Data Privacy – Definitions, Importance, Legislation / Privacy Laws
Tuesday, May 12, 2020
Data is the “new gold”, a treasure of the current century worth billions of dollars. You must have heard reports like “xyz company’s user data sold for xx amount” on the dark web. It is not just about dark web marketplaces; data has value in legitimate business as well, where one company discloses its user details to partners or peers for larger business deals. For example, WhatsApp shares its user details with Facebook and other partners. As data keeps growing and becoming more valuable day by day, so does the requirement for data security and privacy.
For an individual, personal details (also known as Personally Identifiable Information, PII) like name, bank account number, passwords, sexual orientation, relationships etc. are confidential data around which he or she needs privacy. For a business, data privacy goes beyond the PII of its employees and customers. It also includes the information that helps the company operate, whether that is proprietary research and development data, trade secrets, process maps or financial information that shows how it spends and invests its money.
Data privacy, often termed “data protection” or “information privacy”, relates to the careful handling of data throughout its lifecycle, from creation to deletion, according to its relative importance. Whereas data security (or data protection in the broad sense) is the larger term covering how data is secured and how unauthorized access is prevented, data privacy is the branch of it concerned mainly with how data is processed and handled. Data privacy deals with data management, governance, compliance, the laws around it, consents, notices, and regulatory obligations. Data privacy revolves precisely around:
- How data is collected: legally or illegally, directly from the data principal (the person the data is about) or from another data processor/owner, with or without the consent of the data principal.
- The type of data (data classification: informational, sensitive, confidential, critical/secret) and the process for handling it.
- The purpose of data collection, for how long the data is collected, the rights of the data principal over the collected data after collection, cross-border transfer of data, grievance redressal etc.
- Regulatory and legal restrictions, such as CCPA, GDPR, SOX, HIPAA, GLBA, the Data Protection Directive, CCSL, the Data Protection Act 2012 (Ghana), PDPB 2019 (India), PDPA 2012 (Singapore), the Data Protection Act 1998 (UK) etc.
Types of Data
Before we dive deep into data privacy and protection, we need to understand the different types of data in circulation:
- Personally Identifiable Information (PII): Personal data, also termed personal information or personally identifiable information, is any information relating to an identifiable person or identity. Such information may include, but is not limited to, name, gender, address, genetic data, sex life, caste, SSN or UID number, bank details, financial details, mobile number, biometric information, religious or political belief or affiliation etc. In 2012, UK Education Secretary Michael Gove highlighted that the National Pupil Database of the education system is also a large, openly available store of personally identifiable information, which can reveal details of a child’s school life including exam results, attendance, teacher assessments and even personal characteristics. PII is currently regarded as the most critical kind of data, and very stringent privacy laws like GDPR, PDPA etc. have been formed around it.
- Financial data: Information about a company’s or person’s financial transactions, including the amount of assets, positions held in stocks or funds, outstanding debts, and purchases, can be sensitive. If criminals gain access to information such as a person’s credit card number, that person could become the victim of fraud or identity theft. Several laws and regulations like PCI DSS, SOX etc. exist for such data.
- Healthcare data: Medical details of a person or patient are also confidential information, as their disclosure can cause physical or mental harm to the person. People may not wish for their medical records to be revealed to others, whether out of concern that it might affect their insurance coverage or employment, or because they would not want others to know about medical or psychological conditions or treatments that would embarrass them. Revealing medical data could also reveal other details about one’s personal life. Laws like the HIPAA and HITECH acts are examples of healthcare data security laws.
- Generic available information and data: Data available on social sites, data provided when signing up for websites, a person’s use of search engines and the data mining around it, generic purchase behaviour, gender or age without revealing the person’s identity, GPS location of a user’s device etc. come under generic personal information, which may or may not be categorized as sensitive. Consequences occur often, and concerns are raised from time to time about the availability, usage and sharing of such data between companies: for example, users’ behavioural data shared by Facebook, or the capture of sensitive information by Google and its use for business enhancement. Several laws, standards and regulations like the Information Technology Act 2000 (India), ISO 27001 etc. revolve around the security of such generic information.
Data Privacy Definitions
Data privacy is a wide domain and it differs from state to state and country to country. Most states and countries have their own data privacy laws, data privacy acts or data protection bills. Data privacy has a wide vocabulary, and the terms differ from law to law. Some definitions are given hereunder:
- Data Fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
- A “Data Owner” is a senior business stakeholder who is accountable for the quality and privacy of one or more data sets. They are usually a senior businessperson who has the resources, budget and authority to make changes to that data if necessary.
- Data Custodians are technical process owners responsible for the safe custody, transport, storage of the data and implementation of business rules.
- Data Stewards are business process owners and commonly responsible for data content, context, and associated business rules.
- Data Principal or Data Subject means the natural person to whom the personal data relates (the person/identity).
- The term “Data Processor” means any person, including the State, a company, any juristic entity or any individual, who processes personal data on behalf of a data fiduciary (e.g. IT company or cloud service providers).
- Data sovereignty is the concept that data is subject to the laws and governance structures of the nation in which it is collected.
- A Data localization or Data Residency law requires that data about a nation’s citizens or residents be collected, processed, and/or stored inside the country, often before being transferred internationally, and usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used and obtaining their consent.
- Digital inheritance is the process of handing over (personal) digital media in the form of digital assets and rights to beneficiaries. The process includes understanding what digital assets and rights exist and dealing with them after a person has died.
Data Privacy Importance
Think about your credit card details getting into the hands of a hacker, or your wife finding out about your extramarital relationship… It would be a disaster, right? Similarly, trade secrets, client information, process maps, financial information etc. are equally important for an organization. Companies like Amazon, Alibaba, Uber, Facebook, Google, Oyo and Airbnb are data-driven companies with no (or limited) physical assets that work around data alone. Data is the treasured asset for these companies and has helped them grow exponentially. So data privacy is of the utmost importance for these companies in keeping their users’ trust.
PII protection, data protection or data security is not just a business functional requirement anymore. It is now bound by several data protection and privacy laws like GDPR, PDPA, SOX etc. Compliance with such laws is mandatory for every organization that holds such sensitive information. Rigorous penalty clauses, like 4% of the company’s worldwide turnover or €20 million, whichever is higher, and similar penalty clauses apply under several laws. So companies are forced to follow data privacy guidelines.
Not following data privacy guidelines may cost a company financial loss, imprisonment and brand damage. So it is advisable, and always good practice, to follow such guidelines to stay secure and compliant. Clients and users also place more trust in companies that comply with such policies, and this “trust factor” tends to be a strong ground for exponential business growth for such companies.
Data Privacy Acts and Laws
Just as every person has a different opinion and thought process, so do governments. Different states, countries and sectors have different data privacy laws, as best fit their requirements. While US sectoral laws (HIPAA, GLBA etc.) are considered the most flexible with data protection, EU law, the GDPR (General Data Protection Regulation), seems to be the most stringent law in place. There is no global law as of today that applies across the globe.
Let us have a look at a few data privacy laws, standards and regulations currently in place that focus on data protection in different locales:
US Privacy Act 1974: The Privacy Act of 1974, as amended, establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.
The GDPR: EU Data Protection Law: Enacted in May 2018, the GDPR aims to protect European citizens’ personal data, and is already having major effects on companies across the world. There are many aspects of the GDPR, and many tasks that companies have to undertake to achieve and maintain compliance with it. These include, but are not limited to:
- Explicit opt-in consent from users
- The right to request data from companies
- The right to have your data deleted
GDPR is known to be one of the most rigorous and complex-to-implement data protection laws.
Personal Data Protection Bill (PDP) – 2019, India: The Personal Data Protection Bill 2019 is a bill presented in the Indian Parliament to provide protection of the privacy of individuals relating to their personal data, laying down norms for social media intermediaries, cross-border transfer of data, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes. This Act may be called the Personal Data Protection Act, 2019 (PDPA).
California Consumer Privacy Act – 2020: The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
The intentions of the Act are to provide California residents with the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
Privacy Act (Canada): The Privacy Act is Canadian federal legislation that came into effect on July 1, 1983. The act sets out rules for how institutions of the Government of Canada must deal with personal information of individuals.
Privacy Act 1988 (Australia): The Privacy Act 1988 is an Australian law dealing with privacy. Section 14 of the Act stipulates a number of privacy rights known as the Information Privacy Principles (IPPs). These principles apply to Australian Government and Australian Capital Territory agencies or private sector organizations contracted to these governments, as well as to organizations and small businesses who provide a health service. The principles govern when and how personal information can be collected by these government agencies.
China Internet Security Law (China): The Cyber Security Law of the People’s Republic of China, commonly referred to as the China Internet Security Law, was enacted to increase data protection, data localization, and cybersecurity in the interest of national security.
Health Insurance Portability and Accountability Act (HIPAA): A data privacy regulation put in place to safeguard patients’ personal health information. It was created primarily to modernize the flow of healthcare information, stipulate how personally identifiable information maintained by the healthcare and health insurance industries should be protected from fraud and theft, and address limitations on health insurance coverage.
ISO/IEC 27001: This is not a law but a standard. It specifies a management system intended to bring information security under management control and gives specific requirements. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit. ISO 27001 does not specifically address personal data privacy; it is a generic information security standard covering a larger umbrella.
Few quick tips to protect data
Information security and data security are prevalent issues nowadays and require huge attention to the implementation of security in all domains. Data is the central point of any infrastructure and is layered by several defence systems like application, database, firewall and operating system security, FAM, DAM, WAF, etc.; yet a single mistake at any layer may cause irreversible damage. Be it personal security or business security, implementing a zero-trust system is mandatory to have full security in place. Vulnerabilities, bugs, malware, ransomware and viruses can break the defence layers, so it is always recommended to follow a defence-in-depth approach with multiple layers of defence that should be very complex or nearly impossible for a hacker to break.
Some steps we recommend for personal use cases are:
- Use complex passwords (usually at least 12 characters, with at least one upper-case letter, one lower-case letter, one special character and one numeral, and not a dictionary word) and change the password at least twice a year.
- Don’t forget to encrypt your hard disks and data to prevent data loss if your laptop or desktop is stolen.
- Always use HTTPS-based secure websites instead of HTTP.
- Enable and use multi-factor authentication wherever possible.
- Always lock your laptop and never leave confidential files and folders open without a password lock.
- Take regular backups of your data.
- Never provide confidential details on social websites or make them available to the general public.
- Do not click on spam mails or content that seems suspicious.
- Keep your operating system, firewall and antivirus software up to date.
Suggestions for businesses and organizations:
- Keep a stringent privacy process in place for everyone and train them to follow it.
- Use up-to-date security tools and controls like encryption, DLP, FAM, DAM, WAF, firewalls, DR and HA for high-end security.
- Instead of open internet connectivity, use dedicated lines or VPN connections.
- Keep monitoring, logging and auditing in place, and have separate administrators for them, distinct from the usual infrastructure/application administrators.
- Implement a zero trust model that restricts access to the entire network by isolating applications and segmenting network access based on user permissions, authentication and user verification.
- Use proper RBAC (role-based access control) policies for authentication and authorization.
- Follow a defence-in-depth approach for layering the security model.
- Keep software, and engineers, up to date with the latest technologies.
- Implement strong password policies and MFA across the organization.
- Reduce risks to the maximum extent by using relevant tools and technologies.
- Use proper security mechanisms across the data lifecycle, from data creation to data classification, discovery and proper data destruction. In public clouds, physical destruction of media or degaussing is not permitted. The only secure way to delete data in the cloud is crypto-shredding: encrypting the data and then deleting the data along with its encryption key in such a way that neither can be recovered.
- Follow applicable compliance requirements and have internal and external audits done for them on a regular basis.
- Regularly assess privacy settings and policies and refine them as and when required.
- Make sure to follow the thumb rules of data sovereignty and data localization by default. When cross-border data transfer is required, a checklist of applicable legal rules and prerequisites must be followed without fail.
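The crypto-shredding pattern from the data-lifecycle point above, as an added example written for this page (not the site’s own code): every record is encrypted under its own data-encryption key (DEK), and deleting that DEK makes the ciphertext permanently unreadable even if copies linger in object storage, snapshots or backups. The in-memory key store is an assumption standing in for a KMS/HSM; `KeyStore`, `Seal`, `Open` and `Shred` are names chosen for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore keeps one DEK per record; a real deployment would use a KMS/HSM (assumption for the demo).
type KeyStore struct{ keys map[string][]byte }
func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random 256-bit DEK kept for recordID and returns nonce||ciphertext.
func (ks *KeyStore) Seal(recordID string, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // 256-bit DEK followed by the standard 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ks.keys[recordID] = dek
	// The record ID is bound as AAD so a blob cannot be re-labelled as another record.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal; it fails once the DEK has been shredded.
func (ks *KeyStore) Open(recordID string, blob []byte) ([]byte, error) {
	dek, ok := ks.keys[recordID]
	if !ok {
		return nil, errors.New("DEK shredded: record is unrecoverable")
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// Shred zeroes and deletes the DEK; leftover ciphertext copies are then just noise.
func (ks *KeyStore) Shred(recordID string) {
	for i := range ks.keys[recordID] {
		ks.keys[recordID][i] = 0
	}
	delete(ks.keys, recordID)
}
```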
Whether you are an individual, a business owner or an employee, data privacy is equally important for everyone. For businesses, data privacy is arguably more important, as they have to meet legal responsibilities about how they collect, store and process personal data, and non-compliance could lead to a hefty fine. If a business falls victim to a hack, the consequences in terms of lost revenue and lost customer trust could be even worse.
© dataprivacyacts.com. All rights reserved.