What is Data Privacy?
Definition and Compliance Guide
Data privacy is the branch of data management that deals with handling personal data in compliance with data protection laws, regulations, and general privacy best practises.
Ensuring data privacy involves setting access controls to protect information from unauthorised parties, getting consent from data subjects when necessary, and maintaining data integrity.
Data privacy needs to be a top priority for businesses. Failure to comply with data privacy regulations can lead to big losses. Think legal action, steep financial penalties, and brand damage.
Ensuring data privacy is part of the larger topic of data governance. Data governance requires organisations to know what data they have, where it’s stored, how it flows through their IT systems, and how it’s used. Data governance best practises allow organisations to maintain data integrity and trust in their data.
Personal data protection
Any data may be sensitive, from a company’s earnings information to sales figures or product roadmaps. Among the most sensitive data is information about people — personal data about any identified or identifiable individual. Personally identifiable information (PII) can be almost anything. PII isn't always as obvious as a name or Social Security number. Sometimes, it's another identifier such as an IP address or cookie information. If it’s possible to identify an individual based on a data field or record, that data is personal data.
The importance of data privacy in today's business world cannot be overstated. In most of the world, personal data — such as credit card information or personal health information — is subject to data privacy laws.
GDPR and other data regulations
Data privacy laws specify how data should be collected, stored, and shared with third parties. The most widely discussed data privacy laws include:
GDPR: The European Union’s General Data Protection Regulation (GDPR) is the most comprehensive data privacy law in effect. It applies to European Union citizens and all companies that do business with them, including countries not based in Europe. GDPR gives individuals the right to determine what data organisations store, request that organisations delete their data, and receive notifications of data breaches. Noncompliance may result in hefty fines and legal action.
CCPA: The California Consumer Privacy Act (CCPA) is a state-level regulation in the United States. It enables California residents to ask organisations what personal data exists about them, delete it on request, and find out what data has been given to third parties. These measures apply to consumer data gathered within the state.
Data sovereignty as part of data privacy laws
Data sovereignty is the concept that data is subject to the laws of the location in which it's collected. For example, in July 2020, the Schrems II ruling decided that, according to GDPR, consumer data for customers in the EU must be hosted on servers within the borders of the EU.
Think of data sovereignty as a way to make sure that user data stays close to home for its own protection. By dictating where data can be stored and processed, governments aim to keep their citizens' data from falling into the wrong hands.
Data sovereignty becomes critical when looking at cloud service providers. GDPR compliance, or future regulations, may require you to store certain data on servers in certain jurisdictions.
Data laws and acts worldwide
While discussion of the General Data Protection Regulation in the EU brought information privacy to light for businesses and consumers around the world, the roots of privacy laws are deeper than most realise. In fact, the right to privacy was included in the United Nations' Universal Declaration of Human Rights way back in 1948.
Data privacy legislation is being enacted all the time, and by now a majority of countries worldwide have passed data laws and acts. Which regulations you need to comply with will depend on where your company operates, what borders you do business across, and which industry you’re in.
It's well known that healthcare providers, financial institutions, and the insurance industry are highly regulated, but most service providers are subject to some kind of data regulations. Even if your business is not in a highly regulated industry, regulatory compliance is a necessary part of doing business with customers in those fields.
Other data legislation that may affect your business could include cybercrime laws, online transaction laws, and consumer protection laws. For example, the Children's Online Privacy Protection Act (COPPA) ensures information privacy for minors in the US. It's why social media companies like Facebook and Twitter don't allow children under the age of 13 to create their own accounts.
The legal landscape is always shifting, and it's clear that data legislation is only growing. It's important to familiarise yourself with regulators and stay aware of pending legislation that could affect your business. That includes completing due diligence before expanding business into a new region.
Data privacy vs. data security
Data privacy is related to, but not the same as, data security. They do have some overlapping obligations:
- Access control: Preventing unauthorised access to and use of data is the cornerstone of privacy, and possible only through security.
- Integrity of the data: Making sure that data is accurate and not altered is both a privacy and a security concern.
- Accountability: Company policies relating to data should document both privacy and security.
But privacy and security have different emphases. Data security is concerned with ensuring the confidentiality, integrity, and availability of all data. Security professionals implement cybersecurity measures such as authorisation and data encryption. They prevent data breaches and defend against malicious attacks.
Data privacy, by contrast, focuses on information about individuals. Privacy rules determine what types of PII may be collected, about whom, to what extent, and what can be done with it. Businesses must ensure that only the appropriate access rights are granted to people in the organisation, to partners with which they share data, and to the general public.
A data governance framework enables data sharing and preserves data privacy. For example, an organisation can offer self-service access to those with a business need to see sensitive data, while anonymising PII for others.
Data privacy is not data security
Security can exist without privacy principles, but privacy needs security — in fact, there is no privacy without security.
Implementing a full suite of privacy policies — data collection, data processing, data portability, data retention, and data deletion — is meaningless if someone can gain unauthorised access to sensitive data. Data privacy and data security professionals must work together to ensure that sensitive data is both private and secure.
Security applies to all types of information, whether it's PII or not. The question of whether information is personally identifying simply determines the level of security necessary. PII requires the highest security standard. However, privacy encompasses a wider set of obligations than security, including:
- Data lifecycle: The data lifecycle for PII must begin with a clear purpose for collecting user data. It also maps how PII is managed, from collection to deletion.
- Data ethics: Ethics extend beyond lawfulness and compliance with data privacy regulations. Ethical behaviour towards personal data includes transparency, openness, and fairness regarding how that data is handled.
- Data quality: While ensuring the accuracy of user data isn't solely the responsibility of data privacy professionals, it is vital to maintaining data privacy. For example, if patient records aren't up to date, test results could go to the wrong person.
Data privacy depends on data health
Data privacy goes hand in hand with data health. Data is healthy if it is available to everyone across the organisation who needs it when they need it, and they can trust it to provide value in their analyses or decision-making processes.
If your customer data is a mess, or your data is siloed and inaccessible across the organisation, you're probably in noncompliance with data regulations. Unhealthy data can't be managed with enterprise-wide data governance, so you won't meet the deadlines for GDPR or CCPA discovery requests
The good news is that data health is achievable through a combination of preventative care, supportive treatments, and a supportive culture. While data health metrics will look different for any organisation, you can measure data health with data quality metrics and by assessing the business value of your data.
Talend offers a free data health checkup: Talend Trust Assessor. When you export a subset of your data and run it through the tool, you'll get a rapid evaluation of the validity, completeness, and uniqueness of the data. We also provide sample datasets so you can also see how it works without uploading any data of your own.
How Talend facilitates data privacy
Talend Data Fabric is an important tool for businesses who want a software platform for achieving data health and managing data privacy. Companies use it to securely administer data regardless of whether the data is in the cloud or on-premises. Talend Data Fabric enables businesses to keep their data in compliance with data privacy, data security, and data governance best practises, laws, and regulations. It lets organisations classify data as PII and secure and restrict its access. Try it for free and see how Talend Data Fabric can aid your data privacy practises.