What is Data Privacy?
Definition and Compliance Guide
Data privacy is the branch of data management that deals with handling personal data in compliance with data protection laws, regulations, and general privacy best practices.
Ensuring data privacy involves setting access controls to protect information from unauthorized parties, getting consent from data subjects when necessary, and maintaining data integrity.
Data privacy needs to be a top priority for businesses. Failure to comply with data privacy regulations can lead to big losses. Think legal action, steep financial penalties, and brand damage.
Ensuring data privacy is part of the larger topic of data governance. Data governance requires organizations to know what data they have, where it’s stored, how it flows through their IT systems, and how it’s used. Data governance best practices allow organizations to maintain data integrity and trust in their data.
Personal data protection
Any data may be sensitive, from a company’s earnings information to sales figures or product roadmaps. Among the most sensitive data is information about people — personal data about any identified or identifiable individual. Personally identifiable information (PII) can be almost anything. PII isn't always as obvious as a name or Social Security number. Sometimes, it's another identifier such as an IP address or cookie information. If it’s possible to identify an individual based on a data field or record, that data is personal data.
The importance of data privacy in today's business world cannot be overstated. In most of the world, personal data — such as credit card information or personal health information — is subject to data privacy laws.
GDPR and other data regulations
Data privacy laws specify how data should be collected, stored, and shared with third parties. The most widely discussed data privacy laws include:
GDPR: The European Union’s General Data Protection Regulation (GDPR) is the most comprehensive data privacy law in effect. It applies to European Union citizens and all companies that do business with them, including countries not based in Europe. GDPR gives individuals the right to determine what data organizations store, request that organizations delete their data, and receive notifications of data breaches. Noncompliance may result in hefty fines and legal action.
CCPA: The California Consumer Privacy Act (CCPA) is a state-level regulation in the United States. It enables California residents to ask organizations what personal data exists about them, delete it on request, and find out what data has been given to third parties. These measures apply to consumer data gathered within the state.
Data sovereignty as part of data privacy laws
Data sovereignty is the concept that data is subject to the laws of the location in which it's collected. For example, in July 2020, the Schrems II ruling decided that, according to GDPR, consumer data for customers in the EU must be hosted on servers within the borders of the EU.
Think of data sovereignty as a way to make sure that user data stays close to home for its own protection. By dictating where data can be stored and processed, governments aim to keep their citizens' data from falling into the wrong hands.
Data sovereignty becomes critical when looking at cloud service providers. GDPR compliance, or future regulations, may require you to store certain data on servers in certain jurisdictions.
Data laws and acts worldwide
While discussion of the General Data Protection Regulation in the EU brought information privacy to light for businesses and consumers around the world, the roots of privacy laws are deeper than most realize. In fact, the right to privacy was included in the United Nations' Universal Declaration of Human Rights way back in 1948.
Data privacy legislation is being enacted all the time, and by now a majority of countries worldwide have passed data laws and acts. Which regulations you need to comply with will depend on where your company operates, what borders you do business across, and which industry you’re in.
It's well known that healthcare providers, financial institutions, and the insurance industry are highly regulated, but most service providers are subject to some kind of data regulations. Even if your business is not in a highly regulated industry, regulatory compliance is a necessary part of doing business with customers in those fields.
Other data legislation that may affect your business could include cybercrime laws, online transaction laws, and consumer protection laws. For example, the Children's Online Privacy Protection Act (COPPA) ensures information privacy for minors in the US. It's why social media companies like Facebook and Twitter don't allow children under the age of 13 to create their own accounts.
The legal landscape is always shifting, and it's clear that data legislation is only growing. It's important to familiarize yourself with regulators and stay aware of pending legislation that could affect your business. That includes completing due diligence before expanding business into a new region.
Data privacy vs. data security
Data privacy is related to, but not the same as, data security. They do have some overlapping obligations:
- Access control: Preventing unauthorized access to and use of data is the cornerstone of privacy, and possible only through security.
- Integrity of the data: Making sure that data is accurate and not altered is both a privacy and a security concern.
- Accountability: Company policies relating to data should document both privacy and security.
But privacy and security have different emphases. Data security is concerned with ensuring the confidentiality, integrity, and availability of all data. Security professionals implement cybersecurity measures such as authorization and data encryption. They prevent data breaches and defend against malicious attacks.
Data privacy, by contrast, focuses on information about individuals. Privacy rules determine what types of PII may be collected, about whom, to what extent, and what can be done with it. Businesses must ensure that only the appropriate access rights are granted to people in the organization, to partners with which they share data, and to the general public.
A data governance framework enables data sharing and preserves data privacy. For example, an organization can offer self-service access to those with a business need to see sensitive data, while anonymizing PII for others.
Data privacy is not data security
Security can exist without privacy principles, but privacy needs security — in fact, there is no privacy without security.
Implementing a full suite of privacy policies — data collection, data processing, data portability, data retention, and data deletion — is meaningless if someone can gain unauthorized access to sensitive data. Data privacy and data security professionals must work together to ensure that sensitive data is both private and secure.
Security applies to all types of information, whether it's PII or not. The question of whether information is personally identifying simply determines the level of security necessary. PII requires the highest security standard. However, privacy encompasses a wider set of obligations than security, including:
- Data lifecycle: The data lifecycle for PII must begin with a clear purpose for collecting user data. It also maps how PII is managed, from collection to deletion.
- Data ethics: Ethics extend beyond lawfulness and compliance with data privacy regulations. Ethical behavior towards personal data includes transparency, openness, and fairness regarding how that data is handled.
- Data quality: While ensuring the accuracy of user data isn't solely the responsibility of data privacy professionals, it is vital to maintaining data privacy. For example, if patient records aren't up to date, test results could go to the wrong person.
Data privacy depends on data health
Data privacy goes hand in hand with data health. Data is healthy if it is available to everyone across the organization who needs it when they need it, and they can trust it to provide value in their analyses or decision-making processes.
If your customer data is a mess, or your data is siloed and inaccessible across the organization, you're probably in noncompliance with data regulations. Unhealthy data can't be managed with enterprise-wide data governance, so you won't meet the deadlines for GDPR or CCPA discovery requests
The good news is that data health is achievable through a combination of preventative care, supportive treatments, and a supportive culture. While data health metrics will look different for any organization, you can measure data health with data quality metrics and by assessing the business value of your data.
Talend offers a free data health checkup: Talend Trust Assessor. When you export a subset of your data and run it through the tool, you'll get a rapid evaluation of the validity, completeness, and uniqueness of the data. We also provide sample datasets so you can also see how it works without uploading any data of your own.
How Talend facilitates data privacy
Talend Data Fabric is an important tool for businesses who want a software platform for achieving data health and managing data privacy. Companies use it to securely administer data regardless of whether the data is in the cloud or on-premises. Talend Data Fabric enables businesses to keep their data in compliance with data privacy, data security, and data governance best practices, laws, and regulations. It lets organizations classify data as PII and secure and restrict its access. Try it for free and see how Talend Data Fabric can aid your data privacy practices.
Ready to get started with Talend?
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- PCI DSS: Definition, 12 Requirements, and Compliance
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- What is Data Portability?
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- [GDPR Step 5] How to Establish Data Collection Standards