Why is Data Privacy Important?

Data privacy provides important guidelines for how data should be collected, stored, accessed, and managed throughout its lifecycle based on its sensitivity and value. It should be top of mind for organizations, especially for departments that work with sensitive information, such as sales, operations, engineering, human resources, and finance.

Data privacy is also important because it helps ensure that sensitive information is only accessible by approved users. A crucial part of overall cybersecurity, it provides another layer of protection between private data and criminals or malicious insiders.

Types of Important Information Protected

The two primary types of content covered by data privacy are personally identifiable information (PII) and personal health information (PHI). Additional types of sensitive information covered by data privacy are:

• Employee data, such as salary
• Academic data, such as grades and enrollment data—as specified under FERPA
• Medical and health data—as specified under HIPAA
• Proprietary or copyrighted data—as specified under DMCA
• Confidential legal or financial data

Data Privacy vs. Data Security

Data privacy and data security differ; however, they do overlap in three key areas:

1. 1. Access control

   Manage users’ rights to data with tight controls on granting and terminating privileges.

2. 2. Data integrity

   Ensure that data is accurate and consistent throughout its lifecycle.

3. 3. Accountability

   Implement technology and processes to track how data is used and provide reporting capabilities.

Can data privacy exist without data security, and vice versa? The answer is not really. They each need the other to perform reliably.

Without data security, data cannot be protected; thus, neither can its privacy. And since data security administrators have authorized access to data, they can view private information, which requires protection. Data privacy and data security must be integrated to deliver optimal protection.

Data Privacy Laws and Act

Regulations in the United States

The United States does not have a comprehensive federal law to govern data privacy. Instead, it is regulated by a collection of federal and state laws with varying degrees of specificity, ranging from the broad California Consumer Privacy Act (CCPA) to regulations focused on healthcare data, financial institutions, and marketing.

Here is a sampling of data privacy regulations in the United States:

• Bank Secrecy Act (BSA)
• California Consumer Privacy Act (CCPA)
• California Online Privacy Protection Act (CalOPPA)
• Fair Credit Reporting Act (FCRA)
• Fair and Accurate Credit Transactions Act (FACTA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Payment Card Industry Data Security Standard (PCI DSS)
• SOC 2
• Stop Hacks and Improve Electronic Data Security Act (SHIELD)
• US Privacy Act of 1974

International Regulations

Global data privacy regulations include:

• Argentina’s Personal Data Protection Act of 2000
• Australia’s Privacy Principles (APP)
• Bahrain’s Personal Data Protection Law (PDPL)
• Brazilian Internet Act
• Canada’s Personal Information Protection and Electronic Data Act (PIPEDA)
• Chile’s Act on the Protection of Personal Data
• China’s Cyber Security Law (CCSL)
• Colombia’s Regulatory Decree 1377
• European Union’s General Data Protection Regulation (GDPR)
• Ghana’s Data Protection Act, 2012
• Hong Kong’s Personal Data Ordinance
• Iceland’s Data Protection Act of 2000
• India’s Information Technology Act
• Japan’s Personal Information Protection Act
• Malaysia’s Personal Data Protection Act 2010
• Mexico’s Federal Law for the Protection of Personal Data Possessed by Private Persons
• Morocco’s Data Protection Act
• New Zealand’s Privacy Act of 1993
• Norway’s Personal Data Act
• Philippines’ Republic Act No. 10173
• Russian Federal Act on Data Protection
• Singapore’s Personal Data Protection Act
• South Africa’s Electronic Communications and Transactions Act
• South Korea’s Act on Promotion of Information and Communications Network Utilization and Data Protection
• Switzerland’s Federal Act on Data Protection
• Taiwan’s Computer-Processed Personal Data Protection Law

Data Privacy Best Practices

The most successful data privacy programs start with a commitment to put privacy first and embed it in the organization’s culture. These best practices are rooted in the concept of privacy by design and default, as set forth by GDPR and other regulations.

Best practices for effective data privacy:

• Practice minimal data collection
  Data privacy policies should include direction to collect only necessary data. When creating forms, take time to double-check the fields to confirm that extraneous information is not collected. The more data that is collected, the more extensive the threat and risk landscape. This results in increased liability for the organization and burdens the security team. Practicing minimal data collection also reduces costs associated with bandwidth and storage.
• Engage users when developing policies
  Being part of the establishment of data privacy policies enhances user engagement. In addition, by bringing users into the process, policies are more likely to fit better into existing workflows. This increases the adoption of data privacy policies and compliance with laws and regulations.
• Know your data
  Policies should provide processes for understanding what data is collected, how it is handled, and where it is stored. This is the crux of successful data privacy. In addition, data policies need to define how frequently data is scanned and how it is classified. Data privacy policies should also include processes for auditing data to ensure that directives are applied correctly.
• Ensure that data security mechanisms align with data privacy policies
  Privacy policies provide guidance on how data can be shared. Data security provides the underlying solutions to protect the data. Data policies should clearly outline data privacy levels and the required data protection.
• Encourage education and awareness
  Successful data privacy depends on a secure-aware organization. Implementing policies will have a limited effect if the entire team, including the company’s business partners, does not understand the importance. Education is crucial in bolstering data privacy effectiveness.

Tips for Implementing Data Privacy Best Practices

Regardless of the type of sensitive information, the following steps are critical when implementing data security systems to support data privacy policies.

• Set security controls based on the sensitivity of the information as set forth in data privacy policies.
• Understand who can access, modify, or delete sensitive information as documented in policies.
• Establish a data privacy classification policy for sensitive information.
• Identify sensitive information that is collected and stored.
• Tag sensitive information according to data privacy classifications on an ongoing basis.
• Conduct regular scans to identify sensitive information and ensure policy adherence.
• Ensure that sensitive information is stored in designated locations with access granted according to data privacy policies.

Data Privacy Compliance

To meet data privacy compliance requirements, care must be taken to put in place robust administrative, technical, and physical security solutions and processes. This ensures the confidentiality, integrity, and availability of sensitive information. Data security also needs to align with data privacy compliance requirements to avoid penalties and reputational damage.

A systematic approach to data privacy compliance expedites implementation and helps achieve consistent and reliable results. Here are a few components of an effective compliance program:

• Comprehensive strategy
  Take the time to work with leadership and stakeholders to develop a comprehensive, integrated, measurable, and centralized strategy for achieving data privacy compliance. This should include protocols and documentation that define how personal data and sensitive information will be handled throughout its lifecycle, including how and when to destroy data.handled throughout its lifecycle, including how and when to destroy data.
• Subject matter experts (SMEs)
  Assign and train team members to become SMEs for specific regulations and laws as well as become knowledgeable about the data privacy compliance program. These SMEs can provide the oversight needed to effectively meet compliance requirements
• Incident response strategy and plan
  In the event of a data breach, a timely response is critical. A data privacy compliance program should have a response component that is integrated with the data security response. Training should be provided to expedite the identification of a breach and to mitigate damage. The plan should also outline steps to be taken to evaluate the cause of the breach and identify changes that can be made to prevent another incident.
• Compliance program documentation
  All components of the data privacy compliance program should be documented, including details about people, plans, and processes. The documentation should have an “owner” responsible for maintaining it and managing access to it.
• Proof of compliance
  The Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), and other regulations include a stipulation for audits to confirm that requirements are met. Data privacy compliance programs should have a reporting component. This can be used to meet external requirements as well as to assess compliance to identify gaps in advance of an audit.

Data Privacy Challenges

Data privacy continues to grow as a priority for organizations and regulators around the world. Requirements for data privacy compliance make it not just something that should be done, but something that must be done—or organizations can risk stringent penalties.

Data privacy challenges facing organizations include:

• Embedding data privacy
  Data privacy is often an afterthought that is rolled into data security or disaster recovery plans.
• Increased regulation and its expense
  The list of regulations continues to grow and brings with it daunting data privacy requirements. Compliance is achieved not just with technology solutions and better processes, but with the people who implement and maintain these tools and processes and educate all relevant stakeholders. Organizations struggle to balance data privacy compliance with excessive CAPEX and labor expenses.
• Exponential growth of data
  Data growth is a challenge that impacts every organization. From a data privacy perspective, it has a major impact when data is not categorized correctly.
• Proliferating devices
  The more devices, the larger the attack surface, with more points of threat for data privacy breaches. From IoT to BYOD, the spread of data adds to the difficulty of implementing and managing data privacy programs.

Data Privacy Tools and Technologies

Data privacy tools and technologies, in conjunction with data security solutions, support the management and maintenance of data privacy programs. These solutions provide support for a range of data privacy program functions, including:

• responding to consumer requests (also known as data subject request or DSR)
• tracking users’ access to data
• tracking the location of sensitive information
• cookie tracking
• user consent management
• data classification
• reporting
• audit support

Examples of commonly used data privacy tools and technologies include:

• Data classification
  Prioritizes sensitive information to facilitate data protection, then classifies data according to priority level—usually a combination of manual and automated processes.
• Data access policy automation
  Provides users the right amount of data access, usually following the tenet of least privilege.
• Cloud data protection
  Encrypts sensitive data that is stored in the cloud to protect it from nefarious users and unwanted surveillance.
• Two-factor authentication
  Prevents attackers from accessing data with only login credentials by requiring a second piece of information for authentication.
• Tokenization
  Substitutes a randomly generated value called a token for sensitive data, then stores the token in an ultra-secure mapping database.
• Encryption
  Converts data into unreadable code that can only be made legible again by decrypting it using a single-purpose key. Data can be encrypted at the storage, network, and application levels
• Identity verification software
  Ensures a person or an online user matches who they are offline to comply with data privacy regulations.
• Privacy impact assessment (PIA) software
  Helps organizations automate the evaluation, assessment, tracking, and reporting of data privacy implications for the information they collect, use, and store.

Data Privacy Impact

Data privacy impacts organizations of all types and sizes. It must be considered a mission-critical function and be given the proper attention and support. The goal should be to develop an organizational culture that values and defends data privacy.