Data Privacy: What You Need to Know and How to Get Started

Data privacy is a huge public concern of the digital age, in part because data breaches continue exposing the personal data of millions of people. Even a single breach can have serious impacts: Individuals can suffer identity theft or blackmail, while companies risk financial costs along with damage to the public, investor, and customer trust.

Balancing the need to use personal data for business purposes against an individual’s right to data privacy is a challenge. This article explores the importance of data privacy, how it is related to data protection, which compliance regulations are focused on data protection, and what you should consider when adopting a data privacy policy.

What is data privacy, and which data is involved?

Data privacy, or information privacy, means handling all data related to a person’s identity with respect for confidentiality and anonymity.

 

To define data privacy, it’s useful to clarify exactly what is to be protected. Here are some of the types of information commonly considered sensitive, both by the general public and by legal mandates:

• Personally identifiable information (PII) — Data that could be used to identify, contact or locate an individual or distinguish one person from another
• Personal health information (PHI) — Medical history, insurance information and other private data that is collected by healthcare providers and could be linked to a certain person
• Personally identifiable financial information (PIFI) — Credit card numbers, bank account details or other data concerning a person’s finances
• Student records — An individual’s grades, transcripts, class schedule, billing details, and other educational records.

More broadly, in its “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” the National Institute of Standards and Technology (NIST) gives the following examples of information that may be considered PII:

• Names, such as full name, maiden name, mother‘s maiden name, or alias
• Personal identification numbers, such as Social Security number (SSN), passport number, driver‘s license number, taxpayer identification number, patient identification number, or financial account or credit card number
• Address information, such as street address or email address
• Personal characteristics, including photographic images (especially of the face or another distinguishing characteristic), x-rays, fingerprints, or other biometric images or template data (e.g., retina scans, voice signature, facial geometry)
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).

What data isn’t subject to privacy concerns?

It’s also useful to lay out what types of data are not subject to data concerns. There are two primary types:

• Non-sensitive PII — Information that is already in the public record, such as a phone book and online directory.
• Non-personally identifiable information (non-PII) — Data that cannot be used to identify a person. Examples include device IDs or cookies. However, some privacy laws hold that even cookies can be considered personal data because they can leave traces that could be used in combination with other identifiers to establish a person’s identity.

Personal data protection and privacy regulations

Data breaches keep hitting the news, and people understand they are losing control over their personal information. Industry research shows that 71% of Americans occasionally or frequently worry about the hacking of personal data (Gallup, 2018) and that 8 in 10 U.S. adults are concerned about the ability of businesses to safeguard their financial and personal information (American Institute of CPAs (AICPA), 2018).

Due to rising public concerns, governments are busy creating and adapting privacy data protection laws. In fact, the need to address modern privacy issues and protect data privacy rights is a global trend. The EU’s General Data Protection Regulation (GDPR)  is the best-known law, but many countries, including Brazil, India, and New Zealand, have enacted new privacy regulations or strengthened existing laws to regulate how personal data can be collected, stored, used, disclosed and transmitted.

Here are the U.S. federal privacy laws that restrict companies from inappropriate sharing of personal data and the specific types of data they target. Note that many U.S. states are also passing their own mandates.

• Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH) — Protects personal health information
• Gramm–Leach–Bliley Act (GLBA) — Limited to financial information
• Children’s Online Privacy Protection Act (COPPA) — Protects children’s privacy by allowing parents to control what information is collected
• Family Educational Rights and Privacy Act (FERPA) — Protects students’ personal information
• Fair Credit Reporting Act (FCRA) — governs the collection and use of consumer information

Data protection vs. privacy protection

Data privacy is closely related to data protection. Data protection share the same goal: safeguarding sensitive data from breaches, cyberattacks, and accidental or intentional data loss. However, while information privacy is focused on rules for how organizations may collect, store and process personal information, data protection is focused on the security controls that provide for the confidentiality, integrity, and availability of information. Moreover, data protection often involves safeguarding not just personal information but other business-critical data as well, such as company trade secrets and financial data.

In other words, data protection requires implementing policies, controls and procedures to satisfy privacy principles, such as the following principles listed in the ISO/IEC 29100 framework:

• Consent and choice
• Purpose legitimacy and specification
• Collection limitation
• Data minimization
• Use, retention, and disclosure limitation
• Accuracy and quality
• Openness, transparency, and notice
• Individual participation and access
• Accountability
• Information security
• Privacy compliance

How can you get started with privacy protection?

Simply implementing one or more data security technologies can’t guarantee that you will achieve data privacy. Instead, when building your data privacy protection policies, be sure to follow these best practices:

• Know your data. It is essential to know what information is being collected, how it is being used, and whether it is being sold to or shared with third parties. Since different types of PII and their combinations are not equal in their value and some types of personal data become sensitive in certain contexts, you need to classify your data using a quality data discovery and classification solution.
• Get control over your data stores and backups. Make sure you don’t keep personal data without a defined purpose. Develop retention policies and minimize personal data according to its value and risk.
• Safeguard against unauthorized access. Implement and strictly maintain the least-privilege principle to ensure that users can access only the data they need to do their jobs and monitor your systems for suspicious access attempts. Devices, computers, and network drives should have adequate security controls in place, such as access controls, encryption, and antivirus software.
• Manage and control risk. Data privacy protection needs to include a regular risk assessment. Instead of building a framework from scratch, you can adopt a commonly used one, such as the NIST risk assessment framework documented in Special Publication SP 800-30.
• Train users on a regular basis. Make sure that employees are aware of the nuances of data privacy and security. Explain privacy basics from the very beginning, noting which devices can be used when working with sensitive data and how this data may be transferred and shared. Sometimes, it is necessary to remind people that they are not allowed to revise other person’s records out of curiosity or for personal reasons or to take data with them when they leave the organization.

Conclusion

The time when personal data could be quietly collected and shared is gone. Today, organizations that store and use financial, health and other personal information must handle that data with respect for its privacy. Using the best practices outlined here will help your organization create a baseline privacy framework for becoming a responsible and ethical steward of personal data.