January 28, 2022
Data privacy: What it means and 5 ways to protect it
With contributions from Eric McDonald.
In 2016, the European Union introduced the General Data Privacy Regulation (GDPR). Websites everywhere suddenly had very visible banners outlining cookie policies and commitments to data privacy.
The regulation’s roll-out highlighted just how much personal data businesses work with every day. Ongoing digital transformation has helped organizations of every size and in every sector reach more customers and clients than ever before—but it also means that all these businesses now have access to large amounts of sensitive information.
If this data is exposed to the public following an accidental data breach or a deliberate cyber attack, it can lead to serious harm. Exposed personal data may put customers and clients at risk of identity theft, financial fraud, or further cyber attacks.
Businesses that interact with personal data have a responsibility to safeguard this information. Taking steps to protect this data starts with understanding the concepts behind data privacy and what it means for your business.
In this blog, you’ll learn:
- What data privacy is and why it’s important
- What your business needs to know about data privacy
- What you can do to safeguard data
What is data privacy?
In a nutshell, data privacy (sometimes called information privacy) is about how businesses and other organizations collect, store, manage, and share sensitive data. This data is often referred to as personally identifiable information (PII), and its use by third parties like your business is regulated and legislated, along with its misuse or unauthorized access.
Data privacy is closely related to consumer protection, giving individuals control over how organizations use and share PII. In fact, many of the laws and regulations governing data privacy emphasize the need for greater transparency and accountability; the GDPR, for example, explicitly outlines these principles.
There are several additional data privacy rights defined by the GDPR, which other regulations touch on:
- The right to be informed, which covers notification requirements for when personal data is collected.
- The right of access, concerning an individual’s right to confirm whether their data has been collected and their right to access this data.
- The right to rectification, or correction, of errors or issues in someone’s personal data.
- The right to erasure, also known as the right to be forgotten, wherein someone can request an organization erase or destroy personal data under certain specific conditions.
- The right to restrict processing which allows individuals to limit how organizations use their data.
- The right to data portability, where an individual can request their personal data in a structured, commonly used, machine-readable format. Individuals may also bring their data to another organization.
- The right to object to the collection of personal data.
What is personally identifiable information (PII)?
Personally identifiable information, or PII, is at the heart of data privacy concerns. PII comprises a wide variety of documents and information that, when used alone or in conjunction with other data, identifies an individual.
Sensitive PII includes, but is not limited to:
- A person’s full name
- A social insurance number
- A driver’s license
- Passport information
- Credit card details
- Banking records
- Medical records, such as protected health information (PHI) and individually identifiable health information (IIHI)
On the other side of the coin, non-sensitive PII may include:
- A person’s postal code or zip code
- Details about someone’s race and/or gender
- Date and place of birth
- Religious affiliation
- Aggregate data
- Device type
- Cookies served
Accessed in isolation, non-sensitive PII is largely harmless, and in fact may be released publicly once it has been anonymized. The risk to an individual comes when it is paired with sensitive PII, which would allow a criminal to identify an individual and further target them.
What does data privacy mean for your business?
Data privacy is an important aspect of any organization’s cyber security efforts and overall business strategy. Beyond the requirements imposed by laws and regulations, data privacy protections are simply a good business practice. Protecting customer and client PII is a major factor in building and maintaining trust.
Are you ready for tomorrow’s cyber threats?
Dive into the past, present, and future of cyber security with The State of Cyber Security eBook.
Your customers and clients expect that your business is already taking appropriate measures to safeguard the data they share with you. In 2020, Gartner recommended that businesses take proactive measures to build a comprehensive data privacy program to better build trust. As such, it’s much harder for an organization to rebuild trust and address reputation damage after a breach.
It’s not just about trust, though: failure to protect sensitive data means businesses face severe legal and regulatory penalties. Businesses that don’t meet GDPR requirements, for example, could face fines up to €10 million or as much as 2% of the annual worldwide turnover of the preceding financial year. That’s a lot of money for large enterprises—French authorities fined Google €150 million ($170 million USD) for issues with how the company manages cookies and for failing to provide users with a means of opting out.
That’s not the only legislation that governs data privacy. Other regulations and laws include:
- The Personal Information Protection and Electronic Documents Act (PIPEDA): a Canadian privacy law that outlines requirements for organizations to obtain consent to collect personal data.
- The Health Insurance Portability and Accountability Act (HIPAA): a United States federal statute that stipulates how PII in the healthcare sector should be protected from fraud and theft.
- The Payment Card Industry Data Security Standard (PCI DSS): an information security standard that is reflected in numerous international laws, and outlines standards and practices for securing payment card information.
Put simply, data privacy is a big topic with massive ramifications for any business.
Assessing your tolerance for risk
Businesses need to collect data to operate effectively. Retail companies, for example, collect and store credit card information, which brings them in scope of PCI DSS compliance. Similarly, sales teams for large enterprises must collect data on prospects.
But if either of these data sets are exposed or collected without proper consent, businesses are at risk of financial penalties, lawsuits, or additional regulatory action—all of which can cause massive damage to a company. Navigating data privacy best practices can feel overwhelming, especially for smaller organizations.
Organizations must assess their tolerance for their risks to find the right balance between collecting enough data to operate and the potential consequences of a data privacy breach. If you’re already thinking about data privacy and cyber security, you’re on the right track.
For example, if you’re focused on alignment with accepted cyber security standards—like the Canadian Centre for Cyber Security Baseline Controls, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the International Organization for Standardization’s (ISO) ISO/IEC 270001 standard—chances are you’re already doing plenty of work that indirectly enhances your data privacy protections.
5 steps to enhance data privacy right now
Not sure where to start when it comes to enhancing data privacy protections? Here are five steps your organization can take to build stronger data privacy policies and procedures:
1. Understand your threat surface
You can’t defend something if you don’t know what you’re defending. Building a better understanding of your threat surface—all the attackable points in your IT infrastructure a cyber criminal may access—will help you identify vulnerabilities and assess your overall risk. From there, you can start to make informed decisions about what solutions, policies, and practices will reduce your threat surface while enhancing your defence. By securing your IT assets and infrastructure, you’re also reducing the likelihood of a data breach.
2. Build a security-first culture
What do your employees think of security? Is it an afterthought, or a top-of-mind concern? Building security awareness into your company culture won’t happen overnight, and requires regular updates, ongoing security awareness training, and proactive diligence. By establishing that every employee and individual you work with has a responsibility to safeguard the data you handle, however, you can help foster that security-first mindset to make sure that staff will know what to do when they get a suspicious email or think they’ve been targeted by a hacker.
3. Adopt a zero-trust model
The zero-trust security model operates on the assumption that there is no perimeter in security. Put simply, even a user inside your network must prove that they are who they say they are—there are no trusted devices. Users and the network they interact with are constantly authenticating to ensure everything checks out.
4. Make better passwords
Strong, complex passwords will always be a major line of defence against an attacker, and should ideally include a unique combination of letters, numbers, and symbols (or a hard-to-guess passphrase). The problem is that making and remembering these unique and complex passwords is challenging. Using password managers automates the entire process—users only need to remember a single unique master password, and can easily create, store, and use highly complex phrases and pins for all other logins. This eliminates reused passwords, making it much harder for attackers to compromise an account and access sensitive data.
5. Use multi-factor authentication
On the topic of passwords and authentication, even a complex password can be guessed eventually, especially with the help of automated hacking tools. What’s more, social engineering techniques may still lead to a user accidentally sharing details with a malicious actor. That’s where multi-factor authentication (MFA) comes in. MFA requires users to provide some additional unique token alongside their password to access an account or service. Even with a compromised password, an attacker will still require these additional tokens to access confidential information.
Strengthening data privacy protections may seem overwhelming at first glance, but taking the time to put some of the practices outline above can help you build better defences that will help safeguard confidential information. The good news is that if you’re already working towards stronger cyber security, you’re on the right path with data privacy.
If you’re still not sure where to start, don’t worry—we’re here to help. Get a head start on data privacy practices with our Cyber Security Starter Kit.