Data Privacy: Regulations, Tips, and Compliance
A quick data privacy definition might sound something like this: Data privacy involves ensuring that your information is collected with your consent and used in ways you are aware of and approve of.
While the definition is simple, implementation is not. Plenty of companies want to ensure data privacy, but they don’t have the tools, policies, and procedures to do so.
Let’s dig into what data privacy really involves and how you can provide it for your customers.
What is information privacy?
< Companies collect your data with your consent, and they use it in a manner you've approved. No unauthorized person can see or use your information. If you're handling both of these tasks, you are ensuring data privacy.
Data privacy is critical for modern businesses, as almost any company collects data. You know when customers come to your website, you track people that buy your products, you ask your buyers to give you credit card data, and you collect a lot of information about your employees. Abuse your customers and staff by sharing their information widely, and the consequences could be severe.
Ask Google. Data is the company's major asset, and insights have been sold to the highest bidder for decades. Now, in 2021, when Google wants to try something new and stop sharing private data, reporters don't believe them. Some consumers don't either.
Your legislative environment could compel you to embrace information privacy too. Disobey laws, and you could be forced to pay steep fines.
Data privacy is often confused with data security. While the two concepts are related, they aren't synonymous. Data security involves protecting sensitive information you've stored in your system. Data privacy involves crafting and enforcing rules about who has access to the data you've stored.
Let's give a few examples.
- Data security breach: Between 2014 and 2018, hackers were buried deep inside Marriott International web servers. They stole a great deal of information, including credit card numbers, while they were inside.
- Data privacy breach: Cambridge Analytica built a personality quiz app for Facebook, and people were encouraged to take it to find out more about their personality profiles. Quiz takers also gave the company access to their profile information and friends lists. Some friends also had data exposed.
Poor data security policies can lead to data privacy issues. But you can violate privacy even if no one ever steals data you’ve stored.
Do consumers have data privacy rights?
We've mentioned legislation already, and that's intentional. Many companies weren't concerned with data privacy until laws made them snap to attention. These rules ensure that consumers have a say in data collection, and they can take action if their rights are violated.
Data privacy legislation includes:
- HIPAA. The Privacy Rule included in this legislation protects healthcare-related data, including patient names, ages, conditions, and more.
- General Data Protection Regulation. This European legislation covers collection, use, storage, and transfer of information about European individuals, no matter where they live.
- California Consumer Privacy Act. California consumers, no matter where they are, have the right to know about the data a company collects. Consumers can also opt out of data collection and ask companies to delete information about them.
Some companies have compliance officers who comb through the rules and ensure everyone is playing along. That's a smart move, as these laws are complex and notoriously hard for companies to follow.
Common data privacy risks
Could you be violating expectations about data privacy? Many companies do, and they may not be aware of it.
You could face an issue if you:
- Collect too much data. Companies use less than half of the data they collect. If you're grabbing all sorts of metrics and you can't explain why you're doing so, you could be in trouble.
- Don't train your staff. Does everyone know the risks involved with downloading data and taking it home? Do your staffers routinely email sensitive information to one another?
- Don't craft data rules. Where is information stored? How often is it purged? Who can see it? Who can modify it? Who can download it?
- Put no one in charge. "Most companies" employ a chief privacy officer, experts say, but it's difficult to find hard numbers. It’s likely some companies lean on IT to protect data. If you have no idea who is working on your data, you could be in trouble.
- Don’t disclose data use. Have you collected information in the past you’re using in new ways now? Did you tell everyone about that?
You may face other data privacy problems we haven’t listed here. Assessments can help you spot them.
Data privacy tips
The best way to ensure information privacy is to walk through the risks we've outlined and address them. But you have more homework to do.
Smart companies will also:
- Update software. Let WannaCry prompt you. Companies that updated their software were protected from the devastation of a ransomware attack. Those that didn't were vulnerable. Make sure you've deployed all security patches.
- Perform routine assessments. Even if you're not working in a regulatory environment that demands reports, fill them out. Walk through all of your processes and lock down leaks.
- Watch closely. Know what's happening on your site and in your databases. Act on breaches quickly.
Partner with a company like Okta to protect your data. We use the zero trust model to ensure that data gets used by people who need it, and it's protected from those that don't. Find out more about how that approach works here.
References
Google Says It Won't Build Backdoors Into Its Privacy Sandbox for Gathering User Data. (May 2021). Plugged.
The 15 Biggest Data Breaches of the 21st Century. (January 2021). CSO.
Facebook Data Privacy Scandal: A Cheat Sheet. (July 2020). TechRepublic.
Your Rights Under HIPAA. U.S. Department of Health and Human Services.
California Consumer Privacy Act. State of California Department of Justice.
Companies Collect a Lot of Data, But How Much Do They Actually Use? (August 2019). Priceonomics.
The Chief Privacy Officer: The New 'Must Have.' (December 2018). ACC Docket.
The Petya Ransomware Attack Shows How Many People Still Don't Install Software Updates. (June 2017). The Conversation.