Data Privacy and its Importance
Data privacy has always been important. Every company holds data, from financial records and payment details to contact information for employees and customers. Employees rely on this data to make decisions and to deliver quality products and services. In fact, data is one of the most valuable assets a company has, and for that reason alone data privacy is taking on greater importance. Protecting it means maintaining the Confidentiality, Integrity, and Availability of the data. (Please refer: http://www.qualitians.com/cia-confidentiality-integrity-availability/)
Data privacy relates to the collection and dissemination of data, and to how a piece of information should be handled based on its sensitivity. Data privacy is also called data protection or information privacy. The challenge of data privacy is to make use of data while respecting an individual’s privacy preferences and protecting their personally identifiable information.
For example, you would not mind telling a stranger your name, but you would not share sensitive personal information until you had become better acquainted with that person. On the other hand, you will probably hand over a great deal of personal information, such as your name, address and contact details, to open a new bank account, because you trust the bank and its processes.
The concept of data privacy typically applies to personally identifiable information (PII) and protected health information (PHI), together often referred to as sensitive personal information. This can include financial records such as bank account and credit card numbers, health and medical records, Social Security numbers, passport numbers, and so on.
For a business, data privacy is not just the privacy of its employees’ and customers’ PII. It also covers research and development data, confidential reports, business strategies, and the financial information that keeps the company operating.
Bad things can happen if confidential or critical data gets into the wrong hands. A breach at a hospital can put PHI in the hands of people who might misuse it. A breach at a bank can expose financial data to people who might make unauthorized use of credit cards. A breach at a company can put proprietary data in the hands of a competitor. A breach at a school or college could put students’ PII in the hands of criminals who could commit identity theft.
What data needs to be protected?
Key pieces of information that businesses commonly store or process, whether financial information, customer details or employee records, need to be protected from misuse by others. This data contains personally identifiable information (PII) and protected health information (PHI) relating to staff and their families, business partners, clients and customers. Common data fields are names, contact details, postal addresses, email addresses, credit and debit card numbers, financial history, health information, IP addresses, and so on.
Businesses are required to adhere to the principles of the data protection laws that apply to them in order to protect all of this information.
Data Privacy Acts and Laws
New data privacy laws, rules and regulations (GDPR, HIPAA, CCPA, etc.) are taking effect across the globe to regulate the collection, use, sharing, retention, disclosure and disposal of personal information. At the same time, the number of data breaches and cyber-attacks keeps growing. It is therefore very important to understand individuals’ rights, and organizations’ obligations, with respect to personal data.
The European Union’s General Data Protection Regulation (GDPR) has applied since 25 May 2018 and protects individuals in the European Union (EU) and the European Economic Area (EEA). (Read: Introduction to GDPR)
After the GDPR, the California Consumer Privacy Act (“the CCPA”) is considered one of the most significant legislative privacy developments. The CCPA is a consumer privacy law from California that applies to businesses that meet its thresholds and handle the personal data of California residents, regardless of where those businesses are located. Since January 1, 2020, such businesses around the world have had to comply with additional requirements on the processing of that data. Companies both inside and outside California are affected by the CCPA requirements. (Read: The CCPA – California Consumer Privacy Act)
Organizations need to keep up with the latest international data privacy and security regulations, especially as the risk of liability, statutory penalties and lawsuits keeps increasing. Implementing a compliance program built on a set of best practices for data privacy and security helps mitigate these risks. Companies are well served by a privacy-by-design approach that builds privacy and data security compliance in from the start, to reduce risk down the road. Data privacy is an ongoing process, and companies may face challenges while implementing policies and procedures and rolling out new systems and technologies.