Data is the fuel that powers modern business, streamlining daily operations and empowering data-driven decision-making. Yet, any organization collecting, storing, or using consumer data will be subject to a web of data privacy regulations. As a result, controlling privacy compliance risk has become a significant enterprise challenge.
This guide will explain data privacy, provide examples of privacy regulations, and highlight a framework for privacy compliance.
What is the difference between data privacy and data security?
Privacy and security are different, but closely-related, subsets of the data protection function.
Data privacy processes manage PII collection, storage, and access authorization.
Data security, on the other hand, consists of safeguards that protect any sensitive data and information systems from unauthorized access.
A security system may prevent data breaches, but will not necessarily protect data privacy. However, an effective data privacy system requires strong data security.
What are examples of data privacy? Data privacy laws
By the United Nations’ count, 71% of countries have data privacy laws on the books. Many have multiple laws at the national and provincial levels. This fragmentation complicates compliance for any company doing business internationally.
For example, Canada has several national data privacy regulations. The Privacy Act and Access to Information Act apply to the Government of Canada, while the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the private sector. Alberta, British Columbia, and Quebec have enacted consumer data protection laws, while other provinces protect health or financial data.
American federal privacy regulations are industry-specific. Healthcare organizations must protect patient health information under the Health Insurance Portability and Accountability Act (HIPAA). The Federal Trade Commission’s Privacy Rule requires financial institutions to protect credit card data, social security numbers, and other consumer data. State regulations like the California Consumer Privacy Act (CCPA) provide general information privacy protections.
Fragmented and overlapping privacy legislation complicates compliance. However, these laws define similar privacy principles that can guide organizations to create more effective controls.
These principles include:
Permission and consent
Before collecting, using, or sharing PII, companies must obtain the consumer’s explicit and informed consent. In many cases, people have the right to retract their permission at any time.
Transparency and rights
A prerequisite of informed consent is a clear explanation by the company of its data collection, use, and sharing practices. Privacy laws often require companies to include notices of consumers’ data privacy rights.
Data protection and minimization
To protect the public’s PII, companies must implement privacy practices and technologies that limit unauthorized access and use. Another way to protect PII is by minimizing the data companies collect and store. Ideally, customer home addresses are collected once and stored in a single location. Data minimization simplifies access control and reduces the risks of data loss.
Right to be forgotten
Privacy legislation often grants consumers the right to have their personal information deleted from corporate databases. Companies must provide a process for consumers’ deletion requests and act on those requests promptly.
What is the purpose of the GDPR? Examples of GDPR articles that pertain to data privacy
The European Union adopted its General Data Protection Regulation (GDPR) in 2016, establishing a template many countries have since followed. Before GDPR’s enactment, privacy regulation varied from member state to member state. Some did not regulate PII at all. Those that did adopted different philosophies for enforcing those rules.
GDPR systematized privacy regulations within the European Economic Area (EEA), which includes EU-member states plus Iceland, Liechtenstein, and Norway but not Switzerland, Turkey, the United Kingdom, or non-EU Balkan or Eastern European countries.
Any business, European or otherwise, must comply with GDPR if it offers goods or services to people within the EEA. Services can include providing Europeans information on a website. As a result, almost any organization could find itself responsible for GDPR compliance. Key GDPR articles include:
Article 5: Principles relating to processing of personal data
This article establishes six fundamental principles organizations must adopt to protect personal information. For example, Article 5’s data minimization clause states that collected data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Data minimization gives European residents control over how much personal data companies may collect. Compliance with data minimization may seem like a burden. However, limiting data collection is good data management practice. Collecting less data reduces the attack surface, risks of security breaches, and data storage costs.
Article 17: Right to erasure
Popularly known as the “right to be forgotten,” Article 17 gives European residents the right to request organizations delete their PII and sets expectations for these organizations to erase that data “without undue delay.”
Individuals use the right to erasure to reduce their digital footprints and to scrub incorrect or out-of-date online information. However, this is not an absolute right. Article 17 establishes conditions where people cannot have their data deleted. For instance, companies can keep data for public health, scientific, historical, and other public interest purposes.
Article 25: Data protection by design and by default
This article requires organizations to take “appropriate technical and organizational measures” when implementing data protections. Article 25 puts into practice the privacy-by-design concept developed by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada.
This systems engineering framework makes privacy principles central design criteria. For example, privacy by default requires designing systems based on principles of least privileged access.
NIST Privacy Framework: a tool for improving privacy through enterprise risk management
There’s no universal solution for navigating this complex web of data privacy regulations. Every company’s risk exposure is a unique product of its consumer relationships, information architecture, geographic reach, and other factors. At the same time, companies must collect data to manage operations and innovate.
To help companies resolve this privacy vs. insight dilemma, the National Institute of Standards and Technology (NIST) developed its NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.
This voluntary tool can guide organizations as they develop appropriate consumer protection initiatives. NIST built this framework around five core functions: Identify, Govern, Control, Communicate, and Protect.
Identify
These activities help companies establish a risk baseline. One of the first actions is to survey how they collect, store, and use PII. Combined with an estimate of their regulatory exposure, this inventory lets companies conduct privacy risk assessments.
Govern
Data privacy must be integral to a company’s data governance structure, starting at the top with a declaration of the company’s privacy priorities and risk tolerance. Named process owners, often mandated by regulations, will lead the development process and monitor future compliance activities.
Control
This function comprises the data management policies, processes, and technologies that enforce data privacy.
Communicate
Privacy must be ingrained in the company culture. Regular communications and training must help individuals understand the importance of data privacy, the risks associated with personal data, and their roles in data protection.
This privacy culture must foster transparency into the company’s practices, compliance, and risk exposure.
Protect
Companies must implement privacy safeguards appropriate to their size, the amount and type of data they collect, and regulatory exposure. Central to protecting PII are systems for identity management, authentication, and authorization. In addition, the company’s cybersecurity practices play a crucial role in preventing unauthorized access to PII.
How Starburst reinforces data privacy practices
Starburst’s modern data lake analytics platform simplifies the creation and management of an effective data privacy practice. By virtualizing your various data sources, Starburst unifies your company’s data within a virtual access layer where you can enforce privacy policies. Let’s look at Starburst’s role within the NIST privacy framework.
Identify
Putting every data source at your fingertips makes discovering and mapping PII by location and regulatory jurisdiction easier. Starburst also helps identify duplicate data — the first step in data minimization.
Govern
Centralizing data access through Starburst’s single point of access lets you implement privacy governance policies programmatically. At the same time, Starburst streamlines the design of compliance dashboards and other data products.
Control
Starburst’s role-based and attribute-based controls let you implement fine-grained policies for granting appropriate access to consumer data at the catalog, schema, table, view, or column level. For example, data tags can flag GDPR exposure to ensure the correct handling of data about European residents.
Communicate
Users benefit from increased data visibility, including the provenance and lineage of every dataset. At the same time, they know that clear, consistent policies govern their access through Starburst.
Protect
Starburst’s built-in access controls and integrations with third-party security solutions help protect sensitive data from inappropriate access.
