Data privacy and data privacy laws are increasingly critical in the modern world. Whenever you communicate over any type of network or entrust your personal information to an organization or individual, you need confidence that they will keep your information safe and secure. Data privacy laws exist to hold organizations accountable for how they handle private information.
Depending on where you live, your view of data privacy laws may vary. Most people know about GDPR, yet it is just one of several data privacy laws in existence. It is only a few years old, though it certainly gets more press than HIPAA, GLBA, PCI DSS, and FERPA.
FERPA has been protecting student educational data since 1974. GLBA (Gramm-Leach-Bliley Act) protects your financial data, HIPAA (Health Insurance Portability and Accountability Act) protects your personal health information, and PCI DSS protects your credit card data.
Each of these laws, and others not mentioned here, is more important than most people tend to appreciate. As we create and process more information, the volume of data in existence and the way businesses collect and process this personal data have become a significant talking point.
The biggest worry is not just that companies may sell this data to advertisers (as Facebook and Google are wont to do). It is also the increasingly common practice of analyzing customer data and surfacing insights from it.
Data might well be the new oil; companies collect so much private and sensitive data that protecting it has become urgent. We need data privacy laws to help with this.
Privacy on the internet
The internet is a largely unregulated place, and much data from public records is available online. Many of the US federal laws on protecting data focus on specific industries. Section 5 of the FTC Act of 1914 prohibits companies from engaging in “unfair or deceptive acts or practices.” Yet many tech giants have misrepresented the facts around the privacy of consumer data.
Despite its far-reaching powers, the FTC is limited. Its privacy protections are indirect and imperfect, and these companies are willing to exploit the loopholes for gain.
Data protection ensures people’s right to privacy
Companies and governments are the parties most guilty of invading and compromising consumer privacy. As we have seen, it is possible to protect data without ensuring data privacy. In the same vein, data privacy without data protection is a myth.
Data privacy rules restrain companies from hoarding every customer detail. At the same time, companies must train employees in data protection to raise awareness of the fundamentals of proper collection, sharing, and use of sensitive data as one component of a data security program.
What data privacy really is
It is easy to assume that everyone understands what data privacy is. Since that is far from the truth, we will begin with a comprehensive definition of “data privacy.”
Data privacy comprises the protection of personally identifiable information (PII) concerning an individual.
Personally identifiable information includes your name, ID number, physical address, email address, telephone number, and birth date. Other PII includes your IP address, online profile photo, or social media posts. The specific data regulation determines what qualifies as personally identifiable information.
Why do data privacy laws matter?
Data privacy laws matter because of the strict requirements they impose for collecting, protecting, accessing, and/or deleting personally identifiable information.
These regulations now demand a radically different approach to protecting and managing data than before. Organizations carry the burden of proof to show they are continuously protecting, securing, and retaining data in a secure manner. These custodians must also remove all of it from their records whenever a user requests it.
Data privacy laws now impose severe penalties on organizations that breach them. A merchant who breaches the PCI DSS will pay between $5,000 and $10,000 every month. They may also lose their ability to process credit card transactions until they remediate the problems.
In the same vein, a healthcare organization that loses PII and violates HIPAA in the process can expect to part with millions in fines.
Is my company subject to data privacy laws?
Data privacy laws apply to companies irrespective of size. You are still subject to them even when you do not handle sensitive data.
It is necessary to have a significant budget for protecting data. This is a no-brainer if you consider how much you already invest in sustaining compliance. The California Consumer Privacy Act (CCPA) illustrates this: the law targets large companies or those earning considerable profit from selling personal information. Some other US states have passed laws to protect data, which suggests that a federal law may be on the horizon.
We also need to talk about the European Union’s GDPR. The General Data Protection Regulation became effective in 2018 and applies to all organizations in all industries worldwide, as long as the organization holds any PII relating to an EU citizen.
The GDPR offers wide latitude in its definition of PII by including data that identifies an individual “directly or indirectly.” Indirectly identifiable information includes web browser cookies, a mother’s maiden name, or location data.
The GDPR also covers the monitoring of individuals’ behavior within the European Union, including tracking of their internet activity.
Data privacy is not data security
Securing sensitive data is no substitute for complying with data privacy laws. Many companies use these terms interchangeably, but here is the main difference:
- Data security ensures that attackers cannot access data.
- Data privacy addresses the collection, sharing, and usage of data.
The difference is as clear as daylight. Your organization may be doing a great deal to secure PII: you typically encrypt the data, restrict access, and install several overlapping monitoring systems. Yet if you collect PII without appropriate consent, you are still in breach of data privacy regulation, even though the data itself is secure.
Data privacy also covers regulations requiring companies to secure data. As more data protection regulations appear globally, worldwide privacy requirements and demands will also evolve. Data protection remains crucial throughout, because it is how companies comply with the law and deliver data privacy in practice.