DATA PRIVACY 101: WHAT YOU NEED TO KNOW NOW
HOW TO NAVIGATE WITHIN THE NEW DATA ECONOMY
As opposed to data security, Data Privacy or information privacy is concerned with the correct and lawful storage and processing of data, particularly personal data, including Personally Identifiable Information (PII), and the consent, notice, and regulatory obligations surrounding it. Privacy is a human right in a democratic society and ensuring that personal data is handled in a way that protects the rights, freedoms and interests of the individual is paramount to the principle of data privacy.
We’ll look at why data privacy is important, how data privacy differs from data security and what companies need to be considering in order to ensure both. Then we’ll take a look at some of the legislation that covers data privacy in several countries and industries.
TABLE OF CONTENTS
Why is Data Privacy important?
What is the difference between Data Privacy and Data Security?
How is Data Privacy enforced?
What does GDPR require?
What is Data Protection by Design and Default?
What are Subject Access Requests?
Data Privacy in Healthcare
Data Privacy for Financial Institutions
How do I enable Data Privacy?
WHY IS DATA PRIVACY IMPORTANT?
Ensuring that individuals’ data is stored and processed in a way that protects their rights, freedoms and interests is vital. The rise of the “data economy” means that companies derive enormous value in collecting, sharing and using data. Companies such as Google, Facebook, and Amazon hold vast amounts of data about their customers and personal data is now constantly moving between companies, their suppliers and third parties. It is now realistically impossible for individuals to track and control the use of their data if they want to function efficiently in the modern world. Therefore, transparency in how businesses request consent, abide by their privacy policies, and manage the data that they’ve collected is vital to building trust and accountability with customers and partners who expect privacy. We don’t really know who is seeing our data or how they’re using it and therefore we need appropriate safeguards to ensure that it is being treated properly.
WHAT IS THE DIFFERENCE BETWEEN DATA PRIVACY AND DATA SECURITY?
Many commonly believe that keeping PII data secure from cyber attack means that you are compliant with data privacy regulations. This is not the case. Data Privacy and Data Security are often used interchangeably, but there are distinct differences:
Data Security is part of the Safeguarding construct of a company (‘Health and Safety’ is another example of Safeguarding) and describes how data is kept secure in an organisation and how it is protected from compromise by external attackers and malicious insiders.
Data Privacy is about protecting the rights and freedoms of the individual and governs how data is collected, shared and used within an organisation. To that end it has far wider reaching considerations than just keeping it safely within the boundaries of a company’s systems.
Consider a scenario where you’ve gone to great lengths to secure PII. The data is encrypted, access is restricted, and multiple overlapping monitoring systems are in place. However, if that PII was collected without proper consent, you could be violating a data privacy regulation even though the data is secure.
Likewise, even if your organisation has suffered a breach and personal data has been leaked onto the internet, your ability to identify and maintain adequate control of where that data resides and how it is being treated goes a long way towards maintaining your claim to data privacy compliance, even though your data security measures may have been compromised.
While the two concepts are undoubtedly linked, they are not completely interdependent. It is a complex environment that needs careful understanding and treatment.
HOW IS DATA PRIVACY ENFORCED?
As data protection regulation tries to keep up with the continual evolution of technology, the way in which data privacy is regulated becomes more complex.
Firstly, data protection legislation does not tend to define precisely what is meant by data privacy. Best practices are described and recommended, and the rights and freedoms of consumers and businesses are set out, but in large part it is left to organisations to decide exactly how to achieve compliance, and this can heighten the risk for companies.
Secondly, since every piece of legislation is different, if your company operates in more than one region, trying to define exactly what is meant by “privacy” can be difficult. For instance:
The CCPA protects the right of Californians not to have their data sold by companies. Companies dealing with Californians must include a “do not sell my personal information” link on their website home pages to give consumers the right to opt out of allowing their information to be sold. GDPR, on the other hand, deals with this issue by offering the individual the opportunity to object to their personal data being transferred (or ‘sold’) to other parties where the transfer occurs in the legitimate interests of the parties involved with the transfer.
Under Article 6 of GDPR, companies must demonstrate that they have a legal basis for processing customer information. The CCPA, on the other hand, doesn’t require that you justify collecting or processing private data.
GDPR applies to all companies that work with personal data, whereas the CCPA only applies to for-profit businesses.
GDPR requires that “data protection officers” be appointed within companies where large-scale processing of personal data is a core business. The CCPA doesn’t require this, as long as the other provisions in the regulation are being adhered to.
GDPR’s Article 83 states that companies can be subject to fines of up to €20 million or 4% of total worldwide turnover. The CCPA, on the other hand, is much more lenient: companies are given a grace period of 30 days to fix the violation, and then are only fined $2500 per violation.
In practice, the lack of clarity, regional differences and the constant evolution of legislation means that companies effectively need to exceed the law in order to ensure compliance.
WHAT DOES GDPR REQUIRE?
Europe’s GDPR grants individuals a number of rights, including the right to data portability (which allows people to move their data between platforms), and the right not to be subject to decisions based on automated data processing (limiting, for example, the use of an algorithm to reject applicants for jobs or loans).
Fundamentally, you must identify and openly state the valid purposes and legal grounds for collecting and using personal data in a fair way that is not detrimental, unexpected or misleading to the individuals concerned. That means that the data that you collect and use must be sufficient, accurate, current and relevant to properly fulfil your stated purpose.
Crucially, you must ensure that you have appropriate security measures in place to protect the personal data you hold and you must be able to demonstrate that this is the case. This is a key aspect of the ‘integrity and confidentiality’ principle of the GDPR – previously known as the security principle.
GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
WHAT IS DATA PROTECTION BY DESIGN AND DEFAULT?
In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.
Data Protection by default, however, is where the responsibilities really kick in. Because, by default, it means that only personal data necessary for each specified purpose can be processed, including that it is not made accessible to an indefinite number of individuals. It means that you should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This affects every aspect of a company and involves developing a culture of ‘privacy awareness’ across your organisation.
It means that every business practice should protect personal data automatically through the entire lifecycle of the existence of the data. With privacy built into the system, the individual does not have to take any steps to protect their data – their privacy remains intact without them having to do anything. This is where the concepts of enabling both data protection security and data privacy at the same time come together and this may have far reaching consequences on a company.
Consider, for instance, that the lifecycle of a piece of data includes not just when it is being stored in a company’s systems but also after it has been breached. Data protection by default means that a company’s responsibility to manage that data does not end once that data has been breached and leaked unwittingly onto the internet. Putting in place strong security measures therefore needs to include looking outside your own systems and proactively looking for your data to see whether you have been breached, and if so where the data is and how you can continue to control it.
The other area that requires significant planning and structure concerns individuals making requests regarding their personal data, and in particular Subject Access Requests (SARs).
WHAT ARE SUBJECT ACCESS REQUESTS?
GDPR gives consumers certain rights over access to their data while also placing security obligations on companies holding their data. They have the right to ask an organisation whether or not they are using or storing their personal information, and can also ask them for copies of their personal information, verbally or in writing. They can ask:
what personal information an organisation holds about them;
how they are using it;
who they are sharing it with; and
where they got their data from.
The reality is that most organizations can’t easily locate, provide, or delete an individual’s personal data on request. Many CIOs and data privacy officers rely on GDPR compliance software that automatically discovers and classifies personal data in order to keep it protected and to help expedite data subject access requests.
DATA PRIVACY IN HEALTHCARE
The personal information contained in healthcare records is extremely valuable to cyber criminals due to the depth and type of the potential data involved. Health records being sold on the Dark Web have been known to fetch 10-20 times more than credit card numbers.
For this reason, healthcare providers have always been an attractive target for cyber attacks aiming to cause data breaches, especially in the US. Congress passed HIPAA in 1996, a data privacy regulation put in place to safeguard patients’ personal health information, and it has become one of the most prominent US data protection and privacy laws at the federal level. Calls for even greater data privacy protection have increased, with data breaches at an all-time high and the rate at which companies use and sell the data they collect on their patients rising fast.
DATA PRIVACY FOR FINANCIAL INSTITUTIONS
Another regulation that should be on your radar is the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to safeguard consumer financial data. To do this, leverage classification to quickly identify where your sensitive financial data is stored.
The benefits of achieving GLBA compliance are multi-fold. It reduces potential fines and reputational harm due to the unauthorized sharing or loss of sensitive financial data.
HOW DO I ENABLE DATA PRIVACY?
If you’ve read through the above, you’re probably wondering how you can ensure data privacy. In this section, we’ll give you some tips on how to do that, whether you are a business or merely a concerned consumer.
The link between data privacy and data protection security is clear, so initially working to ensure that your organisation is properly set up to protect personal data is vital:
Every employee at your company needs to understand the concepts of data privacy and data protection security. You should integrate training on data privacy into your training program, and it should be part of the onboarding process for new staff.
The teams and employees that will be directly involved or impacted by a data breach should also go through a full scenario planning exercise so that everyone understands how the company will react when a data breach occurs.
You should take all reasonable security safeguards, particularly monitoring your network for suspicious activity, so that you can identify an attack early enough to reduce the damage.
Just as important, however, is monitoring outside your own network to proactively look for data that may have been breached and identify ways to regain or maintain control of it.
You should reassure your customers that data privacy is important to you and engender trust that you have their data interests at heart. Full, open and detailed privacy notices and processes should be prepared to enable timely and efficient data privacy compliance, including rights requests.
Internally, you should proactively plan and manage access to sensitive and regulated data, including criminal offence and special categories of personal data such as ethnicity or race.
Finally, familiarity breeds contempt. It is very important to engage objective expert advice to guide and check your plans, policies and governance.