CIO.com

data privacy (information privacy)

By Stephen J. Bigelow

What is data privacy?

Data privacy, also called information privacy, is an aspect of data protection that addresses the proper storage, access, retention, immutability and security of sensitive data.

Data privacy is typically associated with the proper handling of personal data or personally identifiable information (PII), such as names, addresses, Social Security numbers and credit card numbers. However, the idea also extends to other valuable or confidential data, including financial data, intellectual property and personal health information. Vertical industry guidelines often govern data privacy and data protection initiatives, as well as regulatory requirements of various governing bodies and jurisdictions.

Data privacy is not a single concept or approach. Instead, it's a discipline involving rules, practices, guidelines and tools to help organizations establish and maintain required levels of privacy compliance. Data privacy is generally composed of the following six elements:

1. Legal framework. Prevailing legislation enacted and applied to data issues, such as data privacy laws.
2. Policies. Established business rules and policies to protect employees and user data privacy.
3. Practices. Best-practices put in place to guide IT infrastructure, data privacy and protection.
4. Third-party associations. Any third-party organizations, such as cloud service providers, that interact with data.
5. Data governance. Standards and practices used to store, secure, retain and access data.
6. Global requirements. Any differences or variations of data privacy and compliance requirements among legal jurisdictions around the world such as the U.S. and European Union (EU).

Data privacy is a subset of the broader data protection concept. It includes traditional data protection -- such as data backups and disaster recovery considerations -- and data security. The goal of data protection is to ensure the continued privacy and security of sensitive business data, while maintaining the availability, consistency and immutability of that data.

Why is data privacy important?

The importance of data privacy is directly related to the business value of data. The evolving data economy is driving businesses of all sizes to collect and store more data from more sources than ever before. Data is used for a range of business reasons, including the following:

• to identify customers, understand their needs and provide goods and services to them;
• to understand the business infrastructure, facilities and human behaviors based on data from networks and devices;
• to glean insight from databases and data sources; and
• to train machine learning and AI systems.

Data privacy is a discipline intended to keep data safe against improper access, theft or loss. It's vital to keep data confidential and secure by exercising sound data management and preventing unauthorized access that might result in data loss, alteration or theft.

For individuals, the exposure of personal data might lead to improper account charges, privacy intrusion or identity theft. For businesses, unauthorized access to sensitive data can expose intellectual property, trade secrets and confidential communications; it can also adversely affect the outcome of data analytics.

Data privacy lapses, also referred to as data breaches, can have a serious effect on all parties involved. Individuals affected by a data breach may find improper financial and credit activity in their name, compromised social media accounts and other issues. A business may face significant regulatory consequences, such as fines, lawsuits, and irreparable damage to their brand and reputation. With the integrity of its data compromised, a business may not be able to trust its data and need a response plan.

What are the laws of data privacy?

Regulatory legislation drives many data privacy practices because government entities recognize the potential negative effects of data breaches on citizens and the greater economy. Numerous laws require and enforce data privacy functions and capabilities.

In the U.S., laws and regulations concerning data privacy have been enacted in response to the needs of a particular industry or section of the population. Examples include:

• Children's Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids.
• Health Insurance Portability and Accountability Act (HIPAA) ensures patient confidentiality for all healthcare-related data.
• Electronic Communications Privacy Act (ECPA) extends government restrictions on wire taps to include transmission of electronic data.
• Video Privacy Protection Act (VPPA) prevents the wrongful disclosure of an individual's PII stemming from their rental or purchase of audiovisual material.
• Gramm-Leach-Bliley Act (GLBA) mandates how financial institutions must deal with the individual's private information.
• Fair Credit Reporting Act (FCRA) regulates the collection and use of credit information.

While some U.S. data protection laws are enacted at the federal level, states may also ratify and enact data privacy laws. Examples of state-level data privacy laws include the following:

• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• Virginia's Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• New York SHIELD Act
• Utah Consumer Privacy Act (UCPA)
• Connecticut Personal Data Privacy and Online Monitoring Act (CPDPA)

The EU has the General Data Protection Regulation (GDPR), which governs the collection, use, transmission and security of data collected from residents of its 27-member countries. GDPR regulates areas such an individual's ability to consent to provide data, how organizations must notify data subjects of breaches and individual's rights over the use of their data.

Data privacy vs. data security

Data privacy and data security are closely related ideas, but they aren't interchangeable.

• Data privacy focuses on issues related to collecting, storing and retaining data, as well as data transfers within applicable regulations and laws, such as GDPR and HIPAA.
• Data security is the protection of data against unauthorized access, loss or corruption throughout the data lifecycle. Data security can involve processes and practices, along with a variety of tools such as encryption, hashing and tokenization to guard data at rest and in motion.

Data privacy is a subset of data security. That is, data privacy can't exist without data security.

What are the challenges of data privacy?

Data privacy isn't easy or automatic, and many businesses struggle to meet requirements and counter threats in an ever-changing regulatory and security landscape. Some of the biggest data privacy challenges include the following:

• Privacy is an afterthought. Many businesses deal with data privacy long after implementing a business model and IT infrastructure, leaving business and technology leaders scrambling to understand and address complex requirements. Data privacy should be treated as a fundamental business goal, with policies, training, tools and IT infrastructure designed to meet privacy needs from the ground up.
• Poor data visibility. The old axiom, "you can't manage what you can't see," applies to data privacy. Organizations need a clear understanding what data is present, its level of sensitivity and where it's located. Only then can a business make decisions about security and data privacy.
• Too much data. A business can be responsible for managing petabytes of data comprising various files, databases and stores located across storage devices and cloud repositories. It's easy to lose track of data, allowing sensitive content to elude security, privacy and retention guidance. A business must have the right tools and policies to manage enormous and growing data volumes.
• More isn't always better. Businesses are starting to understand that data must have context and value -- retaining all data forever is expensive and presents storage, protection, attack and legal discovery risks. Modern businesses must set balanced data retention policies about the amount of data collected, its value to the business and what constitutes reasonable retention needs.
• Too many devices. Modern businesses must embrace remote access, wireless, bring-your-own device, IoT, smart device and other technologies. With all these moving pieces, it becomes harder to manage those devices while controlling data storage and access. Data privacy in this complex environment demands careful infrastructure management, strong access controls, comprehensive monitoring and well-considered data governance policies.
• Too many regulations. Any given business may be subject to data privacy regulations at various levels, including federal, state, province and industry. An enterprise that does business in another state, province or country is then subject to those prevailing controls, as well. New controls appear regularly, and they can change over time. This presents a vast, complex and fluid regulatory landscape.

What are the benefits of data privacy compliance?

Proper data privacy compliance can yield four major benefits for a business, including:

• Lower storage costs. Storing all data forever can be costly and risky. Companies that make rational decisions about what data to collect and store, and implement the minimum retention time for that data, reduce costs for primary and backup data storage.
• Better data use. Data is time-sensitive. A business making better data collection and retention decisions can benefit from timely and better-quality data -- which translates into more accurate and relevant analytical results.
• Better business reputation and brand. The reputation of a business can be as important as its product or service. A business that successfully adopts and adheres to data privacy practices can demonstrate care for customer data and data privacy, leading to a better reputation and a stronger brand. Conversely, a business that experiences a major data breach can suffer irreparable damage to its reputation and brand.
• Regulatory compliance. Proper data privacy compliance can protect a business from the litigation and fines that come with data privacy breaches.

Tips to protect data privacy

There are countless guidelines and tips that can apply to data privacy. For individuals, data privacy can be reinforced with safeguards and actions such as the following:

• select strong passwords and change them frequently;
• use multifactor authentication (MFA) or biometric identification for important accounts;
• don't click links and buttons within emails;
• avoid providing PII that's unnecessary or not required;
• use malware tools and keep those tools updated; and
• use only trusted apps and websites.

For businesses, privacy principles and guidelines are more extensive and complex, but they can include the following tactics:

• collect as little data as possible to accomplish a business task;
• require strong authentication and MFA, such as user passwords or app credentials for APIs;
• understand data sources, uses and storage locations;
• employ access monitoring and logging to track data access;
• use encryption and other security technologies to protect data at rest and in motion;
• back up data and test restoration;
• ensure any third-party storage providers, such as cloud storage providers, share data privacy requirements and techniques; and
• regularly educate employees, partners and customers about data privacy guidelines.

A business must also contend with privacy legislation and regulatory issues related to data storage and retention. All data privacy guidance should include a thorough understanding of regulatory requirements.

Data privacy is one of the most challenging areas of IT security many businesses have to contend with. Find out more about the top three data privacy challenges.