Data Privacy

Organizations in the recent times has seen drastic changes in the way personal data is collected & handled. Gone are those days where organizations cannot afford to oversee data privacy.

Data are omnipresent, making data privacy & governance a challenge. Data privacy, governance and data management are important for businesses that want to make use of data to create value for their stakeholders while also minimizing risk. For an enterprise to gain meaningful insights from data, strong data privacy frameworks, governance strategies and practices need to be in place.

Need for Data Privacy

Modern threat actors do not discriminate. No organization—regardless of its domain, size or geographic location—is exempt from cyberthreats and data breach.

“Less is Enough” seems to be the mantra in data privacy parlance. The speed of emerging technologies and business demands has resulted in collection of colossal data. This leaves the organization in a tangle and they face a risky situation on how the data is collected, protected & processed. There has been an increase in the number of regulations on data privacy across the globe.

Global privacy laws now exist in many forms and differ by continent / region. Various advancements not limited to technology have paved way to challenges and vulnerabilities for the organization. It is imperative for the organization to understand the “real issues” on the data privacy landscape.

Evolution of Data Privacy Laws

It all began with Europe’s General Data Protection Regulation (GDPR). After that, a privacy movement hit the United States with California first enacting a privacy law, and many more expected to follow suit. Even outside of Europe and the USA, many nations including India, Brazil, United Arab Emirates and Australia are keeping pace with their own privacy regulations.

GDPR – General Data Protection Regulation

In 2016, the European Union General Data Protection Regulation (GDPR) (effective on 25 May 2018) was adopted to replace the Directive 95/46/EC to implement a legally binding regulation that will be considered the EU data protection law.

GDPR applies to any organization that stores or processes personal information about EU citizens (even if they do not have a business presence within the EU). Specific criteria for companies required to comply are:

1. A presence in an EU country.
2. No presence in the EU, but it processes personal data of European residents.
3. More than 250 employees.
4. Fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

In simple terms GDPR is:

1. The GDPR is designed to allow individuals to more effectively control their personal data.
2. Controls what can be done with personal information
3. Requires that consent is given to process or store personal information.
4. Gives a person a right to know what information is held about them.
5. Allows a person to request information about them is erased
6. Makes sure that personal information is properly protected. New systems must have protection designed into them (Privacy by Design). Access to data is strictly controlled and only given when required (Privacy by Default).
7. If data is lost, stolen or is accessed without authority, the authorities must be notified and possibly the people whose data has been accessed may need to be notified also.
8. Data cannot be used for anything other than the reason given at the time of collection.

CCPA – California Consumer Privacy Act

CCPA is also unofficially referred as the American GDPR, is an act intended to enhance privacy rights & consumer protection for Californian residents. The GDPR was first to set the precedent and the CCPA drew inspiration from the EU regulation.

California Consumer Privacy Act (CCPA) applies to for-profit entities that do business in CA and meet one of the following criteria:

1. Global revenue is greater than $25M; or
2. Collect PI information of 50K consumers (globally); or
3. Derives 50% of revenue from selling data

In simple terms, CCPA introduces the following rights:

1. Right to know all data collected by a business on you
2. Right to say NO to the sale of your information
3. Right to DELETE your data
4. Right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection.
5. Mandated opt-in before sale of children’s information (under the age of 16)
6. Right to know the categories of third parties with whom your data is shared
7. Right to know the categories of sources of information from whom your data was acquired
8. Right to know the business or commercial purpose of collecting your information

Private right of action when companies breach your data

In a Nutshell

Data Subject – A data subject is any person whose personal data is being collected, held or processed

Data Controller – The data controller determines the purposes for which and the “means” by which personal data is processed. They shoulder the highest responsibility for compliance

Data Processor – Data processor is a person or organization who deals with personal data as instructed by a data controller

Closing Thoughts

Governments across the globe have begun to take data privacy seriously and will roll out geography specific / country specific privacy laws. Organizations should be prepared to face it and comply, failing which there would be lots of complications.

As time progresses, we may see these multiple regulations getting streamlined & will start sharing a common DNA irrespective of the geography, which would spice up the entire data privacy spectrum.

A buy in from the top management & clear demarcation in roles & responsibilities to set up data privacy polices & frameworks can help organizations propel ahead in this data privacy journey.

Alas… let’s not forget that “Personal Information belongs to individuals”!!!!