Insights | Curate Insights

What is Data Privacy

Written by Curate Insights | Sep 21, 2023 7:28:31 PM

Data privacy is the protection of an individual’s ability to control who has access to their personal information.  The concept of data privacy predates the advent of computers. In fact, public versus private (privacy) are key distinctions used as far back as Aristotle.  

The mass use of computing and data storage opened a flood gate of abuse at a much larger scale. In 1974, we see one of the first digital responses with the US Privacy Act passed in hopes to eliminate the risk of the nation’s citizens. In 1996, we see additional controls with HIPPA regulation within the medical industry. While these are sweeping regulations, even when it is not obvious that data privacy is at risk, our society defaults to keeping personal information private. 

Why is Data Privacy Important

The importance of data privacy is difficult to overstate. Especially in a world that is entirely digital, there are more ways than ever for someone’s personal data to fall into the wrong hands. Proper data privacy frameworks protect consumers and service providers from identity theft, which affects millions of Americans every year, sometimes uprooting their lives and causing massive harm to their financial and legal status. Data privacy also protects individuals’ physical safety. If a company were to release a consumer’s tracking data to the public, nefarious actors could locate or monitor the consumer, opening them up to avoidable danger. Organizations bear a responsibility to their consumers to comply with both federal and state data privacy and data protection laws. An example of such a law is the California Consumer Protection Act (CCPA), which states that consumers hold the right to request businesses to disclose the information they collect from their consumers and for what purpose that information is being collected. It is a business’s responsibility to remain compliant with such laws, to both satisfy legal and compliance regulations and to earn the trust of the consumer.  

Data Privacy Challenges

While data privacy is not a new concept, its implementation has rapidly changed as the world adopts more complex technology, multiplying the avenues of risk to sensitive data. Some of these challenges are:  

1. Businesses collect an increasing amount of consumer data.
 
2. Despite the increasing amount of consumer data collection, businesses are unaware of the various data privacy laws that are meant to protect this data– meaning there is more data to be stolen, and there is a severe lack of legal awareness.

3. Cyber-attacks are growing in their complexity.  

 

Data Privacy Best Practices

 To mitigate these challenges and ensure compliance with data privacy laws, there are some best practices to follow while handling sensitive data, including:  

1. Only collecting the personal data that is needed for the specific purpose it intends to serve.
Collecting superfluous information only exposes the business to avoidable legal compliance violations.  

2. Having a clearly defined data privacy structure, with access provisioning at the appropriate levels of privacy.
For example, the ability to view consumer SSN and DOB data should be limited to only those who need to access this data for a specific purpose that benefits the consumer, as this is highly sensitive data that could cause significant harm if mishandled.  

3. Deleting personal data once its purpose is served and is no longer needed.
Keeping sensitive information that the organization does not need any more is a simple exercise of zero potential gain and unlimited potential risk – not a good practice!  

Data Privacy Laws You Need to Know About 

1. General Data Protection Regulation (GDPR) 
GDPR is a European Union law that covers everyone in the EU. This law’s purpose is to protect residents’ personal data and apply that protection all across the EU. It also covers the transmission of information outside the EU as well, further protecting its constituents. 

2. California Consumer Privacy Act (CCPA) 
Previously covered, CCPA is a law in California that enables individuals to request corporations delete their collected personal information and grants the right to know what information the companies have collected from them.  

3. Health Insurance Portability and Accountability Act (HIPAA) 
As most readily identifiable law of this list, HIPAA protects patients’ healthcare data and its policies apply to all levels of the healthcare system. It enforces strong encryption standards and tight procedures to protect patient information.  

4. Children’s Online Privacy Protection Act (COPPA) 
COPPA is a US law that protects children under the age of 13 by requiring websites to gain parental permission to gather their children's data while browsing. 

What Happens if I Am Not Compliant?  

There are a million reasons to raise compliance standards if you are a decision maker at your organization – or 888 million of them if you’re Amazon. Here are some recent regulatory fines that some of the various data protection-centric regulatory bodies have leveled against non-compliant organizations:  

1. Facebook was fined $57 million in 2019 by the Irish Data Protection Commission for violating the GDPR. The IDPC ruled that Facebook did not inform its users of their data’s usage and consumption in an adequate manner.  

2. Amazon was fined $888 million by the Luxembourg National Commission for also being non-compliant with the GDPR, for similar reasons as Facebook, including nonconsensual user data collection.  

3. Google was fined $57 million in 2020 by the CNIL, which is a French data protection organization for, you guessed it – non-compliance with the GDPR

Aside from the moral implications of failing to protect consumer data, there are unimaginably strong financial incentives to raise data privacy standards at your organization. The fines are not simply a slap on the wrist – they could destroy your bottom line.  

What Now? 

Protecting consumer data is harder now than it has ever been, which places an emphasis on experts who can guide organizations to higher data privacy standards and top of the line regulatory compliance metrics. We typically get called in to assist with data privacy concerns after another consultant firm finished a large engagement for infrastructure or reporting. Often privacy, policy and governance are never part of the 2-3 year roadmap that our clients paid millions to implement. While the shiny new tools (likely struggling with company-wide adoption) are working as designed, the risk to the company has just exponentially increased.