Unearthing Challenges to Data Privacy
Data privacy today is about…
● Protecting consumers through laws and regulations. A growing list of policy initiatives — GDPR, CPRA, and many more — protect people’s data from exploitation and preserve the right to privacy online. Concerns range from mass commercial surveillance, to algorithmic decisioning, to law enforcement data rights, to keeping our children safe online (and the list goes on).
● Building trust by conducting responsible business. Businesses have a huge opportunity to uphold the consumer contract and use privacy as a brand differentiator. Companies like Apple and Okta already do this to grow their revenue, turning compliance into an advantage.
Say “data privacy,” and dozens of definitions probably come to mind.
Data privacy, called “data protection” in Europe, is about protecting people’s right to privacy in an increasingly digitized world. Since 1948, when the UN adopted the Universal Declaration of Human Rights (UDHR), privacy has been an internationally recognized human right. Article 12 of the UDHR requires that no person be “subjected to arbitrary interference with his privacy, family, home or correspondence…,” and that “everyone has the right to the protection of the law against such interference or attacks.”
Relational databases became dramatically cheaper to run through the 1970s and 80s, making it easier than ever to store, search, and analyze electronic data at scale. In response to these advances, the UN Human Rights Committee called for laws that protect individuals’ privacy rights as well as their data. The 1970 U.S. Fair Credit Reporting Act (FCRA) and Sweden’s 1973 Data Act were among the first such laws.
As information technologies advanced, so did the opportunities and risks from an increasing volume, variety, and velocity of personal data. In response to these challenges, the European Union enacted the pan-European 1995 Data Protection Directive.
Across the Atlantic, laws like the 1996 U.S. Health Insurance Portability and Accountability Act (HIPAA) and the 1998 U.S. Children’s Online Privacy Protection Act (COPPA) continued America’s focus on specific data privacy issues. Today, Europe is thought to have the world’s most comprehensive privacy regime thanks to its 2016 General Data Protection Regulation (GDPR), which applies since 2018. Among other benefits, the GDPR strengthened existing protections for Europeans and added more ways for them to control their data. The GDPR also inspired an ongoing series of global privacy reforms, including in the U.S. by way of the comprehensive 2018 California Consumer Privacy Act (CCPA).
So data privacy is also about the laws and obligations that inform how organizations should protect personal data and limit their interference with our right to privacy.
What is ‘Personal Data’?
Personal data is defined differently under different laws, but overarchingly, it is data that relates to an individual. Every time you stream a show, buy a product online, register for a newsletter, pay your bills, download a free app, or apply for a credit card, you give up data about yourself. Even without your knowledge, information about who you are, what you do, and what you like is compiled and analyzed behind the scenes for a variety of uses.
Comprehensive privacy laws like the GDPR, and recently the California Consumer Privacy Act (CCPA), take this reality into account by considering ways in which data is collected, created, and related online. These laws broadly define “personal data” (GDPR) and “personal information” (CCPA) to include online identifiers, psychographics, location data, and other characteristics that, with today’s data science, are easy to mine and package into comprehensive profiles.
Consumer protection laws like the U.S.’s Fair Credit Reporting Act (FCRA) and Health Insurance Portability and Accountability Act (HIPAA) deal with specific kinds of personal data, defining narrower terms like “consumer report” and “protected health information.” Even the commonly used “Personally Identifiable Information” (PII), which is defined in the U.S. Code of Federal Regulations, is arguably narrower than the GDPR’s “personal data” and the CCPA’s “personal information.”
Challenges to Data Privacy
Privacy and data protection are two sides of the same coin, protecting the human right to privacy. Organizations are challenged to bridge many requirements, expectations, and hazards that are part of today’s information economy. Below are some common challenges and recommendations for achieving privacy peace of mind.
Challenge 1: Becoming overwhelmed by complexity
Organizations new to data privacy can become overwhelmed by the sheer complexity of the problem. There are many laws and regulatory guidelines to consider, with as many areas of overlap as areas of conflict. Whether you are a California retailer looking to enter the European market, or a Canadian agency helping a UK software company market its product in Japan, it helps to take a principle-based view.
Approach: Ground yourself with foundational privacy principles
Modern privacy laws share a common set of principles that are the bedrock of any privacy and data protection program. As you consider your organization’s specific needs, root yourself in the OECD’s principles for the protection of privacy and personal data, listed below:
Collection Limitation Principle: Collect only as much as you really need.
Data Quality Principle: Inaccurate and irrelevant data benefits no one.
Purpose Specification Principle: Be informative and timely about your actual data uses.
Use Limitation Principle: Be fair and proportionate with your data uses.
Security Safeguards Principle: Practice good security hygiene every time.
Openness Principle: Be transparent and clear about your data practices.
Individual Participation Principle: Honor privacy rights, from requests to complaints.
Accountability Principle: Hold yourself and your partners in demonstrable compliance with applicable rules and policies.
Challenge 2: Not knowing where to start
A common starting challenge is not knowing where personal data exists across your tech stack. From hosted web forms that collect visitors’ registration data to customer engagement tools – you’d be amazed how many systems touch your employees’ and customers’ personal data today.
Challenge 3: Privacy and security teams not working together
Data Privacy and Data Security are separate but overlapping disciplines that must work together to build and maintain trust.
Approach: Recognize differences while supporting mutual goals
What concerns security professionals
Data security teams focus on the confidentiality, integrity, availability, and resilience of data environments. Their work is often technical and prescriptive, requiring a thorough understanding of how systems interact and are configured, in areas such as:
● Confidentiality: Restricting access to valuable business information, which may or may not relate to an identified or identifiable individual. Per the Security Safeguards Principle, confidentiality controls prevent the unauthorized viewing or disclosure of personal data. Worst cases are personal data breaches and downstream harms like identity theft.
● Integrity: Keeping data authentic, accurate, and reliable for its intended uses. Per the Data Quality Principle, integrity is the means by which data can be kept correct and current. Data tampering and corruption can lead to a range of harms if that data is used to make legal, professional, or financial decisions about an individual.
● Availability: Security (together with IT) ensuring that information systems function properly so that business and personal data can be used by the organization when needed. Being able to recover mission-critical data after a fire in one of your server rooms is just one example. Per the Accountability Principle, not having availability safeguards in place can in itself be a data protection violation.
What concerns privacy professionals
Data privacy focuses on the collection, use, analysis, and disclosure of personal data. Digital business models bring about particular concerns which revolve around:
● Identifiability: The ways in which an individual, or their browser or device, can be singled out. For example, your name alone may not be enough to identify you as a customer, but together with your email address and account ID you easily can be.
● Linkability: The ways in which information can be associated with an individual or stitched together to learn or infer more about the person. When you hear terms like identity graphs, single-customer-view, profiling, and targeting, data linkage is involved.
● Secondary uses: Where personal data is used for something other than what it was originally collected for, which can lead to unexpected, unwanted, and potentially negative outcomes. For example, if a website publisher sells your contact information to a data broker, you may start receiving time-wasting junk mail and email spam.
● Disclosure to third parties: As much a concern for Security as it is for Privacy teams, it is important to have trust in one’s suppliers, service providers and business partners. If you share your customers’ personal data with another organization, you are responsible for ensuring privacy principles and applicable obligations can be met.
● Unawareness: This is a whole-business problem. Employees handling personal data should be trained on their privacy and data protection responsibilities. But this implies the business should know what those responsibilities are. Awareness starts with understanding what applies to you.
● Privacy harms: Is personal data being used correctly? How can individuals be harmed if their data is misused or abused? Harms range from minor inconveniences like cleaning out spam emails to major consequences like having your identity stolen. Cybercriminals often go after a company’s most valuable information, and that means personal data as much as trade secrets.
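Identifiability and linkability can be measured rather than only talked about. The block below is an added example, not code from the original article: it builds a small constructed customer table and a constructed data-broker table (every name, email and segment is invented, and the column names are assumptions for the demo), checks which attribute combinations single out a record (the k-anonymity of a quasi-identifier), joins the two tables on the shared email column to show how profiles get stitched together, and then shows why replacing the email with an unkeyed hash does not break that link while a keyed HMAC under a secret only the controller holds does.

```python
"""Added example (not from the original article): measuring identifiability
and linkability on constructed data. All records below are invented."""
import hashlib
import hmac
from collections import Counter
from itertools import combinations

# Constructed customer table: names repeat, so a name alone singles out nobody.
CUSTOMERS = [
    {"account_id": "A-1001", "name": "Alex Kim", "email": "alex.kim@example.com", "zip": "94107", "birth_year": 1988},
    {"account_id": "A-1002", "name": "Alex Kim", "email": "akim@example.net",     "zip": "94110", "birth_year": 1975},
    {"account_id": "A-1003", "name": "Alex Kim", "email": "alex@example.org",     "zip": "60601", "birth_year": 1988},
    {"account_id": "A-1004", "name": "Sam Lee",  "email": "sam.lee@example.com",  "zip": "94107", "birth_year": 1988},
    {"account_id": "A-1005", "name": "Sam Lee",  "email": "slee@example.net",     "zip": "60601", "birth_year": 1975},
    {"account_id": "A-1006", "name": "Sam Lee",  "email": "sam@example.org",      "zip": "94110", "birth_year": 1975},
]

# Constructed data-broker table that shares only the email column with CUSTOMERS.
BROKER = [
    {"email": "alex.kim@example.com", "segment": "fertility clinics"},
    {"email": "slee@example.net",     "segment": "credit repair"},
    {"email": "nobody@example.com",   "segment": "gardening"},
]


def anonymity_sets(rows, attrs):
    """Count how many records share each combination of values for `attrs`."""
    return Counter(tuple(r[a] for a in attrs) for r in rows)


def min_k(rows, attrs):
    """k-anonymity of the quasi-identifier `attrs`: size of the smallest group.
    k == 1 means at least one record is singled out by those attributes."""
    return min(anonymity_sets(rows, attrs).values())


def singled_out(rows, attrs):
    """account_ids of records that `attrs` identifies uniquely."""
    sets = anonymity_sets(rows, attrs)
    return [r["account_id"] for r in rows if sets[tuple(r[a] for a in attrs)] == 1]


def identifying_combinations(rows, candidates, max_size=2):
    """Attribute combinations (up to max_size attributes) that single someone out."""
    return [combo
            for n in range(1, max_size + 1)
            for combo in combinations(candidates, n)
            if min_k(rows, combo) == 1]


def link_by(left, right, key):
    """Inner join on a shared column: this is how two datasets get stitched
    into one profile (linkability)."""
    index = {r[key]: r for r in right}
    return [{**a, **index[a[key]]} for a in left if a[key] in index]


def pseudonymize(rows, column, secret=None):
    """Replace `column` with a hex digest. With secret=None this is plain SHA-256,
    which anyone holding the same email can recompute, so it stays linkable.
    With a secret key (bytes) it is HMAC-SHA256, which a third party without
    the key cannot reproduce."""
    out = []
    for r in rows:
        value = r[column].strip().lower().encode()
        token = (hmac.new(secret, value, hashlib.sha256).hexdigest() if secret
                 else hashlib.sha256(value).hexdigest())
        out.append({**{k: v for k, v in r.items() if k != column}, column: token})
    return out


if __name__ == "__main__":
    quasi = ("name", "zip", "birth_year")
    print("k by name alone:", min_k(CUSTOMERS, ("name",)))
    print("identifying pairs:", identifying_combinations(CUSTOMERS, quasi, 2))
    print("singled out by name+birth_year:", singled_out(CUSTOMERS, ("name", "birth_year")))
    print("linked via broker:", [(r["account_id"], r["segment"]) for r in link_by(CUSTOMERS, BROKER, "email")])
    plain_a, plain_b = pseudonymize(CUSTOMERS, "email"), pseudonymize(BROKER, "email")
    print("still linked after unkeyed hash:", len(link_by(plain_a, plain_b, "email")))
    keyed_a = pseudonymize(CUSTOMERS, "email", secret=b"controller-only-key")
    print("linked after keyed HMAC:", len(link_by(keyed_a, plain_b, "email")))
```

The takeaway for a privacy review: check quasi-identifiers in combination, not one column at a time, and treat an unkeyed hash of an identifier as the identifier itself when assessing disclosures to third parties.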
Security and Privacy teams care deeply about preventing personal data breaches, and doing what it takes to ensure unauthorized parties keep their mitts off. With the above in mind, it’s easy to see how security and privacy share many principles and goals. This is one of the reasons minimum security requirements are included in data privacy laws, and why the GDPR enshrines “[personal] data protection by design and by default.”
Challenge 4: Underestimating the risk of non-compliance
Besides GDPR, California’s CCPA, Canada’s PIPEDA, China’s PIPL, and Brazil’s LGPD are just a sampling of the comprehensive data privacy laws in effect today. Virginia, Colorado, Utah and Connecticut passed their own privacy laws, and Canada and the United Kingdom are looking at fresh legislative renovations. (Don’t worry, we’ll cover this alphabet soup in the next section.)
Each regime has enforcement mechanisms that can expose your business to administrative penalties and, in some cases, private lawsuits. Penalties can be staggering. For example, European data protection authorities can fine an organization up to 4% of its annual global turnover (or €20 million, whichever is higher). Penalties can also stack up per violation: the California Privacy Rights Act (CPRA) gives the California Privacy Protection Agency the power to fine businesses up to $2,500 per violation or $7,500 per intentional violation.