The Cambridge Analytica scandal of 2018 and documentaries like Netflix’s “The Social Dilemma” have put a spotlight on issues surrounding data privacy.
The magnitude of information and control that corporations, governments, and many of the large technology companies possess is alarming to both consumers and businesses alike.
Seventy-nine percent of Americans report being concerned about the way their data is being used by companies, according to Pew Research. While there’s no way to eradicate the unethical use of private data, an informed understanding of data security and privacy can help companies and individuals take constructive measures to mitigate data privacy risk.
Data privacy or information privacy has to do with handling all data related to a person’s identity with respect to their confidentiality and anonymity. It deals with safeguarding an individual’s fundamental rights of privacy as defined by international and regional laws.
It also determines what data can be rightfully shared by third parties. There are three main elements to data privacy: the right of an individual to be left alone and control their personal data, procedures for proper handling and processing of data, and compliance with data privacy regulations.
For an individual, data privacy can be applied to personally identifiable information (PII) and personal health information (PHI). This may include social security numbers, health and medical records, financial data, and basic information like names, addresses, and birthdates.
For businesses, this may include information that assists a company in its operations, such as proprietary research and development data or confidential financial information that highlights profit and expenditure.
Data privacy ensures personal information cannot be exploited for nefarious reasons, including identity theft, fraud, and in severe cases, unlawful character defamation.
Personal information can be anything found on one’s driver’s license to banking details, as well as personal photos and images.
Organizations and businesses have sensitive or confidential information that should not be in the public domain. This may include preliminary scientific research, business operating frameworks, sensitive data between employees and HR, or client information. In a business context, safeguarding data provides a competitive edge and prevents delicate data from getting into crooked hands.
Data privacy protection also upholds freedom of speech. While distinctions should inevitably be made between hate speech and freedom of expression, it becomes easy to misconstrue information or take things out of context without data privacy. This is especially dangerous in countries and environments where the freedom of expression is restricted. For example, Privacy International outlined an example, highlighting how the Chinese government uses the personal data of their citizens as a monitoring tool for anti-Chinese communications.
Increased improvements to maintain data privacy make it difficult for hackers to access certain information. If the steps necessary to implement data protection controls are not taken, personal and company data can be used for blackmail, extortion, identity theft, phishing scams, and numerous other kinds of fraudulent activities.
Many people use data privacy and security interchangeably. However, data privacy focuses on the collection, processing, sharing, archiving, and deletion of data. Data security, on the other hand, are measures that an organization takes to prevent third parties from unauthorized access or any intentional or unintentional alteration, disclosure, or deletion of data. Data security aims to prevent the exploitation of stolen data garnered from data breaches and cyber attacks. Techniques include access control, data masking, encryption, and network security.
Data privacy regulations are complex because there isn’t a single comprehensive federal law that governs data privacy in the United States. As a result, many sector-specific and medium-specific laws address health information, telecommunications, credit information, financial institutions, and marketing.
The USA’s Federal Trade Commission Act does not explicitly regulate what information should be included in website privacy policies, even though it exerts its authority to issue regulations, protect consumers, and enforce privacy laws.
On the upside, federal laws govern online data collection, such as the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, the Health Insurance Portability and Accounting Act. Each act is tailor-made to its specific industry.
In the United States, the most notable and comprehensive data privacy legislation is the California Consumer Privacy Act (CCPA), which went into effect as of January 1, 2020. This legislation imposes hefty duties on entities or persons that collect personal information about or from California residents.
On a global scale, the General Data Protection Regulation (GDPR) governs the collection, use, transmission, and security of data collected from residents who are part of the European Union. Any business that fails to uphold the law may be liable for a fine of up to 4% of the EU’s total global turnover.
Data breaches and non-compliance with privacy regulations can be a costly affair. Here’s a list of data privacy risks that could impact business:
Individuals and companies should be privy to or have access to a privacy guide that informs them on the data privacy basics they are responsible for, including avoiding errors such as poor password hygiene, personal data sharing without explicit consent, as well as not rectifying outdated or incorrect personal data. Businesses should have a data privacy guideline available for both employees and customers. This resource will ensure there is a clear understanding of data privacy policies.
Always ensure that data is transferred over secure channels, ie. SFTP, HTTPS, or TLS. If a website is not secure, it means personal information could be modified, stolen, or read by hackers. In addition, any data stored via a cloud vendor should always be vetted to ensure maximum protection.
All data privacy compliance programs should have a multi-pronged incident response plan with a set protocol to adhere to if there is a cybersecurity attack. Most plans have six phases: preparation, identification, containment, eradication, recovery, and a debriefing. Your robust data governance program should be flexible enough to keep you compliant with changing data security and privacy legislation.
Not everyone can afford the millions of dollars corporate and government organizations spend each year on data security. However, when it comes to personal data protection, there are few simple steps you can take.
Software updates don’t just iron out functionality issues; they also eradicate vulnerability issues and update a device’s security system. Even though they can be inconvenient, it is one of the simplest ways to ensure greater data protection. In addition, antivirus software also offers critical protection against malware, i.e., software specifically designed to send personal data to unauthorized third-party users over the internet.
Ensure your at-rest data (data stored on physical servers) and in-transit data (information on cloud servers) are properly encrypted. Algorithms that have Advanced Encryption Standard (AES) offer at least 128-bit encryption. For highly sensitive data, 256-bit encryption is most appropriate. You can encrypt data with a VPN pin to ensure no one can read it, even if it is hacked.
Don’t be lackadaisical with passwords just because it’s convenient. Try to use a unique, complex password and don’t replicate it on every application and/or device. In addition your password should include a combination of upper and lower case letters, numbers, and special characters. Avoid basing your password on birth dates or things that strangers can easily guess, such as hometown or middle name, after performing basic research. An audit can help you gauge your password strength, while multi-factor and two-step authentications go a long way in bolstering data security.
Non-production data environments used for development, testing, and analytics pose the highest risk. A data masking solution that automatically identifies sensitive information in data sources, runs de-identification algorithms, and creates an auditable data privacy history can drastically mitigate the risk of a data breach. Data masking also enables enterprises to govern data in accordance with security policies and data privacy regulations.
Even with a basic overview of data privacy, many people still have a few pressing but common questions around the responsibility and the protection of data.
Which member of an organization is responsible for privacy?
Any employee who handles personal data is responsible for its privacy. However, there is a difference between responsibility and accountability. Accountability falls mostly on the shoulders of business leadership. If executed well, this accountability also trickles down to each employee.
Organizations should have a privacy guide or policies in place that comply with the law. That organization’s specific business process owners are tasked with running these policies. Some organizations have a data protection offer (DPO) to protect data and develop and implement policies and processes.
No. However, the General Data Protection Regulation (GDPR) mandated by the European Union is seen as a benchmark by many nations. In the U.S., data privacy laws differ in each state.
Personal data includes any data that can be used to identify an individual, including information that can be linked together to identify a person, like a salary slip, for example. Any action on data is considered processing, including storing, transferring, pseudonymization, changing, and copying.
This tool is used to identify and reduce the privacy risks in any given project, program, or organization. It is used to record the management of privacy risks at different points in time in a project’s, program’s, or organization’s life cycle. Any initiative that requires the processing of personal data should always have a data protection impact assessment.
Having a strong data security and privacy practice includes having robust policies, processes, and tools in place to help manage requirements. Employees should be regularly communicated with about training or changes that may affect them. Having the technology and tools in place to automatically identify sensitive data across the enterprise, protect that data, and scale across teams can help businesses adapt quickly and ensure compliance.
Learn how Delphix's data masking capabilities can mask sensitive data for compliance with privacy regulations.