In recent years, data privacy has become an increasingly familiar issue to the public. This may be due to the frequent reporting of data breaches, such as the 2018 Exactis data breach that leaked the personal details of 340 million Americans, or the Cambridge Analytica scandal that made clear that Facebook has been harvesting personal data for political purposes. As data has become an important product in the digital age, consumers and organisations will need to alter their approaches to data processing and practices.
Data security, along with network security and cloud security, is vital to all businesses. The first step to building an IT system that is secure and reliable is to hire an expert IT support team.
The importance of data privacy
In the 21st century, data has emerged as a vital asset, and influential companies such as Facebook and Google are built solely upon the data economy. In 2017, data overtook oil to become the world’s most valuable commodity.
In business, this puts a stronger emphasis on trust and transparency, as the way that companies manage data and privacy policies is essential in their relations with customers and partners. By law, the personal data of individuals needs to be respected, and a level of transparency should be maintained and communicated by all businesses. In this way, business reputations will not be impacted, and individuals will be able to exercise their rights to privacy.
Data privacy and data security
These two terms are not the same thing, although they sound quite similar and may be easily confused.
Data privacy relates to the rights of individuals in the context of data collection and processing, the approaches organisations take with personal data management, and privacy preferences. It can also refer to the practices of sharing, storing and deleting data in accordance with the law.
Data security refers to the measures that an organisation takes to protect data from unauthorised access. This may include protection against malicious attacks, or the prevention of data being stolen or leaked in a data breach. Data security may include network security, encryption or access control.
Data protection refers to the practices and safeguards in place to ensure personal data is secure and under control. This involves not only keeping customers, clients and partners informed and up to date on the use of personal data, but also following the correct procedures in the use of sensitive data, and training staff to ensure they follow these procedures. Data protection may also include keeping clear policies with regard to data, restricting access, monitoring and reporting, and regularly carrying out backups.
In the new era of data, compliance has become an important issue for businesses, as the penalties imposed by governments can be costly. In January 2019, the French government fined Google €50 million for collecting personal data without a sufficient level of transparency. In the same year, a Polish data processing company was fined €220,000 for using publicly available personal data to contact 90,000 individuals without permission.
Failure to meet data compliance regulations is a potential hazard for both public and private organisations of different types, and both small and large businesses are subject to fines when regulations are not met. British Airways was fined £183 million for a data breach caused by poor security, while Polish retailer Morele.net was fined €645,000 for failing to protect the data of 2.2 million customers.
Data privacy regulations
The General Data Protection Regulation (GDPR) came into effect in May 2018 and is aimed at protecting the personal data of EU citizens. It gives consumers rights concerning their data and imposes security obligations on companies that hold their data, regardless of their global location. For companies, a difficult part of the GDPR is the need to respond to subject access requests, as many organisations are unable to easily locate the specified data. Organisations also need to make opt-in consent clear to consumers, and respect individual rights to request or delete data.
The Californian Consumer Privacy Act (CCPA) is due to come into effect from 1st January 2020 and has a focus on consumer privacy rights. It will give consumers the right to know what personal data is collected and why, and they will also have the right to access data, to opt out of data collection, and request its deletion. The act will also include the regulation of internet activity, IP addresses, biometric data, cookies and data collected by IoT devices.
Other data privacy regulations include the Health Information Privacy and Portability Act (HIPAA), which aims to improve healthcare efficiency and safeguard patient personal information in the United States. Healthcare providers are especially vulnerable to data breaches, as health records are estimated to be between 10 and 20 times more valuable than credit card details.
The Payment Card Industry Data Standards Security (PCI-DSS) is another US set of security standards created by credit card companies to protect cardholder data. The Australian Data Privacy Regulations is a government security measure that also applies to the private sector, with the objective of protecting consumer data.
As cases of data misuse receive more frequent exposure in the media, which leads to a wider public awareness of the issue, governing bodies have responded by developing complex regulations to highlight and prosecute criminal actions. For businesses, it is essential that the relevant guidelines are carefully adhered to, in order to increase efficiency of data practices and avoid heavy penalties, while for individuals it is still important to be wary of negative data practices. The age of data is still in its infancy, so we all need to stay informed to keep up with the myriad of new developments.