What Security Professionals Need to Know About Data Privacy
It’s Cybersecurity Awareness Month, and as an information security pro, you’re probably busy running employee trainings, writing spotlights for the company newsletter, and pitching technology upgrades to your bosses.
While you’re spending October teaching everyone how to stave off phishing scams that are angling for customer data and avoid balancing company ledgers on public WiFi networks, we’d like to offer you a break.
So grab a coffee and sit back for five minutes—we’ll sub in for today’s lesson on what security professionals need to know about data privacy.
Data security vs. data privacy
For a long time, data privacy and data security were seen as synonymous. Until 2016, there weren’t many laws out there that required businesses to protect the sensitive consumer data they collected, stored, and processed.
But after the European Union passed the General Data Protection Regulation (GDPR), data privacy laws became the new big thing. Thanks to the tireless work of privacy advocates—and the fallout from massive and increasingly frequent data breaches—consumers around the world started demanding more regulatory oversight of how their personal information was collected and used.
This oversight resulted in new definitions for data security and data privacy. Here’s a highly simplified breakdown:
- Data security is concerned with securing data against bad actors, exposure, and threats.
- Data privacy is about how and why you’re collecting data, what you’re doing with it, who you're sharing it with, and how long you’re storing it. At its core, data privacy is about responsible data governance.
As the landscape becomes more complex, data security and data privacy are increasingly multifunctional and cross-departmental. But since it’s not possible for anyone at the company to secure data without help from a cybersecurity expert, it’s also important for IT teams to understand the basics of modern data privacy.
If you’ve been spending your days worrying about firewalls and data loss prevention instead of cookie consents and data inventories, don’t worry. Here are the five data privacy basics you need to know.
Data protection regulations are variable
Lesson 1: Legal compliance is complex and varies across states and countries. The best way to future-proof your data privacy processes is to build them on best practices.
It only took two years for the United States to pass a law similar to the EU’s GDPR. But whereas the GDPR is an omnibus bill that applies to all member states, the U.S. has taken a sectoral approach to data privacy. As with so many issues before it, U.S. data protection regulations have been left up to individual states for now.
The first modern data privacy law in the U.S. was the California Consumer Privacy Act (CCPA). Since the CCPA’s passage in 2018, a patchwork of state laws has popped up around the country, including:
- California Privacy Rights Act (CPRA, a CCPA amendment)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
While it’s good news for consumers, this state-by-state approach makes compliance more challenging. For businesses, the most effective approach tends to be building a data protection program based on privacy best practices rather than regulatory mandates. This strategy supports an agile, customer- AND business-friendly approach to privacy—and you don’t have to dismantle your privacy program each time your legal obligations shift.
Lesson 2: Consumer rights are key to compliance, and digital trust is now an important part of your bottom line.
Modern data protection regulations like the GDPR and CCPA are known as rights-based laws because they are specifically designed to give consumers more power to control the collection and use of their personal data online.
Most privacy laws provide consumers some version of these rights:
- Know the types of personal data being collected
- Obtain a copy of their personal data in an easy-to-read and portable format
- Choose to opt-out of having their personal data sold or shared
- Choose to opt-out of targeted advertising
- Correct any inaccurate personal data
- Delete personal data from your system
Non-compliance can result in steep fines, injunctive action, and criminal liability in some jurisdictions. But even worse, consumers have proven they are willing to walk away from companies that abuse customer trust and misuse data. According to a Cisco privacy survey, 33% of consumers have ended relationships with companies—social media, ISP, retailers, credit card providers, and even banks—over their use of consumer data.
Conversely, 84% of users are more loyal to companies with strong security controls.
Transparency is key
Lesson 3: Creating a data inventory is one of the greatest contributions you can make to building a strong data privacy program.
Transparent privacy notices that accurately describe your company’s data collection, processing, and storage practices are critical to both achieving compliance and meeting consumer expectations.
It’s not your job to write the notice, but it is your job to make sure the people who do so understand the who, whats, whys, wheres, and hows of your data program. And to do this, your best tool is a data inventory.
A data inventory tracks how data moves through your system, who has access to it, and where it’s at risk of exposure. Trying to create and manage a privacy program without this information is like trying to do a 1,000-piece jigsaw puzzle without ever seeing a reference photo. You’ll just be guessing where things should go.
Access controls are as important as firewalls
Lesson 4: It’s your job to design protection from outside threats and to actualize privacy plans to ensure internal security.
Firewalls and antivirus software are integral to any data security program. But when it comes to data privacy, protecting data from outside threats isn’t enough. You also have to protect it from unauthorized internal access.
Data privacy laws and best practice compliance require that you treat your consumer data with as much confidentiality as possible. While your privacy team can mandate that employees access the least amount of data needed to complete a task, it’s up to you to implement the access controls and permissions that can make it a reality.
Privacy is a team sport (but privacy and IT are natural teammates)
Lesson 5: When everyone works together to support best privacy and security practices, your business comes out ahead. IT and privacy especially benefit from incorporating one another into their processes.
Consumer data crosses multiple departments. From marketing to customer service to product development, everyone in your company plays a role in maintaining your customers’ privacy. Working cross-functionally also helps you by taking the burden of compliance off your shoulders.
The processes you put in place will yield better results when both IT and privacy team members collaborate together. For example, security professionals can incorporate privacy considerations when they review something from a security perspective.
Get a privacy expert on your side
Privacy and security are two sides of the same data coin. When we work in partnership, it leads to more valuable outcomes for everyone. Schedule a consult today and let’s get started protecting your customers and your company.