With technology developing at the speed of quantum mechanics, there always seems to be some new tool to implement, an urgent priority to track, or a mission-critical requirement for security professionals to keep up with.
The same goes for privacy professionals. Just like our brethren in security, privacy professionals operate in a fast-paced, high-stakes environment and deal with complex and technical issues on a daily basis.
What’s more, our operating environments—i.e., data ecosystems—are becoming increasingly cross-functional with security. But while data privacy and data security are complementary disciplines, they’re not the same thing.
To create the most efficient systems, security and privacy experts need to understand the basic tenets of the other discipline in order to build the best long-term solutions. Security professionals don’t need to know the ins and outs of every single data privacy concern, but it’s essential for IT teams also to understand the big-ticket items when it comes to data privacy.
That said, a solid foundation in data privacy basics will set your team up for success in data privacy projects and collaborations. So sit back with a fresh cup of coffee and enjoy a refresh on the essential basics of data privacy.
The difference between data security and data privacy
If you have peers and colleagues who love to ask, “but what do you do,” and then ask you if social media is spying on them, this is the section for you.
Data privacy and security used to be practically synonymous, in part because the technology and regulations related to current data collection practices didn’t exist. But as businesses began to see the economic upside to data collection—especially via increasingly ubiquitous social media channels—privacy pioneers began to advocate for limits and regulations around when, where, and how companies could collect personal data.
This led to the advent of data privacy as a field separate from data security.
In a nutshell, here is the difference between data privacy and data security:
- Data security is the act of protecting data from unauthorized access, whether it be from hacking, data breaches, exposure, threats, and bad actors. This often takes the form of technological and physical security, from antivirus and firewall protection to safeguarding the servers where data is stored.
- Data privacy is concerned with how and why a party collects data, what they do with it, who they share it with, how long they store it, and if proper consent was given for data collection in the first place.
With that in mind, here are the top five data privacy basics you need to know.
Data privacy regulations vary between locations, but you probably need to comply with multiple jurisdictions
In 2016, the European Union’s General Data Protection Regulation (GDPR) was among the first landmark data privacy laws to come into effect, and it had significant ramifications for data collection practices.
What’s more, it triggered a wave of privacy advocacy. In subsequent years, a number of other countries, as well as different U.S. states, have adopted their own consumer privacy acts.
New consumer privacy legislation includes:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil’s General Personal Data Protection Act (LGPD)
- California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Utah Consumer Privacy Act (UCPA)
- Connecticut Data Privacy Act (CTDPA)
But the complication for many businesses lies in uneven regulations across geographic lines. For most of these regulations, even if a business isn’t based in a given geographic jurisdiction, if you collect data from a citizen in that state or country, you are legally required to comply with that government’s data privacy policy.
For example, if you aren’t based in the EU but collect data from EU citizens, you must comply with the GDPR. This also applies to data storage: if you collect data from EU citizens, then your data storage system must comply with their regulations.
Because of this patchwork system, stitching together compliance processes to meet the basics of every single data privacy and protection act requires significant time and resources.
Instead, businesses generally find that the most effective data privacy policies are based on industry best practices, rather than perfunctory compliance with mandates. This strategy supports a customer- AND business-friendly approach to privacy, and it takes less time to implement because you don’t have to rework your entire program any time regulations shift.
Data privacy is considered a consumer right
Data protection regulations like the GDPR are considered rights-based laws, because they are designed around the notion that consumers have a right to their own personal information. The regulations are designed to give consumers more power to determine who can collect and use their information.
As rights-based laws, most privacy regulations will provide consumers with the right to:
- Know what personal data is being collected
- Obtain a copy of their personal data upon request
- Opt out of having their data sold or shared
- Opt out of targeted marketing
- Delete personal data from your system
- Correct inaccurate data
When violated, these regulations can result in catastrophic business costs, in the form of both outright monetary fines and loss of consumer trust.
Non-compliance can result in significant fines and liability. Consider the following:
- Under the GDPR, small infractions can earn businesses a fine of up to €10 million. On the other hand, large infractions can result in fines of up to €20 million, or 4% of the company’s annual revenue—whichever is greater.
- In California, the state can levy fines of $2,500 for each violation, and private plaintiffs can also bring suit against a company even if it settles all fines with the state.
- In Canada, alongside fines under PIPEDA of up to $100,000 per violation, organizations found in breach could also face additional penalties depending on the province.
To make things even more complicated, these fines apply to businesses based on different parameters depending on the jurisdiction. For example, in Virginia, fines apply to companies that process data from at least 25,000 consumers. However, GDPR fines have no such threshold, and regulations apply to any business that falls under its jurisdiction.
On top of government compliance, it would be difficult to overstate just how important data privacy is to consumer trust, and for that matter, business revenue.
Consumer trust is essential to a business’s bottom line
Consumers invest more money in businesses they trust, and many consumers will stop using a service or product if it’s associated with a business that loses consumer trust. This isn’t just a platitude—research across the U.S. shows just how much consumer trust and data privacy compliance can affect a business’s bottom line.
Studies show that:
- 33% of consumers have ended relationships with companies across all sectors over their use of consumer data
- 39% of consumers have lost trust in companies due to a breach or data misuse
- 88% of customers won’t purchase products or services from businesses they don’t trust
- 73% of consumers are more inclined to share personal data with companies they trust
- 80% of customers are more loyal to companies they see as having “good ethics”
So if businesses need consumer trust to succeed, the question is, how can businesses gain and maintain consumer trust through their data privacy?
Transparent, simple data privacy policies are key to establishing consumer trust
The most consumer-facing document in a business’s privacy policy is often a privacy notice. But how many businesses have long, convoluted privacy notices with subsections upon subsections and mind-boggling jargon you’d need a lawyer to understand?
If you answered “most of them,” you’d probably be right.
The fact is, businesses with unnecessarily complicated privacy notices are missing a critical chance to build consumer trust. That’s not to say your privacy should be bare bones, though.
Privacy notices are nuanced, but some of the items you’ll need to detail include:
- When your privacy notice becomes effective
- What data you collect, how you use it, and where it’s shared
- How your company responds to digital trackers, including cookies used and opt-out options
- How your company addresses cross-border transfers of personal data (if applicable)
- How your company responds to individual rights requests
- Whether your company uses automated decision-making (if applicable)
- Who your company contact is should a user have questions
- Coverage on children’s data (if you / don’t have it), international data transfers
- And many more (which is why it’s best to have a professional draft your notice)
This information can easily fall prey to technical jargon, but consumers shouldn’t need an attorney to understand the privacy notices of each business website they visit. If you’re struggling to walk that line and create a simple, effective privacy notice, data privacy experts can help balance regulatory compliance with a consistent brand voice with the end user in mind.
A data inventory is your best friend
As a security professional, you wouldn’t make security recommendations without performing an asset inventory. It’s the same in privacy land. Without a data inventory, it’s next to impossible to build effective privacy programs.
A data inventory, sometimes referred to as a data map, creates a road map for all the sensitive information in a company’s system. An inventory should look at:
- What types of information you’re collecting
- Where, how, and why you’re collecting it
- Who has access to it
- How long and where it’s stored
- Where it’s vulnerable to exposure
Data mapping is important for many reasons, including informing privacy policies and notices, managing individual rights requests, and assessing vendor relationships. It’s also vital for compliance with privacy regulations like GDPR, CCPA/CPRA, VCDPA, CPA, CTDPA, and UPA.
Employee data privacy training is a key to successful data protection
As a security professional, you already know this factoid: most data privacy breaches are the result of human error.
But here’s the thing. Even if you know this, your marketing and operations teams may not know all the ins and outs of data privacy…yet their roles involve access to, and the use of, personal data.
Data privacy training can help team members, no matter their role, understand the risks and responsibilities regarding data privacy and data security, such as:
- Personally identifiable information (PII)
- How data can be used and shared in accordance with privacy laws
- Reporting
- Social media
- Email scams
- Phishing
- Password protection
- And more!
By training an educated, empowered cross-functional team, you will greatly improve your company’s data privacy and data security. Rather than attempting to tackle these topics individually, privacy and security teams can work together to develop a comprehensive training plan that addresses all relevant data considerations.
Ready to build a stronger system? Bring in a data privacy expert.
Privacy and security efforts succeed as part of a collaborative, cross-functional system. When the two fields work together, it leads to stronger outcomes for everyone. Schedule a consultation with a data privacy expert today, and let’s build the right solutions to protect your customers and your company.