Data is a company’s most valuable asset. Yet, we are still seeing many enterprise organizations failing to give their data the proper protection it requires. For companies, compliance auditors, and customers alike, the privacy of data is a key concern. So, what exactly is data privacy and how can you ensure that the data you store remains private?
What is Data Privacy
Data privacy focuses on preventing the unauthorized disclosure of sensitive personal information and describes the way that personal data is (or at least should be) collected, stored, and processed. In order to ensure that personal data is handled in a confidential manner, organizations must obtain consent from their users regarding the way their data will be used. A failure to do so could result in fines, lawsuits, and a loss of business due to a lack of consumer/investor confidence. Data privacy is also about complying with the relevant data privacy laws, such as GDPR, HIPAA, CCPA, and so on.
The Relationship Between Data Privacy and Data Security
The terms “data privacy” and “data security” are often used interchangeably, although there are subtle differences between them. As mentioned, data privacy is more focused on the way data is collected, stored, and used. Data security, on the other hand, is more focused on the safeguards put in place to protect it. This also includes data that belongs to the company itself, such as trade secrets, intellectual property, and any other information which, were it to be exposed, might put the company at a competitive disadvantage.
It should be noted that even if a company has the best safeguards in place to protect their data, a data subject’s privacy might still be at risk if they didn’t obtain the necessary consent before processing their data. In other words, you can have data protection without data privacy, but you can’t have data privacy without data protection.
Why is Data Privacy Important
You may have heard people refer to data as “the new gold”. However, one could argue that this is an understatement. According to the following article, data has become the world’s most valuable commodity. In short, the more a company knows about its customers, the more profit it will generate.
It’s worth noting that Google, Facebook, and Amazon are some of the richest companies on the planet, and the acquisition and distribution of data is a core part of their business model. To put things in perspective, it is thought that each individual’s Facebook data may be worth in excess of $100, and there are approximately 2.6 billion monthly active Facebook users.
If we take a resource that is valuable, replicable, reusable, and easily transmitted, we end up with a resource that is highly sought after, yet hard to protect. As such, Governments, organizations, and consumers are starting to expect high data privacy and security standards.
Companies processing sensitive personal data are expected to have clear and concise privacy notices, as well as the ability to demonstrate transparent processing activities to their customers and business associates, and of course, the supervisory authorities.
Data privacy is seen by many as a human right. As you would expect, consumers feel uncomfortable about organizations keeping track of their location, sifting through their posts, photos, contacts, or monitoring their keystrokes, yet such activities are common – hence the need for data privacy regulations.
Data Privacy Regulations
Governments across the globe now recognize the importance of data privacy, and many have introduced their own data privacy laws. Perhaps the most notorious data privacy law to be introduced was the EU’s General Data Protection Regulation (GDPR), which was enacted in May 2018. The GDPR was controversial due to its “extraterritorial scope”, which meant that any company that processes data belonging to EU citizens must comply, even if they are not located in Europe. The GDPR introduced a number of additional rights for data subjects, which include;
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure/to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object and rights in relation to automated decision making and profiling.
Other notable data privacy laws include;
The Health Insurance Portability and Accountability Act (HIPAA): A United States federal statute enacted in 1996 that outlines the lawful use and disclosure of protected health information.
The Gramm-Leach-Bliley Act (GLBA): A United States law that came into effect in 1999, which is designed to control the ways that financial institutions deal with the private information of individuals.
The California Consumer Privacy Act (CCPA): A United States law that was introduced in 2018, which is intended to enhance privacy rights and consumer protection for residents of California.
The Children’s Online Privacy Protection Act (COPPA): A United States federal law that came into effect in 1998, which imposes certain requirements on operators of websites or online services directed to children under 13 years of age.
The Payment Card Industry – Data Security Standard (PCI-DSS): A set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
ISO 27001: An international standard published in September 2013, which was introduced to help organizations manage information security.
The Federal Information Security Management Act (FISMA): A United States federal law passed in 2002, which made it a requirement for federal agencies to develop, document, and implement an information security and protection program.
Sarbanes-Oxley Act (SOX): A United States law designed to increase transparency in the financial reporting of corporations.
Data Privacy Tips
Below is a list of tips that can help you keep sensitive personal data out of the wrong hands and comply with the relevant data privacy laws;
- Expect the unexpected: Understand that all organizations, big and small, are potential targets. As they say, it’s not a question of if, but when, a data breach will unfold.
- Conduct security awareness training: Since employees are the first line of defence, it is crucially important that you carry out regular training to ensure that all employees are able to identify suspicious activity, and to create a “culture of security”.
- Use free security tools: There are many free tools available to help you keep your systems and data secure, which include; encryption solutions, password managers, and VPNs.
- Take regular backups: If your organization falls victim to a ransomware attack, or some other type of cyber-attack that affects the integrity/availability of your critical assets, you may need to restore a backup.
- Implement the zero trust model: It is wise to assume that malicious actors already have access to your network. When a user tries to access a critical resource, they must verify their identity, device, network path, and access rights.
- Use multi-factor authentication: MFA provides an extra layer of security by requesting an additional verification method, such as a passcode sent to your mobile device, biometric information, or some sort of hardware token.
- Classify your sensitive data: Naturally, if you want to keep your data secure, it helps to know exactly what data you have, and where it is located. Not only that but data privacy regulations such as the GDPR mandate that organizations respond to Subject Access Requests (SARs), which means that you will need to be able to locate all data belonging to a given subject in a timely manner.
- Enforce “least privilege” access: As always, you must ensure that access to sensitive personal data is restricted in accordance with the Principal of Least Privilege (PoLP), and as soon as access is no longer required, it should be revoked immediately.
- Monitor access to sensitive data: Anytime sensitive personal data is accessed, created, moved, modified, shared, or deleted, you will need to know about (in real-time), and be able to verify the legitimacy of the actions performed. Most sophisticated real-time auditing solutions will generate pre-defined reports that can be used to satisfy the compliance requirements that are relevant to your industry.
If you’d like to see how the Lepide Data Security Platform can help you protect your sensitive personal data and comply with the relevant data privacy regulations, schedule a demo with one of our engineers or start your free trial today.