What is Data Privacy?

Increasingly, individuals are asking about and learning the importance of their privacy rights across the globe. They are beginning to inquire about the privacy of their personal information, its integrity, how it is collected and being used, and more importantly, its security.

Similarly, nations seem to be united on protecting the integrity and privacy of consumers’ personal information by regulating the data through privacy laws. Privacy was first noted as a fundamental right by the United Nations in 1948, the European Union wrote a convention in 1985 and since then many laws have been enacted - including the EU’s General Data Protection Regulation (GDPR) that came into force in 2018 and California’s CCPA enforced in 2020.

Each law has differences around definitions of what is considered personal data (or in the USA PII), the lawful basis for collection of personal data (consent, contract, vital interests, etc.), automated decision-making using that data and processing, including whether, how and when data can be transferred to 3rd parties. These laws also provide rights to the individuals concerned so that they have the right of access, remediation, and deletion of data held.

New laws are coming into force on a regular basis - see our global map of privacy laws for the latest information on each country and state. Violations of these laws can result in bad publicity, millions of dollars in fines, class action lawsuits from individuals, and other penalties that may include imprisonment in some countries.

Take, for instance, the EU GDPR’s record-breaking fine of $865 Million on Amazon for violating the regulations associated with obtaining data subject consent.

Where does data privacy fit in all that? Why is it important for businesses in the GDPR or CCPA era? What is its role in regulatory compliance?

Data privacy is the resulting pay-off of all those consumers’ concerns regarding the use of their personal information, the growth of data that keeps multiplying ceaselessly, and the increasing number of regulatory requirements.

This guide will discuss the definition of data privacy, its importance, role in compliance, challenges, and some best practices.

What is Data Privacy?

In a broader sense, data privacy is the general right of every individual to be free from any prying or intervention. In plain terms, they have the right to be left to their affairs. In the internet-centric sense, data privacy is the principle of giving control of the flow of personal information (PI) to an individual. They have the right to know how their PI is collected, processed, and treated. They have the right to inquire about the third parties with whom the PI is shared. They also have the right to ensure that their data is being protected or kept private.

In the age of digitalization, there’s a seemingly never-ending growth in the collection and generation of data – It is reported to hit 175 zettabytes of data by 2025. Businesses are collecting users’ data at various touch points throughout their interactions. The same data is then broken down, refined, and analyzed to make critical decisions, improve users’ experience, and feed innovations.

In the United States, “Data Privacy” is the term used in policies, laws, and regulations. However, in the European Union and other countries, the term “Data Protection” is used in laws, regulations, and policies. The common understanding is that data protection is a wider term that includes all areas from theory, practice, and implementation; for example, includes references to the use of data (such as automated decision-making) where privacy is more narrowly focused on the individual elements collected and used. Honestly, though, in many documents, the two terms are used interchangeably.

Types of Data Privacy

Since data privacy isn’t a hard and fast science, it is hard to describe it objectively. Similarly, it is just as hard to exact the various types of data privacy. However, the most important and frequently mentioned categories of data privacy include the following:

Financial Data Privacy:

Financial information such as credit card information shared with an organization as part of a transaction or for any other purpose is sensitive and needs to be appropriately protected.

Medical Data Privacy:

A user’s medical history, such as details related to medical treatment in the past or the medications they’re on, is vital information. As such, this information must be protected and appropriately secured against any unconsented sharing of such data with third parties.

Biometric Data Privacy:

Owing to technological advances, users now rely on biometric information as login credentials for everything ranging from their smartphones to their financial PIN codes. Hence, such data is highly valuable while being sensitive simultaneously, requiring appropriate measures to protect it at all times.

Political/Religious Data Privacy:

This is information that websites, primarily social media sites, can discern about an individual based on their interactions with others and content on the platform. However, such discernment about a user’s political or religious beliefs does not free the organization from its obligations to maintain the privacy of such data by taking the appropriate measures.

The Importance of Data Privacy

Data is inarguably the ultimate driving component in various sectors. The internet giants have all built their empires atop the data that they have been collecting and processing for many years. The data economy keeps getting larger with the growing technological advances associated with the proliferation of data and its collection.

Customers are now considering data privacy as one measure of an organization that they consider before they do business with it. Organizations with a sound data privacy strategy and framework are able to reduce data breaches by a significant margin. A lower number of breaches give organizations a better chance at upholding that trust. With a reduced number of breaches, organizations can prevent heavy fines, penalties, and civil lawsuits.

The Different Laws That Govern Data Privacy

As technologies around the collection of data have improved over the years, governments across the globe have started regulating how organizations treat personal information. There are now multiple global and regional laws that govern how organizations collect information, process it, and protect it. In its The Top 8 Cybersecurity Predictions for 2021-2022, Gartner predicted that modern privacy laws will cover 75% of PI of the global population by 2023.

Let’s take a look at some of the most prominent data privacy laws:

Online Data Privacy

CCPA

The California Consumer Privacy Act (CCPA, soon to be CPRA) regulates how consumers’ personal information is collected and treated. The privacy law applies to businesses operating within or outside of California offering products and services to consumers living in California. The CCPA impacts over 40 million California residents and 0.5 million businesses in California. Amongst the many privacy rights that CCPA bestows on consumers, the right to opt-out ensures businesses do not sell consumers’ personal information. Businesses are required to set up a “Do Not Sell My Information” button on their website to comply with this right.

GDPR

The General Data Protection Regulation (GDPR) is by far the most comprehensive privacy and data protection law in the world, inspiring many other countries to follow up on the provisions provided under GDPR. The regulation is based on the EU Charter of Fundamental Rights that considers the protection of an individual’s personal data as a basic human right. GDPR considers that in all cases the individual “owns” their data and any time it is used by an organization it is only on loan and the individual can ask for data access, data update, data deletion, and that the data can only be used for the purpose it was initially collected.

The GDPR has set a broader definition of personal data and imposed strict regulations on data collection, storage, processing, access, security, and transfer. The GDPR applies to all organizations operating within or outside the EU regions dealing with the personal data of individuals living in the EU.

CPRA

The California Privacy Rights Act (CPRA) is an upgraded version of the CCPA, and it is going to take effect from January 1, 2023. The new privacy act has amended data privacy rights by modifying and introducing additional consumer rights. Amongst the many other additions, the CPRA has also introduced a new category of personal information, i.e., sensitive personal information (SPI), mandating businesses to only use SPI for limited purposes and at the same time, enabling consumers to restrict businesses from any other uses. The new law will be enforced by the California Privacy Protection Agency (CPPA).

LGPD

The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD) models most of its provisions after the EU GDPR. LGPD has defined 9 privacy rights for individual data subjects, 10 legal bases for lawful processing of personal data, and the obligation to businesses to provide data protection impact assessment (DPIA) upon the request of the Brazilian Data Protection Authority (ANPD). LGPD further requires businesses to recruit a data protection officer (DPO) to oversee the implementation of the law and offer guidance to the senior management regarding compliance with LGPD.

Financial Data Privacy

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-centric data privacy and protection framework that governs only the collection, processing, and security of credit card data. The PCI DSS defines 12 security requirements grouped under 6 goals that every payment card processing service must comply with to ensure the secure collection and processing of cardholders’ data.PCI focuses more on specific security technologies, policies, and processes.

Healthcare Data Privacy

HIPAA

The United States Health Insurance Portability and Accountability Act (HIPAA) regulates how the personal health information of an individual should be treated. Under HIPAA, personal health information is covered for up to 50 years of an individual’s death. The violation of any act under HIPAA would result in a fine of $1,500,000.

Challenges Organizations Face with Data Privacy Protection

Although privacy laws provide a few hints, principles, and guidance on data privacy and protection, they don’t necessarily elaborate completely on how a sound data privacy framework should be implemented. Let’s take a look at some of the challenges that hinder organizations from ensuring the protection of data privacy and meeting compliance requirements.

Pervasive Sensitive Data

Most organizations have sensitive data across a number of different systems and environments, Especially, organizations that deal with petabyte-scale data often have sensitive data in their managed, on-prem systems, or cloud servers. The challenge of discovering sensitive data becomes more intimidating when it comes to finding it across legacy systems where it tends to get lost. It is fairly challenging to monitor the flow of data in a dynamic environment and to track its lineage and residency.

Rapid Increase in Shadow IT

Data privacy becomes challenging with the proliferation of data assets, especially shadow IT. Shadow IT is the use of applications, systems, and resources that aren’t sanctioned by the IT team, and it may include BOYD. The growth in shadow IT can be measured by the fact that 80% of employees admit that they use cloud applications without the approval of the IT team. Other statistics report that 83% of IT teams believe that employees use unsanctioned cloud storage services to store business data. Keeping track of all those devices across the board can be challenging which may lead to poor data privacy.

The Growing Number of Global Privacy Laws

As mentioned earlier, there are now more privacy laws across the globe than there were a decade ago. The challenge arises with varying regulations, provisions, and definitions associated with personal information, processing, and protection. Compliance becomes challenging for businesses that deal with data at a petabyte-scale. Businesses find it difficult to track the level of data privacy they need to implement for varying datasets.

Ineffective Access Control

Most data privacy breaches are often the result of poor access control. Internal employees, malicious employees, or corporate spies might gain access to data that is not properly protected. With the growth in data systems and the data itself, it becomes difficult for organizations to keep track of sensitive resources and employees’ access levels.

Data Privacy vs. Data Security

With more and more data privacy laws coming into effect globally, data privacy has become a tremendously important strategic and operational goal for most organizations. Each regulation that comes into effect places different requirements and obligations on organizations, resulting in data privacy being more dynamic in nature.

On the other hand, data security is a staple industry name now. Whether it’s a multinational conglomerate or a startup, it is rare to find an organization that does not treat data security as a literal matter of life and death since data integrity loss or corruption can have devastating consequences.

But what exactly sets them apart, and more importantly, are they really so different from one another?

In a nutshell, while data privacy and security are different aspects of an organization’s data processing obligations, they are highly dependent on one another. Most organizations collect personal data from their users in the form of email addresses, phone numbers, credit cards, login credentials, and so much more.

Owing to both their regulatory obligations and operational requirements, they must maintain the privacy of this collected data. That is only possible if the data in question is appropriately protected.

Data security is the protection of data from any form of theft, corruption, and unauthorized access that may jeopardize the storage, usage, sharing, archiving, and creation of data. It is not limited to virtual space as any physical and policy changes designed to achieve the aforementioned purpose are also data security.

Standard methods used in data security involve encryption, data masking, and redaction of sensitive data.

Data privacy, on the other hand, aims to ensure that the data subject has appropriate control over how their data is used after the organization has collected it. Giving users a chance to unsubscribe from email marketing and newsletter is an introductory example of how organizations aim to provide users with appropriate data privacy.

Other common aspects of data privacy include only sharing/selling users’ collected data with third parties after getting the users’ informed consent, as well as only using the collected data for purposes that were specified during the initial permission to collect the data.

Data Privacy Best Practices

Compliance with privacy regulations is imperative for customer trust and loyalty, and to stay ahead of the competition. But to achieve that, it is also important that organizations must streamline their data privacy and protection practices. Let’s take a look at the following best practices that can help define an organization’s approach to robust data privacy.

• Keep track of all the systems and resources containing personal information or sensitive personal information. Monitor the inclusion of new devices or unregistered devices regularly.
• Discover all PI and sensitive PI across all the structured and unstructured systems to identify its lineage, residency, and privacy use cases.
• Identify data owners to help define and establish a data governance framework.
• Monitor employees’ access level to sensitive data and implement least privilege access to reduce insider threats.
• Adopt and implement a Privacy by Design (PbD) approach to streamlining data privacy. To begin with, conduct routine assessments to minimize the risk impact on privacy. Create effective retention policies and ensure strict security measures, including encryption, MFA, SSO, etc.
• Data privacy isn’t a done and delivered process but iterative. Therefore, leaving the implementation of the process to traditional technologies and manual labor could result in delayed implementation, erroneous execution, and compliance failure. The best feasible option is to automate the process to reduce error and increase efficiency.
• The expansion of data is beyond the expectations of anyone. Organizations with international roots are dealing with data at a petabyte scale. Therefore, it is a must for organizations to adopt automated solutions that can help them scale their process with their growing inventory of data.
• Data privacy and data protection need to be instilled in every employee of an organization or its culture. Routine training and awareness sessions should be conducted to educate employees about data security practices.