Article

What is data privacy?

ComplianceSecurity
Time to read: 9 minutes

Data privacy is broadly considered to be the concept that personal information should not be shared without permission. When a data privacy rule is in place, individuals determine when, how, and to what extent their personal information can be shared.

Personal information encompasses a wide range of data, including a person’s name, address, phone number, email, Social Security Number, financial information, health or school records, and details related to their behavior and activities they engage in and any details related to their behavior.

Definition of data privacy

Data privacy, sometimes also referred to as information privacy, is a subset of data protection that focuses on maintaining the confidentiality, integrity, and accuracy of personal data as well as data that organizations depend on to operate (e.g., trade secrets, sales and marketing plans, and financial information). In practice, most work related to data privacy is driven by data privacy compliance requirements set forth by organizations and governments, such as those outlined below.

Data privacy processes and programs keep personal and sensitive information safe from:

  1. Alteration
  2. Improper access
  3. Loss
  4. Theft

The discipline of data privacy is comprised of a variety of elements, including:

  1. Data governance—provides standards and practices that direct how personal and sensitive information is collected, stored, secured, accessed, and used
  2. Legal frameworks—created by various entities and enforced with data privacy laws
  3. Policies—put in place by organizations to ensure that data privacy requirements are met for information that they collect, store, and process
  4. Practices—established best practices that guide how IT infrastructure and data security systems are implemented and used
  5. Third-party management protocols—used to direct how third-party organizations (e.g., vendors, service providers, and contractors) handle personal and sensitive information

Why data privacy is important

Aside from being a legal requirement, there are many reasons that data privacy is important, including the following.

Lowers data storage expenses

A key part of data privacy is data minimization and erasure. When data is no longer needed, it is eliminated, which reduces the operational burden and expense of storing it.

Prevents identity theft

It only takes a few key pieces of personal information to commit identity theft. The data protection systems and processes that accompany data privacy help minimize the risk of identity theft.

Mitigates misuse of personal and sensitive information

Without data privacy protections, personal and sensitive information can be misused, such as:

  1. Criminals can use personal data to commit thefts in a variety of ways (e.g., withdraw funds from bank accounts, use credit cards, or commit identity theft)
  2. Individuals’ activities can be tracked and monitored without their consent
  3. Personal data can be sold to third parties and advertisers without users’ consent, resulting in unwanted solicitations and marketing messages

Protects consumer and brand reputations

Data privacy is among the consumer protections that individuals expect. Policies, programs, and processes to support data privacy ensure this important consumer protection is in place. This also bolsters brand reputations by showing a commitment to taking individuals’ rights to privacy seriously.

Reduces the efficacy and impact of data breaches

The data protections that come with data privacy help prevent a data breach from happening, and if it is successful, information cannot be accessed.

Support business operations

When information is used within the confines of data privacy rules, businesses can leverage it in a number of positive ways, such as:

  1. Gain insights from data sets based on customers’ and prospective customers’ demographics and behaviors
  2. Identifying potential customers
  3. Understand customers’ needs and provide goods and services to meet them
  4. Use individuals’ information to train machine learning (ML) and artificial intelligence (AI) systems

Underpins the data economy

Data privacy assurances are critical for organizations that depend on collecting, sharing, and using data about customers or users. Many applications, social media platforms, and websites need to collect and store personal data about users to provide services.

Laws that govern data privacy

United States data privacy laws

Federal data privacy laws include:

  1. Health Insurance Portability and Accountability Act (HIPAA)—governs how personal healthcare data must be handled.
  2. Children’s Online Privacy Protection Act (COPPA)—restricts what information websites can collect from children under 13.
  3. Electronic Communications Privacy Act (ECPA)—extends government restrictions on wiretaps to include other electronic data.
  4. Video Privacy Protection Act (VPPA)—prevents unauthorized disclosure of personal information derived from the rental or purchase of audiovisual content.
  5. Gramm-Leach-Bliley Act (GLBA)—mandates how financial institutions handle individual’s personal information.
  6. Fair Credit Reporting Act (FCRA)—regulates the collection and use of individuals’ credit-related information.
  7. Federal Trade Commission (FTC) Act—includes provisions for the enforcement of data privacy laws.
  8. Family Educational Rights and Privacy Act (FERPA)—restricts access to educational information and records.

Several states have enacted data privacy laws, including:

  1. California Consumer Privacy Act (CCPA)
  2. California Privacy Rights Act (CPRA)
  3. Colorado Privacy Act (CPA)
  4. New York SHIELD Act
  5. Utah Consumer Privacy Act (UCPA)
  6. Virginia’s Consumer Data Protection Act (VCDPA)

International data privacy laws

Most countries have enacted data privacy laws. Examples of these laws include:

  1. General Data Protection Regulation (GDPR)
  2. Personal Information Protection Electronic Documents Act (PIPEDA)
  3. Personal Data Protection Act (PDPA)
  4. The Privacy Act of 1974
  5. Lei Geral de Proteção de Dados (LGPD)
  6. Personal Information Protection Law (PIPL)
  7. Protection of Personal Information Act (PoPIA)

What are fair information practices?

Many data privacy rules and laws are based on the principles and practices outlined in the Fair Information Practices adopted by the Organization for Economic Cooperation and Development (OECD) in its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

This international organization’s practices provide guidelines for data collection and usage. The eight principles that make up the Fair Information Practices are as follows.

  1. Accountability
    A data controller should be accountable for complying with measures that affect the Fair Information Practices principles.
  2. Collection limitation
    There should be limits to the collection of personal data, and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  3. Data quality
    Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.
  4. Individual participation
    An individual should have the right:
  5. Openness
    There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available to establish the existence and nature of personal data, the main purposes of their use, and the identity and usual residence of the data controller.
  6. Purpose specification
    The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use is limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  7. Security safeguards
    Reasonable security safeguards should protect personal data against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
  8. Use limitation
    Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except with the consent of the data subject or by the authority of law.
  9. To obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
  10. To have communicated to them data relating to him within a reasonable time, at a charge, if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to him;
  11. To be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
  12. To challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.

Data privacy challenges for the enterprise

Despite the many tools available, data privacy remains a challenge. Among the issues that enterprises must address concerning meeting data privacy requirements are:

  1. Complex web of data privacy rules and regulations
  2. Difficulty determining which data should be retained and which data should be eliminated
  3. Lack of control over third-party data sharing
  4. Poor visibility into sprawling data stores and devices
  5. Unwieldy volumes of data

Technologies that support data privacy

Many technology solutions are available to support data privacy initiatives, including:

  1. Anti-virus and anti-malware software
  2. Automated data discovery, mapping, and classification tools
  3. Data loss prevention (DLP)
  4. Device management and mobile device management solutions
  5. Encryption solutions, such as symmetric encryption, asymmetric encryption, and end-to-end encryption
  6. Endpoint protection systems
  7. Firewalls
  8. Identity and access management
  9. Multi-factor authentication, role-based access controls, and privileged access management
  10. Intrusion detection and prevention solutions

Data privacy matters

Data privacy is considered a human right by most governments. Beyond compliance requirements, organizations need to protect data privacy to meet the expectations of the individuals who engage with them.

Unleash the power of unified identity security.

Centralized control. Enterprise scale.

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief