Increasingly, individuals are asking about and learning the importance of their privacy rights across the globe. They are beginning to inquire about the privacy of their personal information, its integrity, how it is collected and being used, and more importantly, its security.
Similarly, nations seem to be united in protecting the integrity and privacy of consumers’ personal information by regulating that data through privacy laws. Privacy was first noted as a fundamental right by the United Nations in 1948; the European Union wrote a convention in 1985, and since then many laws have been enacted, including the EU’s General Data Protection Regulation (GDPR), which came into force in 2018, and California’s CCPA, enforced from 2020.
Each law differs in its definition of what is considered personal data (or, in the USA, PII), the lawful bases for collecting personal data (consent, contract, vital interests, etc.), automated decision-making using that data, and processing, including whether, how, and when data can be transferred to third parties. These laws also grant rights to the individuals concerned, so that they have the right to access, correct, and delete the data held about them.
New laws are coming into force on a regular basis - see our global map of privacy laws for the latest information on each country and state. Violations of these laws can result in bad publicity, millions of dollars in fines, class action lawsuits from the individuals, and other penalties that may include imprisonment in some countries.
Take, for instance, the record-breaking GDPR fine of $865 million imposed on Amazon for violating the regulation’s requirements around obtaining data subject consent.
Where does data privacy fit in all that? Why is it important for businesses in the GDPR or CCPA era? What is its role in regulatory compliance?
Data privacy is the outcome of all those consumer concerns about the use of their personal information, the ceaselessly multiplying volume of data, and the growing number of regulatory requirements.
This guide will discuss the definition of data privacy, its importance, role in compliance, challenges, and some best practices.
In a broader sense, data privacy is the general right of every individual to be free from any prying or intervention. In plain terms, they have the right to be left to their affairs. In the internet-centric sense, data privacy is the principle of giving control of the flow of personal information (PI) to an individual. They have the right to know how their PI is collected, processed, and treated. They have the right to inquire about the third parties with whom the PI is shared. They also have the right to ensure that their data is being protected or kept private.
In the age of digitalization, there is a seemingly never-ending growth in the collection and generation of data; it is reported that the global total will reach 175 zettabytes by 2025. Businesses collect users’ data at various touch points throughout their interactions. That data is then broken down, refined, and analyzed to make critical decisions, improve the user experience, and feed innovation.
In the United States, “Data Privacy” is the term used in policies, laws, and regulations. In the European Union and other countries, however, the term “Data Protection” is used instead. The common understanding is that data protection is the wider term: it covers theory, practice, and implementation, and it also addresses the use of data (such as automated decision-making), whereas privacy focuses more narrowly on the individual data elements that are collected and used. Honestly, though, in many documents the two terms are used interchangeably.
Data is inarguably the ultimate driving component in various sectors. The internet giants have all built their empire atop the data that they have been collecting and processing for many years. The data economy keeps getting larger with the growing technological advances associated with the proliferation of data and its collection.
Customers now treat data privacy as one of the measures by which they judge an organization before doing business with it. Organizations with a sound data privacy strategy and framework are able to reduce data breaches by a significant margin. A lower number of breaches gives organizations a better chance at upholding that trust, and it also helps them avoid heavy fines, penalties, and civil lawsuits.
As technologies for collecting data have improved over the years, governments across the globe have started regulating how organizations treat personal information. There are now multiple global and regional laws that govern how organizations collect, process, and protect information. In its Top 8 Cybersecurity Predictions for 2021-2022, Gartner predicted that modern privacy laws will cover the PI of 75% of the global population by 2023.
Let’s take a look at some of the most prominent data privacy laws:
The California Consumer Privacy Act (CCPA, soon to be superseded by the CPRA) regulates how consumers’ personal information is collected and treated. The law applies to businesses, whether operating inside or outside California, that offer products and services to consumers living in California. The CCPA impacts over 40 million California residents and 0.5 million businesses in California. Among the many privacy rights that the CCPA bestows on consumers, the right to opt out ensures that businesses do not sell consumers’ personal information. To comply with this right, businesses are required to place a “Do Not Sell My Information” button on their website.
The General Data Protection Regulation (GDPR) is by far the most comprehensive privacy and data protection law in the world, and it has inspired many other countries to adopt similar provisions. The regulation is based on the EU Charter of Fundamental Rights, which treats the protection of an individual’s personal data as a basic human right. Under the GDPR, the individual “owns” their data in all cases; any time an organization uses it, the data is only on loan. The individual can ask for access to the data, for it to be updated or deleted, and the data may only be used for the purpose for which it was initially collected.
The GDPR has set a broader definition of personal data and imposed strict regulations on data collection, storage, processing, access, security, and transfer. The GDPR applies to all organizations operating within or outside the EU regions dealing with the personal data of individuals living in the EU.
The California Privacy Rights Act (CPRA) is an upgraded version of the CCPA and takes effect on January 1, 2023. The new act amends data privacy rights by modifying existing consumer rights and introducing additional ones. Among its many other additions, the CPRA introduces a new category of personal information, sensitive personal information (SPI), which businesses may use only for limited purposes, while consumers can restrict businesses from any other uses. The new law will be enforced by the California Privacy Protection Agency (CPPA).
The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) models most of its provisions after the EU GDPR. LGPD has defined 9 privacy rights for individual data subjects, 10 legal bases for lawful processing of personal data, and the obligation to businesses to provide data protection impact assessment (DPIA) upon the request of the Brazilian Data Protection Authority (ANPD). LGPD further requires businesses to recruit a data protection officer (DPO) to oversee the implementation of the law and offer guidance to the senior management regarding compliance with LGPD.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-specific data privacy and protection framework that governs only the collection, processing, and security of credit card data. PCI DSS defines 12 security requirements grouped under 6 goals that every payment card processing service must comply with to ensure the secure collection and processing of cardholder data. PCI DSS focuses more on specific security technologies, policies, and processes.
The United States Health Insurance Portability and Accountability Act (HIPAA) regulates how an individual’s personal health information should be treated. Under HIPAA, personal health information remains protected for up to 50 years after an individual’s death. A violation of HIPAA can result in a fine of $1,500,000.
Although privacy laws offer some hints, principles, and guidance on data privacy and protection, they do not necessarily spell out how a sound data privacy framework should be implemented. Let’s take a look at some of the challenges that hinder organizations from protecting data privacy and meeting compliance requirements.
Most organizations have sensitive data spread across a number of different systems and environments. Organizations that deal with petabyte-scale data, in particular, often hold sensitive data in managed services, on-prem systems, and cloud servers. Discovering sensitive data becomes even more daunting across legacy systems, where it tends to get lost. It is fairly challenging to monitor the flow of data in a dynamic environment and to track its lineage and residency.
Data privacy becomes harder with the proliferation of data assets, especially shadow IT. Shadow IT is the use of applications, systems, and resources that have not been sanctioned by the IT team, and it may include BYOD. The growth of shadow IT can be measured by the fact that 80% of employees admit to using cloud applications without the approval of the IT team. Other statistics report that 83% of IT teams believe employees use unsanctioned cloud storage services to store business data. Keeping track of all those devices across the board is challenging, and losing track of them leads to poor data privacy.
As mentioned earlier, there are now far more privacy laws across the globe than there were a decade ago. The challenge arises from the varying regulations, provisions, and definitions that apply to personal information, its processing, and its protection. Compliance is especially hard for businesses that handle data at petabyte scale, which struggle to determine the level of data privacy they need to apply to each dataset.
Most data privacy breaches are the result of poor access control. Internal employees, malicious insiders, or corporate spies may gain access to data that is not properly protected. As data systems and the data itself grow, it becomes difficult for organizations to keep track of sensitive resources and of the access levels their employees hold.
Compliance with privacy regulations is imperative for customer trust and loyalty, and for staying ahead of the competition. To achieve that, organizations must also streamline their data privacy and protection practices. Let’s take a look at the following best practices that can help define an organization’s approach to robust data privacy.