Data Privacy Definition
In an age where personal data is stored across numerous organisations, regulation standards dictate the way organisations can use, collect, store, and distribute this data. Data privacy regulations aim to protect customer data from unethical use and distribution to third parties. Some regulations require organisations to notify users of any data breaches and provide publicly available documentation telling customers how their data will be used and collected.
Why is Data Privacy Important?
Personally identifiable information (PII) includes any information that can be used to identify an individual consumer or corporate customer. This information includes name, address, social security number, credit card data, date of birth, and several other personal data points. Organisations that collect this information must store it ethically and carefully set authorisation rules when the data is shared with employees, vendors, contractors, and third-party applications. Consumer data privacy regulations ensure that organisations follow strict rules when collecting and sharing private information of their customers, or they might face hefty fines for violations.
Protecting user data from theft and misuse helps reduce identity theft and fraudulent activity. Data privacy also provides users with information on ways their data will be shared and collected to make intelligent decisions on whether they want an organisation to have their information. Certain compliance regulations such as GDPR (General Data Protection Regulation) require organisations to remove data if a consumer requests its deletion from the system.
Data security and privacy work together to protect consumer information. The security behind data protection determines the tools and authorisation procedures that allow access. Data privacy pinpoints critically important data and why this data is sensitive. Without data privacy, organisations could sell data to a third party for a profit without regard to the person receiving the data or consent from the data owner. Compliance regulations put the responsibility on the organisations so that users have a legal right to their own information and have some control over the way a third party can use it.
Data Privacy vs. Data Security
Although data privacy and data security work together, they are two entirely different focuses. Convincing customers to send data to an organisation requires trust. To preserve customer trust, organisations must take data privacy seriously and keep it a primary focus of customer service and data management. After a data breach, loss of trust is one of the major residual effects in the aftermath that can create extensive revenue loss as customers find a different provider or no longer purchase a product from the company.
Data security involves procedures, tools, software, authorisation, auditing, and user information monitoring. Privacy is conceptual, while data security involves the actions used to preserve data privacy. Organisations keep their data security strategies private as it adds a level of defence against attackers, but data privacy presumes a level of transparency. Data privacy requires data security, but data security does not always mean that data privacy is a concern for the organisation.
Another element common to data privacy and security is compliance. Compliance regulations often determine the way organisations deploy data security. For instance, compliance regulations such as HIPAA (Health Insurance Portability and Accountability Act) require audit trails on every access request for private user data. If organisations fail to track access, they could face hefty fines for violations. GDPR requires that organisations have tools to remove data from their system upon user request.
Data Protection Rights
User rights around data protection are determined by the country the consumer is located. For example, the General Data Protection Regulation (GDPR) is a European Union (EU) ruling that took effect in 2018. The California Consumer Privacy Act (CCPA) of 2020 is similar to GDPR, but it's specific to the way businesses store and share California resident data. Defining compliance regulations that oversee the business is key to understanding data protection rights. Some compliance regulations are specific to the type of data stored. For example, the Health Insurance Portability and Accountability Act (HIPAA) defines data protection rights for patients and provides guidance and healthcare cybersecurity standards for providers, hospitals, and any other organisation that stores and collects patient information.
Although data protection rights differ by location and the compliance regulations overseeing security, all data privacy laws aim for similar goals. A few goals include:
- Consent: Users must give consent before organisations can distribute, consent with a third party, or share their information.
- Legal obligations: Rules and regulations define legal repercussions and requirements of organisations that handle data set by regional and country-specific laws.
- Exercising rights: Users have defined ways to exercise their rights. For example, they must have the option for personal data removal using specified channels of communication.
- Interests: The top priority in data privacy is the consumer's interest, which the organisation is responsible for preserving.
Important Data Privacy Laws
No single law oversees data privacy. Instead, a collection of laws and frameworks depending on the type of data stored (in some cases) and the organisation’s location are determinants of data privacy laws. Here are a few of the most common data privacy laws:
- California Consumer Privacy Act (CCPA): CCPA went into effect on January 1, 2020, and oversees the way businesses handle California resident data. California residents have the right to know the ways corporations collect data, and it allows them to access and remove data from the corporate systems.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law that defines the way organisations store, secure, share, transfer, and audit patient information. It affects mainly healthcare providers and hospitals, but even ecommerce and other businesses that store patient information must apply HIPAA regulations to security controls.
- Children’s Online Privacy Protection Act (COPPA): COPPA is an older law enacted in 2000 that defined the way businesses collect and share children’s information. Organisations that handle data for children under twelve must protect their screen names, email addresses, chat names, photographs, audio files, and geolocation coordinates.
- PCI-DSS: Any retailer or organisation that stores consumer financial and credit card data must follow PCI-DSS regulations. This compliance standard focuses on protecting user payment information to stop fraud and identity theft. Both large and small organisations, including online stores, must follow PCI-DSS regulations to store financial data on consumers.
Aside from CCPA, the above data privacy laws cover federal regulations, but several other laws are set forth by individual states. Several US states have their own regulations that oversee the way US businesses store state resident information. California, New York, Maryland, Massachusetts, Hawaii, and North Dakota have laws that regulate the way their consumer data is stored and shared. For example, the New York SHIELD Act aims to improve data security by enforcing stronger cybersecurity requirements on companies that store New York resident data.
International Data Privacy
Organisations that work with international user data have the added overhead of complying with laws affecting European residents. While two primary privacy laws are the main concerns for US companies, the following two privacy regulations concern EU resident data:
- The Cookie Law: Cookies are small files stored on a user’s device to save website information. This information could be sent to third-party entities or disclosed should the device be stolen. The Cookie Law requires user consent before a website can store a cookie on the user’s device.
- General Data Protection Regulation (GDPR): GDPR is one of the strictest data privacy laws governing EU resident data. Organisations that violate GDPR face potentially millions in fines and penalties. GDPR oversees data privacy, data security, accountability for organisations, and the penalties for violations. Organisations that store EU consumer data must ensure that they publish how user data is stored, shared, and collected and offer an easy way for users to have their data removed from the corporate system.
Reducing Costs and Improving Visibility with Proofpoint Modern Compliance
The next generation of archiving is here. Proofpoint data archiving solutions offers modern compliance that makes it easy for you to manage information risk.
Webinar: Regulatory Compliance Training
Regulated organisations must retain all communications for compliance. Learn to capture and manage the data in our regulatory compliance archiving webinar.
Learn about Proofpoint Next Generation Compliance Solutions
Data growth is infinite. How can IT and legal teams keep up? Manage risk with a modern archiving and compliance solution.