Data privacy needs to be a big, swollen, red blip on your organization’s data governance radar. “But we encrypt everything, so we’re good.” “Privacy? Sure, we keep all our data confidential.” “Our IT department is outstanding, our policies are top-notch, and we know all about preventing data breaches.” If statements similar to these are how your company defines its data privacy practices, then: 1. You’re exposed to liability; 2. Your executives have a substantial gap in their understanding of data privacy; 3. You’re probably going to lose A LOT of current and potential clients or customers very soon; and 4. You’re not alone.
It’s common for organizations that collect or handle people’s personal information to believe they’re complying with data privacy requirements by having a robust data security program. That’s simply not the whole truth. It is true that security and privacy are linked, and along those lines, I’ll state what has been stated so many times before: you can have security without privacy, but you can’t have privacy without security. Said differently, maintaining the confidentiality, integrity, and availability of data is an indispensable aspect of data privacy. So while security and privacy are different concepts, they must co-exist. But here’s the main difference: data security focuses on the data while data privacy focuses on the individual.
To provide some context, let’s define data privacy. Many definitions are swirling around out there, and most are inadequate, so I’ve crafted my own: data privacy is the transparent handling of individuals’ personal data in accordance with the individual’s choice and consent and in a manner that prevents unauthorized disclosures while allowing permitted uses. This is actually a loaded definition, and it’s useful to unpack its several elements, which include:
- transparent handling
- individual’s personal data
- according to individual’s choice and
- individual’s consent
- that prevents unauthorized disclosures while
- allowing permitted uses.
Keep these elements in mind while I talk about key privacy concepts, and then we’ll see how everything relates. You can’t understand privacy without understanding three fundamental privacy rights – notice, choice, and access.
Notice is how an organization that collects individuals’ personal information tells those individuals how their information will be collected, used, disclosed, retained, shared, or otherwise handled. Companies commonly provide notice through their privacy policies and/or privacy notices.
Choice relates to the individual’s control over how their data will be used. Companies need to disclose how data will be used in their notice, and also provide the individual a choice to agree or disagree with that use. You know the “Yes! Send me Promotional Materials!” box you’re prompted to check when using online services? This is an example of choice because it gives the individual the power to affirmatively agree to receiving that particular company’s emails.
Access refers to an individual’s right to access their information held by an organization, and be able to change it, review it for accuracy, and interact with it in a meaningful way. The concept of access also allows individuals to lodge complaints against an organization for mishandling of that person’s data.
Given these fundamental privacy rights, we can better understand the above definition. The first element of transparent handling supports the notice requirements – make sure you’re honest and forthright with the people whose information you collect so they can really understand what you’re doing with it. Second (personal data) is more of a threshold concern, because if the information gathered and/or used is not “personal,” then data privacy obligations probably don’t fall on the collecting organization. The third and fourth elements, choice and consent, should be obvious. And the final two elements plug into the broader categories of data security and industry-specific laws (data security capabilities, like encryption and access controls, can help keep malicious users away from personal information, and if an organization is subject to HIPAA, for example, there must be ways to disclose information through the legally mandated channels).
To sum it up, data security governs the technical and physical requirements that keep data secure and confidential. These data security capabilities play a substantial role in keeping personal information out of the hands of a malicious or unauthorized entity. But data privacy is much more than just maintaining data confidentiality, integrity, and availability. Data privacy governs the rights of the individual whose data you’ve collected, and requires the organization to provide individuals notice about its privacy practices, allow individuals to choose how their data will be used and shared, and provide the individual access to his or her own data.
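As an added illustration (my own code, not from the original post), here is a small Python model of how the choice and access elements can be enforced in software rather than left to policy alone: a consent ledger records which purposes each individual has affirmatively opted into, every use of personal data is gated on that record (default deny, so an unchecked box means “no”), each decision is logged, and the individual can review, correct, and withdraw. The names (ConsentLedger, use_personal_data, subject_access, rectify) and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


class ConsentError(PermissionError):
    """Raised when a requested use has no affirmative opt-in on record."""


@dataclass
class ConsentLedger:
    """Per-individual record of purposes they have opted into (assumed design)."""
    grants: dict = field(default_factory=dict)  # subject_id -> set of purposes
    audit: list = field(default_factory=list)   # (timestamp, subject_id, purpose, outcome)

    def log(self, subject_id, purpose, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, subject_id, purpose, outcome))

    def grant(self, subject_id, purpose):
        # Choice: consent exists only when the individual affirmatively opts in.
        self.grants.setdefault(subject_id, set()).add(purpose)
        self.log(subject_id, purpose, "granted")

    def revoke(self, subject_id, purpose):
        # Withdrawal is as easy as opting in; the next use is refused.
        self.grants.get(subject_id, set()).discard(purpose)
        self.log(subject_id, purpose, "revoked")

    def is_permitted(self, subject_id, purpose):
        # Default deny: an absent record is a "no", not an implied "yes".
        return purpose in self.grants.get(subject_id, set())

    def purposes_for(self, subject_id):
        return sorted(self.grants.get(subject_id, set()))


# Constructed sample data: personal records the organization holds.
RECORDS = {
    "subject-1": {"email": "alex@example.test", "city": "Boston"},
}


def use_personal_data(ledger, subject_id, purpose):
    """Gate every use on recorded consent; refuse and log otherwise."""
    if not ledger.is_permitted(subject_id, purpose):
        ledger.log(subject_id, purpose, "denied")
        raise ConsentError(f"{subject_id} has not consented to {purpose}")
    ledger.log(subject_id, purpose, "used")
    return dict(RECORDS[subject_id])  # copy, so callers cannot mutate the store


def subject_access(ledger, subject_id):
    """Access: the individual sees their data and the purposes they agreed to."""
    return {"data": dict(RECORDS[subject_id]),
            "consents": ledger.purposes_for(subject_id)}


def rectify(subject_id, field_name, new_value):
    """Access: the individual corrects an inaccurate field in their record."""
    if field_name not in RECORDS[subject_id]:
        raise KeyError(field_name)
    RECORDS[subject_id][field_name] = new_value
    return dict(RECORDS[subject_id])


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("subject-1", "promotional_email")       # the checked box
    print(use_personal_data(ledger, "subject-1", "promotional_email"))
    try:
        use_personal_data(ledger, "subject-1", "analytics")  # never opted in
    except ConsentError as exc:
        print("refused:", exc)
    ledger.revoke("subject-1", "promotional_email")
    print(subject_access(ledger, "subject-1"))
    for entry in ledger.audit:
        print(entry)
```

The point of the gate is that the purpose travels with the request: a marketing job cannot reuse data collected for order fulfilment without its own recorded opt-in, and the audit list gives the organization the evidence it needs when an individual lodges a complaint.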
To get a better sense of how privacy controls have been distilled into a workable framework, take a look at:
- U.S. Fair Information Practice Principles (FIPPs)
- NIST SP 800-53 rev. 4 Appendix J
- OECD Guidelines
- Safe Harbor Provisions
- APEC Principles
- Generally Accepted Privacy Principles (GAPP).
Stay tuned for more data privacy posts. Next time I’ll discuss international data transfers and the issues surrounding them. If you want to speak with a privacy pro right now, contact us!