This is the crux of successful data privacy. In addition, data policies need to define how frequently data is scanned and how it is classified. Data privacy policies should also include processes for auditing data to ensure that directives are applied correctly.
- Ensure that data security mechanisms align with data privacy policies
Privacy policies provide guidance on how data can be shared. Data security provides the underlying solutions to protect the data. Data policies should clearly outline data privacy levels and the required data protection.
- Encourage education and awareness
Successful data privacy depends on a security-aware organization. Implementing policies will have a limited effect if the entire team, including the company’s business partners, does not understand their importance. Education is crucial in bolstering data privacy effectiveness.
Tips for Implementing Data Privacy Best Practices
Regardless of the type of sensitive information, the following steps are critical when implementing data security systems to support data privacy policies.
- Set security controls based on the sensitivity of the information as set forth in data privacy policies.
- Understand who can access, modify, or delete sensitive information as documented in policies.
- Establish a data privacy classification policy for sensitive information.
- Identify sensitive information that is collected and stored.
- Tag sensitive information according to data privacy classifications on an ongoing basis.
- Conduct regular scans to identify sensitive information and ensure policy adherence.
- Ensure that sensitive information is stored in designated locations with access granted according to data privacy policies.
Data Privacy Compliance
To meet data privacy compliance requirements, care must be taken to put in place robust administrative, technical, and physical security solutions and processes. This ensures the confidentiality, integrity, and availability of sensitive information. Data security also needs to align with data privacy compliance requirements to avoid penalties and reputational damage.
A systematic approach to data privacy compliance expedites implementation and helps achieve consistent and reliable results. Here are a few components of an effective compliance program:
- Comprehensive strategy
Take the time to work with leadership and stakeholders to develop a comprehensive, integrated, measurable, and centralized strategy for achieving data privacy compliance. This should include protocols and documentation that define how personal data and sensitive information will be handled throughout its lifecycle, including how and when to destroy data.
- Subject matter experts (SMEs)
Assign and train team members to become SMEs for specific regulations and laws as well as to become knowledgeable about the data privacy compliance program. These SMEs can provide the oversight needed to effectively meet compliance requirements.
- Incident response strategy and plan
In the event of a data breach, a timely response is critical. A data privacy compliance program should have a response component that is integrated with the data security response. Training should be provided to expedite the identification of a breach and to mitigate damage. The plan should also outline steps to be taken to evaluate the cause of the breach and identify changes that can be made to prevent another incident.
- Compliance program documentation
All components of the data privacy compliance program should be documented, including details about people, plans, and processes. The documentation should have an “owner” responsible for maintaining it and managing access to it.
- Proof of compliance
The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and other regulations include a stipulation for audits to confirm that requirements are met. Data privacy compliance programs should have a reporting component. This can be used to meet external requirements as well as to assess compliance to identify gaps in advance of an audit.
Data Privacy Challenges
Data privacy continues to grow as a priority for organizations and regulators around the world. Requirements for data privacy compliance make it not just something that should be done, but something that must be done—or organizations can risk stringent penalties.
In many cases, compliance is compromised not by a lack of interest or understanding, but by a web of complex challenges that present significant roadblocks to even the most committed organizations.
Data privacy challenges facing organizations include:
- Embedding data privacy
Data privacy is often an afterthought that is rolled into data security or disaster recovery plans.
- Increased regulation and its expense
The list of regulations continues to grow and brings with it daunting data privacy requirements. Compliance is achieved not just with technology solutions and better processes, but with the people who implement and maintain these tools and processes and educate all relevant stakeholders. Organizations struggle to balance data privacy compliance with excessive CAPEX and labor expenses.
- Exponential growth of data
Data growth is a challenge that impacts every organization. From a data privacy perspective, it has a major impact when data is not categorized correctly.
- Proliferating devices
The more devices, the larger the attack surface, with more points of threat for data privacy breaches. From IoT to BYOD, the spread of data adds to the difficulty of implementing and managing data privacy programs.
Data Privacy Tools and Technologies
Data privacy tools and technologies, in conjunction with data security solutions, support the management and maintenance of data privacy programs. These solutions provide support for a range of data privacy program functions, including:
- responding to consumer requests (also known as data subject request or DSR)
- tracking users’ access to data
- tracking the location of sensitive information
- cookie tracking
- user consent management
- data classification
- audit support
Examples of commonly used data privacy tools and technologies include:
- Data classification
Prioritizes sensitive information to facilitate data protection, then classifies data according to priority level—usually a combination of manual and automated processes.
- Data access policy automation
Provides users the right amount of data access, usually following the tenet of least privilege.
- Cloud data protection
Encrypts sensitive data that is stored in the cloud to protect it from nefarious users and unwanted surveillance.
- Two-factor authentication
Prevents attackers from accessing data with only login credentials by requiring a second piece of information for authentication.
- Tokenization
Substitutes a randomly generated value called a token for sensitive data, then stores the token-to-data mapping in an ultra-secure mapping database.
- Encryption
Converts data into unreadable code that can only be made legible again by decrypting it using a single-purpose key. Data can be encrypted at the storage, network, and application levels.
- Identity verification software
Ensures that an online user is the same person they claim to be offline, in order to comply with data privacy regulations.
- Privacy impact assessment (PIA) software
Helps organizations automate the evaluation, assessment, tracking, and reporting of data privacy implications for the information they collect, use, and store.
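As an added illustration of the tokenization and least-privilege access entries above (example code written for this page, not the original article's or any product's), the `TokenVault` class, the PII field classification, the `billing` role and the sample customer records are all constructed assumptions:

```python
import secrets

# Fields classified as PII under a (constructed) data classification policy.
# These never leave the vault in clear; everything else passes through untouched.
PII_FIELDS = {"ssn", "email"}

# Roles authorized to reverse a token (constructed least-privilege policy).
DETOKENIZE_ROLES = {"billing"}


class TokenVault:
    """Holds the token -> plaintext mapping. Only this store ever sees PII."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so equal values stay joinable downstream.
        if value in self._value_to_token:
            return self._value_to_token[value]
        # The token is random, not derived from the value, so it leaks nothing
        # about the plaintext and cannot be reversed without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Least privilege: only an explicitly authorized role may reverse a token.
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_value[token]


def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Replace every PII-classified field with a token; other fields pass through."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def customer_records() -> list:
    # Constructed sample input; no real people or identifiers.
    return [
        {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "email": "a@example.com"},
        {"id": 2, "name": "B. Example", "ssn": "123-45-6789", "email": "b@example.com"},
    ]


if __name__ == "__main__":
    vault = TokenVault()
    for r in customer_records():
        print(tokenize_record(r, vault))
```

Systems outside the vault (analytics, reporting) can work with the tokenized records, including joining on the repeated `ssn` token, without ever holding the PII itself.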
Data Privacy Impact
Data privacy impacts organizations of all types and sizes. It must be considered a mission-critical function and be given the proper attention and support. The goal should be to develop an organizational culture that values and defends data privacy.
Last updated: 06/02/2021