Data privacy, often known as information privacy, is a subset of data security that focuses on the proper handling of data — consent, notice, and regulatory duties. Practical data privacy considerations frequently revolve around:
- If and how data is shared with third parties.
- How information is legally collected and stored.
- GDPR, HIPAA, GLBA, and CCPA are examples of regulatory constraints.
In this article, we’ll look at why data privacy is important and how it relates to data security. Then we’ll look at the data privacy legislation in various significant countries and industries. Finally, we’ll discuss how to increase your data privacy in both personal and corporate settings.
Why is Data Privacy Important?
There are two reasons why data privacy is one of our industry’s most pressing concerns.
Data is one of a company’s most valuable assets. Companies see significant value in collecting, sharing, and using data as the data economy grows. Google, Facebook, and Amazon have all established empires on the back of the data economy. Transparency in how organizations obtain consent, adhere to privacy policies, and manage data obtained is critical to establishing confidence and accountability with consumers and partners who expect privacy. Many businesses have learned the value of privacy the hard way, as a result of publicly publicized privacy failures.
Second, privacy is an individual’s right to be free from unwelcome scrutiny. It is essential to living in a democratic society to be able to exist in one’s own space and openly express one’s thoughts behind closed doors.
“Privacy is the foundation of our freedom.” “You must have periods of reserve, meditation, closeness, and seclusion,” says Dr. Ann Cavoukian, former Ontario Information, and Privacy Commissioner.
Dr. Cavoukian is well-versed in data privacy. She is most known for her contributions to the establishment of Privacy by Design (PbD), which has become a cornerstone of many pieces of modern data privacy laws.
Data Privacy vs. Data Security
Organizations frequently feel that keeping sensitive data secure from hackers automatically makes them comply with data privacy rules. This is not true.
Data security and data privacy are frequently used interchangeably, although there are important distinctions:
- Data security safeguards data against compromise by both external attackers and harmful insiders.
- Data privacy governs how information is gathered, shared, and used.
Consider a situation in which you have gone to considerable measures to protect personally-identifying information (PII). Access to the data is restricted, and various overlapping monitoring mechanisms are in place. However, even if the data is protected, if that PII was gathered without proper consent, you may be in violation of a data privacy rule.
Data Protection is the Force Behind Our Right to Privacy
Despite recent gains in data privacy legislation and practice, firms and governments often infringe or compromise consumers’ privacy. As a result, some claim that customers have already lost the privacy battle.
While data protection can exist without data privacy, data privacy cannot exist without data protection.
Ensuring data privacy implies that you are not the creepy corporation that greedily collects all of your customers’ personal data – whether, through passive location monitoring, apps silently swallowing your personal address book, or websites secretly capturing your every keystroke.
Employees should instead be trained on data protection on a regular basis so that they understand the processes and procedures required to ensure proper gathering, distribution, and use of sensitive data as part of a data security portfolio.
Regulations requiring organizations to protect data are also part of information privacy. And, as global data protection policy expands, global privacy needs and demands will develop and alter. However, one constant is adequate data protection: it is the greatest approach to ensure that businesses comply with the law while also protecting information privacy.
Varonis’ products are among the most advanced in data security. As a result, our solutions are employed to safeguard consumer privacy all over the world.
Different Definitions of Data Privacy
Though most people agree on the necessity of data privacy and that data protection is vital to protecting privacy, the definition of “data privacy” itself is notoriously difficult.
None of the regulations mentioned in this article – the GDPR, the CCPA, or the HIPAA – define data privacy precisely. Instead, the regulations they include recommend a number of best practices and define our consumer and company rights. Because every piece of legislation is different, attempting to define exactly what “privacy” means can be quite difficult.
The problem does not improve if we limit our focus to a single piece of legislation. The GDPR, or General Data Protection Regulation, is likely the most comprehensive piece of data privacy law in the world. Unfortunately, it is also perplexing: the New York Times described it as a “huge, bewildering jumble” in May 2018. The law offers citizens certain rights, including the right to data portability (the capacity to move data between platforms) and the right not to be subjected to choices based on automated data processing (prohibiting, for example, the use of an algorithm to reject applicants for jobs or loans).
- The issue is that the practical consequences of these principles are extremely complex. The GDPR, like much EU legislation, aims to present a unified front.
- To begin, you should be aware that the CCPA applies to the people of California (albeit in an unusual fashion), regardless of where your company is located. Similarly, no matter where your organisation is located, the GDPR safeguards the rights of EU citizens. You are protected if you deal with EU or California residents.
- The CCPA protects Californians’ right not to have their data sold by companies. Companies doing business with Californians (that is, any businesses with a website) must include a “do not sell my personal information” link on their home pages to provide consumers with the option to opt out of having their information sold. The GDPR, on the other hand, makes no mention of this concern.
- Another significant distinction is that, under Article 6 of the GDPR, businesses must demonstrate that they have a legal basis for collecting customer data. The CCPA, on the other hand, does not require you to justify acquiring or processing personal information.
Data Privacy Laws and Acts
Fortunately, legislators have realised the need for data privacy regulation and holding firms accountable for end-user data.
Companies must now establish whether data privacy acts and legislation apply to their users. For example, you must understand where the data came from (country and state), what personally identifiable information it may contain, and how it was used.
Let’s look at how the most current data privacy legislation affects users and businesses. The four most important elements of data privacy legislation are listed below.
The GDPR: EU Data Privacy Laws
The GDPR, which went into effect in May 2018, intends to protect the personal data of EU residents and is already having a significant impact on European businesses. There are numerous facets of the GDPR, as well as numerous actions that businesses must complete in order to achieve and maintain GDPR compliance. Among these include, but are not limited to:
- Users’ explicit opt-in consent
- The right to obtain information from businesses
- Your right to have your data erased
GDPR grants customers some data rights while also imposing security standards on firms that store their data. One difficult part of the regulation for businesses is the duty to respond to subject access requests.
Most corporations cannot readily identify, provide, or erase an individual’s personal data on demand. Many CIOs and data privacy officers rely on GDPR compliance software that automatically detects and categorizes personal data to secure it and expedite data subject access requests.
Data Privacy in Healthcare
Healthcare providers have always been a popular target for data breaches. Indeed, health records are enormously valuable—tens to hundreds of times more valuable than credit card data. As a result, they need to verify HIPAA compliance.
Despite the fact that Congress passed HIPAA in 1996, requests for even greater data privacy protection have grown, with data breaches at an all-time high and firms using and selling the data they acquire on their patients at an alarming rate.
Fortunately, the U.S. Department of Health and Human Services (HHS) enacted the Privacy Rule in December 2000 to carry out HIPAA’s duty to protect the privacy of individually identifiable health information.
If you’re wondering how GDPR and HIPAA compare, keep in mind that GDPR has a larger reach than HIPAA and does not only apply to health data. GDPR requires the protection of “sensitive personal data,” which includes health information. Bottom line: GDPR’s regulatory obligations are comparable to those of HIPAA.
Data Privacy for Financial Institutions
The Gramm-Leach-Bliley Act is another important regulation to be aware of (GLBA). The GLBA compels financial firms to protect consumer financial information. To accomplish this, use classification to easily determine where your sensitive financial data is kept.
The advantages of obtaining GLBA compliance are numerous. It decreases the possibility of fines and reputational damage as a result of unlawful disclosure or loss of sensitive financial data. The GLBA isn’t the same as the GDPR in the EU, but it won’t be long before America obtains its own.
Innovative US Data Privacy Laws
A number of other laws govern data privacy in the United States. Some of these are state-specific, while others apply to the entire country. These regulations reflect an innovative approach to preserving data privacy in the country, and in some cases go far further than existing legislation that addresses specific sectors.
The CCPA, for example, is a California statute that expands data privacy rights in that state. Businesses in California must be ready for the CCPA on January 1, 2020, in order to identify and discover personal information, fulfil data subject access requests, and protect consumer data. Consumers have the right to control how firms gather and use their personal data under the CCPA. This