Data Privacy: Definition, Explanation and Guide

Data privacy or information privacy is a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around:

  1. Whether or how data is shared with third parties.
  2. How data is legally collected or stored.
  3. Regulatory restrictions such as GDPR, HIPAA, GLBA, or CCPA.

Why is Data Privacy Important?

There are two drivers for why data privacy is one of the most significant issues in our industry.

First, data is one of the most important assets a company has. With the rise of the data economy, companies find enormous value in collecting, sharing and using data. Companies such as Google, Facebook, and Amazon have all built empires atop the data economy. Transparency in how businesses request consent, abide by their privacy policies, and manage the data that they’ve collected is vital to building trust and accountability with customers and partners who expect privacy. Many companies have learned the importance of privacy the hard way, through highly publicized privacy fails.

Second, privacy is the right of an individual to be free from uninvited surveillance. To safely exist in one’s space and freely express one’s opinion behind closed doors is critical to living in a democratic society.

“Privacy forms the basis of our freedom. You have to have moments of reserve, reflection, intimacy, and solitude,” says Dr. Ann Cavoukian, former Information & Privacy Commissioner of Ontario, Canada.

Dr. Cavoukian knows a thing or two about data privacy. She is best known for her leadership in the development of Privacy by Design (PbD), which now serves as a cornerstone for many data protection regulations, including the most recent one to become law, the EU General Data Protection Regulation.

Data Privacy vs. Data Security

Organizations commonly believe that keeping sensitive data secure from hackers means they’re automatically compliant with data privacy regulations. This is not the case.

Data security and data privacy are often used interchangeably, but there are distinct differences:

  • Data Security protects data from compromise by external attackers and malicious insiders.
  • Data Privacy governs how data is collected, shared and used.

Consider a scenario where you’ve gone to great lengths to secure personally identifiable information (PII). The data is encrypted, access is restricted, and multiple overlapping monitoring systems are in place. However, if that PII was collected without proper consent, you could be violating a data privacy regulation even though the data is secure.

Data Privacy Cannot Exist Without Data Protection

While you can have data protection without data privacy, you cannot have data privacy without data protection.

Ensuring data privacy means that you’re not the creepy company that greedily collects all of your customers’ personal data – whether it is with passive location tracking, apps secretly absorbing their personal address books, or websites recording their every keystroke.

Instead, employees should be regularly trained on data protection so they understand the processes and procedures necessary to also ensure proper collection, sharing, and use of sensitive data.

Information privacy also includes the regulations required for companies to protect data. And as data protection regulation grows worldwide, global privacy requirements and demands will also expand and change. However, the one constant is adequate data protection: it’s the best way to ensure that companies are both complying with the law and guaranteeing information privacy.

Data Privacy Acts and Laws

Fortunately, lawmakers have recognized the importance of having data privacy regulation and the need to hold companies responsible for end-user data.

Companies are now required to determine what data privacy acts and laws affect their users. For instance, you must know where the data originated (country and state), what personally identifiable information it might contain, and its usage methodology.

Let’s take a closer look at how the most recent data privacy regulations impact users and companies.

GDPR (General Data Protection Regulation)

Enacted in May 2018, the GDPR aims to protect the personal data of EU citizens. There are many action items that companies in scope need to take to become compliant, including but not limited to:

  • Explicit opt-in consent
  • The right to request their data
  • The right to delete their data

GDPR gives consumers certain rights over their data while also placing security obligations on companies holding their data. For companies, one challenging aspect of the GDPR is the requirement to respond to subject access requests.

The reality is that most organizations can’t easily locate, provide, or delete an individual’s personal data on request. Many CIOs and data privacy officers rely on GDPR compliance software that automatically discovers and classifies personal data in order to keep it protected and to help expedite data subject access requests.

HIPAA (Health Information Privacy and Portability Act)

While the EU has GDPR, one of the most prominent US data protection and privacy laws at the federal level is HIPAA—a data privacy regulation that was put in place to safeguard patient personal health information.

Healthcare providers have always been an attractive target for data breaches. In fact, health records are extremely valuable—approximately 10-20 times more valuable than credit card numbers.

What is Data Privacy in Healthcare?

Even though Congress passed HIPAA in 1996, calls for even greater data privacy protection have increased now that data breaches, and the ways companies use and sell the data they collect on their patients, are at an all-time high.

Fortunately, in December 2000, the U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to carry out HIPAA’s mandate to safeguard the privacy of individually identifiable health information.

The goal of the Privacy Rule is to ensure that a patient’s health data is properly safeguarded while allowing covered entities to process health information as needed and to provide high-quality health care while protecting the patient’s health records and care.

Meanwhile, patients understand the benefits of having convenient access to their health data, but also desire data privacy. And that’s why GDPR adapted and integrated PbD lingo into law. PbD doesn’t compromise business goals. You can have privacy, revenue, and growth. You’re not sacrificing one for the other.

If you’re curious how GDPR and HIPAA compare, keep in mind that GDPR covers an even broader scope than HIPAA and does not focus exclusively on health data. GDPR calls for protecting “sensitive personal data” which includes protecting health data. Bottom line: GDPR is comparable to HIPAA’s regulatory requirements.

GLBA (Gramm-Leach-Bliley Act)

Another regulation that should be on your radar is the Gramm-Leach-Bliley Act (GLBA). The GLBA requires financial institutions to safeguard consumer financial data. To do this, leverage classification to quickly identify where your sensitive financial data is stored.

The benefits of achieving GLBA compliance are multi-fold. It reduces potential fines and reputational harm due to the unauthorized sharing or loss of sensitive financial data. Sure, the GLBA isn’t the same as the EU’s GDPR, but it won’t be long before America gets its own.

CCPA (California Consumer Privacy Act)

Businesses operating in the state of California need to be ready for the CCPA on January 1, 2020: able to identify and discover personal information, fulfill data subject access requests, and protect consumer data. The CCPA gives consumers a right to control how companies collect and use their personal data. This means that companies need to be able to quickly and accurately find and classify sensitive data so that they can identify data that falls under the CCPA and fulfill data subject access requests (DSARs).

How Varonis Helps with Data Privacy

To achieve data privacy nirvana, organizations need a data security solution that protects enterprise data, prevents data breaches, reduces risk, and helps achieve compliance. At Varonis, our approach to data security as it relates to enhancing data privacy includes:

  1. Manage access to sensitive and regulated data

You’ll never hear anyone complain of having too much access. That’s why regular entitlement reviews with DatAdvantage and DataPrivilege ensure that only the right people have access to the right data: unrestrained access leaves companies at risk of a data breach, theft or misuse. If you want to achieve least privilege and compliance faster, the Automation Engine helps you get there – so that you can automatically remediate global access and fix file system permissions.

  2. Follow proper compliance requirements

Love it or hate it, compliance requirements hold a baseline that enforces data privacy goals to sustain freedom, intimacy, and solitude. With Data Classification Engine, you’ll find and classify regulated and sensitive content. After, you’ll have the option to automatically transport data to where it needs to be and also fulfill data subject access requests as needed.

  3. Monitor and detect suspicious behavior on sensitive data

Arming your organization with DatAlert means that you’ll have continuous monitoring and alerting on all your organization’s data. This means companies can identify and monitor consumer personal data, track who is accessing it, highlight unusual activity and report on odd behavior involving regulated and sensitive data. Ultimately, knowing that your data is always safe and secure also ensures data privacy.

Get a 1:1 demo to see how customers use Varonis as part of their data security strategy – it’s a requirement for data privacy!

 

 

Cindy Ng

Cindy is the host of the Inside Out Security podcast.

 
