Data privacy: What it is and why it matters

In 2016, the European Union introduced the General Data Privacy Regulation (GDPR). Websites everywhere suddenly had very visible banners outlining cookie policies and commitments to data privacy.

The regulation’s roll-out highlighted just how much personal data businesses work with every day. Ongoing digital transformation has helped organizations of every size and in every sector reach more customers and clients than ever before—but it also means that all these businesses now have access to large amounts of sensitive information.

If this data is exposed to the public following an accidental data breach or a deliberate cyberattack, it can lead to serious harm. Exposed personal data may put customers and clients at risk of identity theft, financial fraud, or further cyberattacks.

Businesses that interact with personal data have a responsibility to safeguard this information. Taking steps to protect this data starts with understanding the concepts behind data privacy and what it means for businesses.

In this blog, you’ll learn:

• What data privacy is and why it’s important
• What your business needs to know about data privacy
• What you can do to safeguard data

What is data privacy?

Data privacy—sometimes referred to as information privacy—centers around how organizations collect, store, use, and share personally identifiable information (PII). Think of it as the set of controls that determine who gets access to what, and under what conditions.

Data privacy is closely related to consumer protection, giving individuals control over how organizations use and share PII. In fact, many of the laws and regulations governing data privacy emphasize the need for greater transparency and accountability; the GDPR, for example, explicitly outlines these principles.

There are several additional data privacy rights defined by the GDPR, which other regulations touch on:

• The right to be informed, which covers notification requirements for when personal data is collected.
• The right of access, concerning an individual’s right to confirm whether their data has been collected and their right to access this data.
• The right to rectification, or correction, of errors or issues in someone’s personal data.
• The right to erasure, also known as the right to be forgotten, wherein someone can request an organization erase or destroy personal data under certain specific conditions.
• The right to restrict processing which allows individuals to limit how organizations use their data.
• The right to data portability, where an individual can request their personal data in a structured, commonly used, machine-readable format. Individuals may also bring their data to another organization.
• The right to object to the collection of personal data.

What is personally identifiable information (PII)?

PII covers a wide range of data that can be used to identify an individual—either alone or in combination with other information.

Sensitive PII includes, but is not limited to:

• A person’s full name
• A social insurance number
• A driver’s license
• Passport information
• Credit card details
• Banking records
• Medical records, such as protected health information (PHI) and individually identifiable health information (IIHI)

On the other side of the coin, non-sensitive PII may include:

• A person’s postal code or zip code
• Details about someone’s race and/or gender
• Date and place of birth
• Religious affiliation
• Aggregate data
• Device type
• Cookies served

On its own, non-sensitive PII may not pose a significant risk. But when paired with sensitive information, it creates a fuller picture—one that’s valuable to cybercriminals.

Why data privacy matters

Data privacy isn’t just a checkbox for compliance. It’s a pillar of trust.

Beyond the requirements imposed by laws and regulations, data privacy protections are simply a good business practice. Protecting customer and client PII is a major factor in not just building, but maintaining, trust.

Are you ready for tomorrow’s cyber threats?

Dive into the past, present, and future of cyber security with The State of Cybersecurity eBook.

Download now

It’s not just trust, though: failure to protect sensitive data means businesses face severe legal and regulatory penalties. Businesses that don’t meet GDPR requirements, for example, could face fines up to €10 million or as much as 2% of the annual worldwide turnover of the preceding financial year.

That’s a lot of money for large enterprises—French authorities fined Google €150 million ($170 million USD) for issues with how the company manages cookies and for failing to provide users with a means of opting out.

GDPR isn't the only legislation that governs data privacy. Other regulations and laws include:

• The Personal Information Protection and Electronic Documents Act (PIPEDA): a Canadian privacy law that outlines requirements for organizations to obtain consent to collect personal data.
• The Health Insurance Portability and Accountability Act (HIPAA): a United States federal statute that stipulates how PII in the healthcare sector should be protected from fraud and theft.
• The Payment Card Industry Data Security Standard (PCI DSS): an information security standard that is reflected in numerous international laws, and outlines standards and practices for securing payment card information.

Put simply, data privacy is a big topic with massive ramifications for any business.

Risk tolerance: Striking the right balance

Every business collects data. That doesn’t mean every business has the same appetite for risk.

Retailers need to store payment information. Sales teams collect prospect data. But how much is too much—and how do you manage the risk that comes with it? Organizations must assess their tolerance for risks to find the right balance between collecting enough data to operate and the potential consequences of a data privacy breach. 

Aligning with accepted cybersecurity standards—like the Canadian Centre for Cyber Security Baseline Controls, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the International Organization for Standardization’s (ISO) ISO/IEC 270001 standard—is a great starting point for stronger data privacy practices.

5 steps to enhance data privacy right now

Not sure where to start when it comes to enhancing data privacy protections? Here are five steps for building stronger data privacy policies and procedures:

1. Map the threat surface

Organizations can't protect what they can't see.

Building a better understanding of the threat surface—all those attackable points in IT infrastructure that a cybercriminal may access—will help identify vulnerabilities and assess overall risk.

From there, it's easier to make informed decisions about what solutions, policies, and practices will reduce the threat surface while enhancing defense. Of course, this also directly reduces the odds of experiencing a data breach. 

2. Build a security-first culture

Privacy starts with people. Building security awareness into company culture won’t happen overnight, and requires regular updates, ongoing security awareness training, and proactive diligence.

Ensure that everyone understands they have a role to play in safeguarding company data. Fostering a security-first mindset helps staff know what to do when they get a suspicious email or think they’ve been targeted by a hacker.

3. Adopt zero-trust

The zero-trust security model operates on the assumption that there is no perimeter in security. Put simply, there are no trusted devices. Every user, device, and request must be authenticated and verified every time. 

4. Promote strong password practices

Strong, complex passwords will always be a major line of defense against an attacker, and should ideally include a unique combination of letters, numbers, and symbols (or a hard-to-guess passphrase).

The problem is that making and remembering these unique and complex passwords is challenging.

Using password managers automates the entire process—users only need to remember a single unique master password, and can easily create, store, and use highly complex phrases and pins for all other logins. This eliminates reused passwords, making it much harder for attackers to compromise an account and access sensitive data.

5. Enforce multi-factor authentication

On the topic of passwords and authentication, even strong passwords can be compromised. This is especially true with the help of automated hacking tools.

What’s more, social engineering techniques may still lead to a user accidentally sharing details with a malicious actor. That’s where multi-factor authentication (MFA) comes in.

MFA requires users to provide some additional unique token alongside their password to access an account or service. Even with a compromised password, an attacker will still require these additional tokens to access confidential information.

Final thoughts

Data privacy isn’t just a compliance issue—it’s a client expectation and a business advantage.

Strengthening data privacy protections may seem overwhelming at first glance, but taking the time to put some of the practices outline above can help build better defenses to safeguard confidential information.