
Data Privacy

Privacy, in the broadest sense, is the right of individuals, groups, or organizations to control who can
access, observe, or use something they own, such as their bodies, property, ideas, data, or information.

Control is established through physical, social, or informational boundaries that help prevent unwanted
access, observation, or use. For example:

A physical boundary, such as a locked front door, helps prevent others from entering a building without
explicit permission in the form of a key to unlock the door or a person inside opening the door.

A social boundary, such as a members-only club, only allows members to access and use club resources.

An informational boundary, such as a non-disclosure agreement, restricts what information can be
disclosed to others.

The exponential growth of a global information economy, driven by new technologies and disruptive
business models, means that an ever-increasing amount of personal data is being collected, used,
exchanged, analyzed, retained, and in many cases monetized. It also means there are ever more
accidental or intentional data breaches, incorrect or lost data records, and data misuse incidents.

As a result, the demand for data privacy — the right to control how personal information is collected,
with whom it is shared, and how it is used, retained, or deleted — has grown, as has the demand for
data security.

Balancing the individual’s right to data privacy and an organization’s desire to use personal data for its
own purposes is challenging, but not impossible. It requires developing a data privacy framework.

Developing a Data Privacy Framework

Although there isn’t a “one-size-fits-all template” for a framework, there are several universal processes
that can help you develop one relevant to your business:

Discovering and classifying personal data — Determining what types of data are collected (e.g., medical,
financial, or personally identifying data such as Social Security numbers), where and how the data is
collected, where it is stored, who has access to it and where they are physically located, how data
flows within and across business units, and what data transfers occur within and between countries.

Conducting a Privacy Impact Assessment (PIA) — Determining how and where data is stored, backed up,
and disposed of, what data security measures are currently implemented, and where systems may be
vulnerable to a data privacy breach. Examples of data security measures include the following:

Change management — Monitors, logs, and reports on data structure changes. Shows compliance
auditors that changes to the database can be traced to accepted change tickets.
Data loss prevention — Monitors and protects data in motion on networks, at rest in data storage, or in
use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests,
and unusual activity to prevent data theft.

Data masking — Anonymizes data via encryption/hashing, generalization, perturbation, etc.
Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational
and statistical accuracy. Note that hashing a low-entropy identifier such as a Social Security number or
ZIP code without a secret key is reversible by enumerating the possible inputs, so it pseudonymizes
rather than anonymizes.

Data protection — Ensures data integrity and confidentiality through change control reconciliation, data-
across-borders controls, query whitelisting, etc.

Ethical walls — Maintains strict separation between business groups to comply with M&A requirements,
government clearance, etc.

Privileged user monitoring — Monitors privileged user database access and activities. Blocks access or
activity, if necessary.

Secure audit trail archiving — Secures the audit trail from tampering, modification, or deletion, and
provides forensic visibility.

Sensitive data access auditing — Monitors access to and changes of data protected by law, compliance
regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an
audit trail for forensics.

User rights management — Identifies excessive, inappropriate, and unused privileges.

User tracking — Maps the web application end user to the shared application/database user and then to
the final data accessed.

VIP data privacy — Maintains strict access control on highly sensitive data, including data stored in multi-
tier enterprise applications such as SAP and PeopleSoft.

Understanding marketing issues — Determining cross-border marketing issues (e.g., whether products or
services are directly marketed to residents of other countries, the language used on a website, or the
deployment of mobile applications), and third-party marketing issues (e.g., sharing of information for
marketing purposes).

Analyzing compliance requirements — Determining applicable compliance requirements, based on the
results gathered in understanding the personal data and conducting a PIA.

Legislative Regulations — State, country, or governmental agency laws regulating personal data
collection, use, storage, transport, and protection. Examples include the General Data Protection
Regulation (GDPR — European Union), the Personal Information Protection and Electronic Documents Act
(PIPEDA — Canada), the Information Technology Act 2000 (ITA — India), and the Privacy Act 2020 (New
Zealand, which replaced the Privacy Act 1993).

Industry-specific Regulations — Laws or mandates defining how a specific industry, type of business, or
government agency will treat and secure personal data. Examples include the Health Insurance Portability
and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health
(HITECH) Act, and the Payment Card Industry Data Security Standard (PCI DSS).

Third-Party Obligations — Agreements among business partners defining how a contractor, vendor, or
other external agency will treat and secure personal data collected by the ‘parent’ organization. For
example, an agency located in India providing credit card services for a U.S.-based vendor must observe
PCI DSS data protection requirements.

Developing privacy policies and internal controls — Creating external privacy statements (e.g., website,
mobile app, and offline privacy policies); internal and external privacy policies and procedures related to
data governance, data privacy and security breaches; and data privacy training.
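The discovery and classification step and the data masking measure above are the two places where this framework turns into code. The following Python script is an added example, not code from the original page or from any product it mentions. It classifies the fields of two constructed sample records by content (the structural rules the SSA applies to Social Security numbers, a Luhn check for card numbers) and, as a fallback, by column name, then masks each class with keyed pseudonymization (HMAC-SHA256), generalization (ten-year age band, ZIP3) or truncation. It also shows why an unkeyed hash is pseudonymization at best: a hashed ZIP code is recovered by enumerating all 100,000 possible values. The record layout, the key, the `masked.invalid` placeholder domain and the reference date are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date
from typing import Dict, Optional

# Constructed sample records, not data from the original page. Bob's SSN and card number are
# deliberately malformed: structural checks must reject what a bare digit-pattern regex accepts.
RECORDS = [
    {"name": "Alice Example", "ssn": "219-09-9999", "card": "4111 1111 1111 1111",
     "dob": "1984-06-02", "zip": "02139", "email": "alice@example.com"},
    {"name": "Bob Sample", "ssn": "000-12-3456", "card": "1234 5678 9012 3456",
     "dob": "1990-11-30", "zip": "10001", "email": "bob@example.org"},
]
AS_OF = date(2024, 7, 1)  # fixed reference date so age bands are reproducible
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
FIELD_HINTS = {"name": "NAME", "zip": "ZIP"}  # column-name discovery for unstructured fields


def is_ssn(value: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(record: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Discovery: label each field by content first, then by column name (None = unknown)."""
    classes = {}
    for field, value in record.items():
        if is_ssn(value):
            classes[field] = "SSN"
        elif CARD_RE.match(value) and luhn_ok(re.sub(r"[ -]", "", value)):
            classes[field] = "PAN"  # primary account number, i.e. PCI DSS scope
        elif EMAIL_RE.match(value):
            classes[field] = "EMAIL"
        elif re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
            classes[field] = "DOB"
        else:
            classes[field] = FIELD_HINTS.get(field)
    return classes


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens (joins still work), but
    without the key the token cannot be reversed by enumerating candidate inputs."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, as_of: date) -> str:
    """Generalisation: an exact birth date becomes a ten-year age band."""
    y, m, d = (int(x) for x in dob.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    return f"{age // 10 * 10}-{age // 10 * 10 + 9}"


def mask_record(record: Dict[str, str], key: bytes, as_of: date) -> Dict[str, str]:
    """One masking rule per data class; unclassified fields pass through unchanged."""
    classes, out = classify(record), {}
    for field, value in record.items():
        cls = classes[field]
        if cls in ("SSN", "NAME"):
            out[field] = pseudonymize(value, key)
        elif cls == "EMAIL":
            out[field] = pseudonymize(value, key) + "@masked.invalid"  # assumed placeholder domain
        elif cls == "PAN":
            out[field] = "**** **** **** " + re.sub(r"[ -]", "", value)[-4:]  # truncation
        elif cls == "DOB":
            out[field] = age_band(value, as_of)
        elif cls == "ZIP":
            out[field] = value[:3] + "XX"  # ZIP3 generalisation
        else:
            out[field] = value
    return out


def unkeyed_hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()  # the naive "anonymisation"


def reverse_unkeyed_zip_hash(digest: str) -> Optional[str]:
    """Only 100,000 five-digit ZIPs exist, so an unkeyed hash of one falls to enumeration
    in a fraction of a second; the 10^9 SSN space is still feasible offline."""
    for n in range(100000):
        if unkeyed_hash(f"{n:05d}") == digest:
            return f"{n:05d}"
    return None


if __name__ == "__main__":
    for rec in RECORDS:  # assumption: the real HMAC key is fetched from a KMS/HSM, not hard-coded
        print(classify(rec), mask_record(rec, b"example-key-only", AS_OF), sep="\n")
```

Two design points worth noting. The HMAC token is deterministic on purpose, so a pseudonymized dataset can still be joined on the token; rotating the key breaks that linkage, which is the control you want when a dataset is shared with a third party. And content-based detection only catches fields with checkable structure; free-text names are found here only by column name, which is why real discovery tools combine pattern matching, column metadata and sampling rather than relying on any one of them.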
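Sensitive data access auditing, privileged user monitoring, user tracking and change management are listed above as monitoring measures without showing what the detection actually looks like. The following Python script is an added example, not code from the page or from any vendor: it runs those four checks over a handful of constructed database audit lines. The line format, the column-to-data-class table, the entitlement table and the `CHG-` ticket convention are assumptions standing in for a database's audit facility, a data catalogue, the IAM system and the change-management tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed audit lines in an assumed format (no vendor's). Each carries the shared
# database login (db_user), the end user the application mapped onto it (app_user, "-"
# for direct DBA sessions), the row count and the statement: the pieces user tracking
# needs to attribute a query to a person and to the data it touched.
AUDIT_LOG = """\
2024-03-04T09:12:01Z db_user=app_svc app_user=alice@corp.example rows=1 stmt="SELECT name, email FROM customers WHERE id = 42"
2024-03-04T09:12:07Z db_user=app_svc app_user=alice@corp.example rows=1 stmt="SELECT ssn FROM customers WHERE id = 42"
2024-03-04T09:15:44Z db_user=app_svc app_user=bob@corp.example rows=250000 stmt="SELECT ssn, card_pan FROM customers"
2024-03-04T23:40:10Z db_user=dba_admin app_user=- rows=3 stmt="SELECT ssn FROM customers WHERE id IN (1, 2, 3)"
2024-03-04T23:41:02Z db_user=dba_admin app_user=- rows=0 stmt="ALTER TABLE customers ADD COLUMN notes TEXT"
2024-03-04T23:45:30Z db_user=dba_admin app_user=- rows=0 stmt="ALTER TABLE customers DROP COLUMN legacy_id /* CHG-1234 */"
"""

# Assumptions standing in for a real data catalogue, IAM entitlements and change tool.
SENSITIVE_COLUMNS = {"ssn": "SSN", "card_pan": "PAN", "diagnosis": "PHI"}
ENTITLEMENTS = {"alice@corp.example": {"SSN"}, "bob@corp.example": set()}
BULK_THRESHOLD = 1000
TICKET_RE = re.compile(r"\bCHG-\d+\b")
LINE_RE = re.compile(
    r'^(?P<ts>\S+) db_user=(?P<db_user>\S+) app_user=(?P<app_user>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    db_user: str
    app_user: Optional[str]  # None when nobody was mapped, i.e. a direct privileged session
    rows: int
    stmt: str

    def touched_classes(self) -> Set[str]:
        """Data classes referenced by the statement, resolved by column name."""
        tokens = set(re.findall(r"[a-z_]+", self.stmt.lower()))
        return {cls for col, cls in SENSITIVE_COLUMNS.items() if col in tokens}

    def is_ddl(self) -> bool:
        return self.stmt.upper().startswith(("ALTER ", "CREATE ", "DROP "))


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    app_user = None if m["app_user"] == "-" else m["app_user"]
    return Event(m["ts"], m["db_user"], app_user, int(m["rows"]), m["stmt"])


def detect(events: List[Event]) -> List[Tuple]:
    """Each alert is (timestamp, rule, principal, detail)."""
    alerts = []
    for e in events:
        classes = e.touched_classes()
        if classes and e.app_user is None:
            # Privileged user monitoring: a DBA reading regulated columns outside any
            # application context is exactly the access that needs review.
            alerts.append((e.ts, "PRIVILEGED_DIRECT_ACCESS", e.db_user, sorted(classes)))
        elif classes:
            # Sensitive data access auditing, checked against the end user's entitlements,
            # not the shared db_user's; that is what the app_user mapping is for.
            missing = classes - ENTITLEMENTS.get(e.app_user, set())
            if missing:
                alerts.append((e.ts, "UNAUTHORIZED_SENSITIVE_READ", e.app_user, sorted(missing)))
        if classes and e.rows >= BULK_THRESHOLD:
            alerts.append((e.ts, "BULK_SENSITIVE_READ", e.app_user or e.db_user, e.rows))
        if e.is_ddl() and not TICKET_RE.search(e.stmt):
            # Change management: a schema change that cites no approved change ticket.
            alerts.append((e.ts, "UNTICKETED_SCHEMA_CHANGE", e.db_user, e.stmt))
    return alerts


def run(log_text: str = AUDIT_LOG) -> List[Tuple]:
    return detect([parse_line(l) for l in log_text.splitlines() if l.strip()])


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the sample log this raises four alerts: Bob's read of `ssn` and `card_pan` is both unauthorized and bulk, the DBA's direct read of `ssn` is flagged for review, and the first `ALTER TABLE` has no ticket reference while the second does. Two caveats apply in practice. Resolving data classes by column name misses `SELECT *`, views and stored procedures, so production tooling either parses the SQL against the schema or uses the database's own column-level audit facility. And the `app_user` field only exists if the application sets it (for example through a session variable) on every request; without that, the shared service account hides the end user and user tracking is impossible.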


Data Privacy: Definition, Explanation and Guide

Data privacy, or information privacy, is the discipline concerned with the proper handling of personal
data: consent, notice, and regulatory obligations. It sits alongside data security rather than inside it
(see Data Privacy vs. Data Security below). More specifically, practical data privacy concerns often
revolve around:

Whether or how data is shared with third parties.

How data is legally collected or stored.

Regulatory restrictions such as GDPR, HIPAA, GLBA, or CCPA.

Why is Data Privacy Important?


There are two reasons why data privacy is one of the most significant issues in the industry.

First, data is one of the most important assets a company has. With the rise of the data economy,
companies find enormous value in collecting, sharing and using data. Companies such as Google, Facebook,
and Amazon have all built empires atop the data economy. Transparency in how businesses request consent,
abide by their privacy policies, and manage the data that they have collected is vital to building trust and
accountability with customers and partners who expect privacy. Many companies have learned the
importance of privacy the hard way, through highly publicized privacy failures.

Second, privacy is the right of an individual to be free from uninvited surveillance. To safely exist in one’s
space and freely express one’s opinion behind closed doors is critical to living in a democratic society.

“Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and
solitude,” says Dr. Ann Cavoukian, former Information & Privacy Commissioner of Ontario, Canada.

Dr. Cavoukian knows a thing or two about data privacy. She is best known for her leadership in the
development of Privacy by Design (PbD), which now serves as a cornerstone of many data protection
regulations, including the EU General Data Protection Regulation, whose Article 25 requires data
protection by design and by default.

Data Privacy vs. Data Security

Organizations commonly believe that keeping sensitive data secure from hackers means they’re
automatically compliant with data privacy regulations. This is not the case.

Data security and data privacy are often used interchangeably, but there are distinct differences:

Data Security protects data from compromise by external attackers and malicious insiders.

Data Privacy governs how data is collected, shared and used.

Consider a scenario where you’ve gone to great lengths to secure personally identifiable information
(PII). The data is encrypted, access is restricted, and multiple overlapping monitoring systems are in
place. However, if that PII was collected without proper consent, you could be violating a data privacy
regulation even though the data is secure.
Data Privacy Cannot Exist Without Data Protection

While you can have data protection without data privacy, you cannot have data privacy without data
protection.

Ensuring data privacy means that you are not the creepy company that greedily collects all of your
customers' personal data, whether through passive location tracking, apps secretly absorbing your
personal address book, or websites recording your every keystroke.

It also means employees are regularly trained on data protection, so they understand the processes and
procedures needed to ensure proper collection, sharing, and use of sensitive data.

Information privacy also includes the regulations that require companies to protect data. As data
protection regulation grows worldwide, global privacy requirements and demands will also expand and
change. The one constant is adequate data protection: it is the best way to ensure that companies both
comply with the law and honor information privacy.

What is data privacy?

Data privacy relates to how a piece of information—or data—should be handled based on its relative
importance. For instance, you likely wouldn’t mind sharing your name with a stranger in the process of
introducing yourself, but there’s other information you wouldn’t share, at least not until you become
more acquainted with that person. Open a new bank account, though, and you’ll probably be asked to
share a tremendous amount of personal information, well beyond your name.

In the digital age, we typically apply the concept of data privacy to critical personal information, also
known as personally identifiable information (PII) and, for health data, protected health information
(PHI), the term HIPAA uses. This can include Social Security numbers, health and medical records,
financial data, including bank account and credit card numbers, and even basic, but still sensitive,
information, such as full names, addresses and birthdates. The list of personal information can be pretty
extensive.

For a business, data privacy goes beyond the PII of its employees and customers. It also includes the
information that helps the company operate, whether it’s proprietary research and development data or
financial information that shows how it’s spending and investing its money.
Why is data privacy important?

When data that should be kept private gets in the wrong hands, bad things can happen. A data breach at
a government agency can, for example, put top secret information in the hands of an enemy state. A
breach at a corporation can put proprietary data in the hands of a competitor. A breach at a school could
put students’ PII in the hands of criminals who could commit identity theft. A breach at a hospital or
doctor’s office can put PHI in the hands of those who might misuse it.

5 simple tips to help protect your personal data

Since data privacy is such a prevalent issue, many government organizations and corporations spend
millions of dollars each year to help protect their data—which could include your PII—from exposure.
The average consumer probably doesn’t have that kind of money to spend. But there are inexpensive
steps you can take to help protect your data. Here are a few suggestions:

At home, use a mail slot or locking mailbox, so that thieves can’t steal your mail.

Before discarding, shred documents, including receipts and bank and credit card statements, that
contain personal information.

Make sure to secure your home Wi-Fi network and other devices so that criminals can't "eavesdrop" on
your online activity: use WPA2 or WPA3 with a strong passphrase, change the router's default
administrator password, and keep its firmware updated.

Don’t automatically provide your Social Security number just because someone asks for it. Determine if
they really need it and, if so, ask how they’ll help protect it.

Use strong, unique passwords for all of your online accounts (a password manager makes this practical),
and turn on multi-factor authentication wherever it is offered.
