This article was written by Informatica and originally appeared on the Informatica Blog here: https://www.informatica.com/blogs/what-is-data-privacy-plus-five-practical-tips.html
Data privacy and data security—are they the same? What about data governance? Are these simply different terms for different stakeholders? In this overview, let’s look at the ways we define data privacy on a business and personal level. Data privacy involves protection and transparency into data use, so one definition may be: Data privacy is a state of data protection focused on the proper handling and use of confidential data for managing risks related to inappropriate exposure.
This data could include personally identifiable information (PII), intellectual property (IP), or industry-specific subsets such as electronic protected health information (ePHI) patient records or financial data such as credit cardholder data.
Everyone may have a different standard on how data should be handled and used responsibly, and how much exposure creates too much risk of misuse. That’s usually where the friction lies—under what conditions should data be kept confidential and only shared with permission?
Data privacy definitions—your mileage may vary
Data privacy is not as clearly defined as its close neighbor, data security. The primary reason is that almost everyone has an opinion on privacy standards, with some even declaring, “Privacy is dead!” It is a loaded term, and trust can erode gradually, until one day a person wakes up surprised by identity theft and the privacy risk exposure is realized.
Unlike data security, where access to data is either controlled or not and can be validated, data privacy considers the nuances of how data is handled (even when it is secured!): a level of exposure that one person finds unacceptable for trusted use may be perfectly acceptable to another.
Data privacy, within the bigger picture of data governance, tends to focus on various levels of risk exposure that need to be considered in light of enterprise policies and user rights. Almost anyone can agree that having a risk exploited is a bad thing. But calculated risk from data use comes with trade-offs in data utility, and that is where privacy standards can be debated, based on personal views.
Consider a few questions and where you fall on the spectrum of acceptable data privacy risks:
- Are you willing to compromise some degree of data confidentiality by engaging in personal discussions on social media that anyone can publicly and freely read?
- Could you be incentivized to reveal your preferred brands and track your buying behavior with an online vendor in order to receive product discounts?
- Have you answered online surveys, but skipped questions about your age, zip code, income, preferences, etc. as too sensitive to reveal—why is that?
There is no absolute right or wrong answer. However, in response to the rise of data abuses and security breaches, governments, states and industry governing bodies are increasingly setting baseline standards that we all can (hopefully!) agree on, to offer a minimal level of trust assurance in how we share our data and which risks are not acceptable.
Data privacy: Enter the gray zone
Over 90% of adults say that controlling what information is collected about them is important (Pew) and yet 81% of U.S. adults, for example, felt their social media privacy wasn’t secure (Pew). Clearly, there is room for improving our rights to privacy.
How did you answer the first question above, about social media, and do you agree with the 90% who want to be in control? Do you feel that social media, online commerce and the various digital vendors with whom you spend time and money should not have your trust? You’re not alone!
This is the gray area of defining privacy, since there is a subset of people who don’t believe it’s important to govern personal information, and perhaps blindly trust social media or their online shopping, banks, or others. But for the rest, a bar exists that needs to be met, and met consistently. Let’s explore some of the confusion to build a better understanding:
Data privacy vs. data security – are they the same?
As highlighted earlier, it’s worth differentiating these two aspects of data protection to provide more context. And if you’d like a deeper dive, you can read further about the differences between data security and data privacy to test your understanding. Briefly, however, data privacy is a measure of risk exposure when using protected data, whereas data security is more closely associated with controlling data access.
In a scenario where personal data misuse occurs, you can begin asking the questions: Should the person or system have been granted access (was it secured)? If so, how was it exposed?
We generally agree that access to personal information should have limits—a store cashier swipes a credit card (one-time access), but is not entitled to capture card details and reuse that card data without consent. While the data may be secure, it’s the specific unauthorized use that violates privacy expectations.
Data privacy and risk exposure
Data privacy arguably has more in common with managing risk exposure than with controlling access. In the realm of data governance, organizations are constantly trying to derive value from data while minimizing privacy risks.
The catch phrase “data is the new oil” highlights that data has value and opportunity for monetization, but it also carries liability due to the risk of improper use. Common consequences of personal data abuse are identity theft and multimillion-dollar regulatory fines. Therefore, data governance intends to apply controls that ensure responsible use in support of an organization’s policies, while also honoring the consumer rights to data protection that laws mandate.
The Cambridge Analytica scandal provides a good reference and reminder. While the UK’s ICO determined that Facebook did not protect personal data to keep it secured (i.e., access was provided to Cambridge Analytica), it was the exposure that violated consumer privacy expectations, as data was used to influence a political campaign without the consent of Facebook’s users. Whether an entity should have access is a security concern; whether the use was appropriate points to a failure of trust assurance over privacy.
Whether the risk exposure was acceptable to each Facebook user is debatable; however, since consent was not granted, the regulatory presumption is “No!”
Data privacy and legislative standards
So, if it comes down to simply what level of risk exposure is acceptable, how do we agree on common standards and what rights are we granted to ensure data is sufficiently protected?
Governments, states, industries, and other governing bodies are increasingly asking the same question as volumes of personal data grow and are exposed in online commerce and media, and as ever larger security breaches grab the headlines. At one point, privacy laws were somewhat weak, simply requiring disclosure of data breaches after the fact, too late. But today, laws are proactive and follow two major themes: 1) individuals must have their data protected, and 2) they must have rights to transparency into how their data is used. Where these are not met, consumers have the right to revoke access and use that is not aligned with their personal privacy standards.
The EU’s General Data Protection Regulation (GDPR) was a significant milestone that many organizations are still marching towards today, as the GDPR offers new consumer rights to control how their personal data is used. In addition to requiring protection, the GDPR offered the “right to be forgotten” to end a relationship and use of personal data entirely, if that right was requested. A data subject access request (DSAR) legally enforces a 30-day response deadline for an organization to provide transparency into personal data use, so a consumer can decide if the relationship is worth potential privacy exposure risks. The GDPR, like the CCPA and other newer laws, offers consumers the ability to take control of their data and creates mandates for businesses to handle data more responsibly.
Five ways to get ahead in data privacy and take control
So, what can we do to get a better handle on data privacy risks, lower exposure to inappropriate uses, or worse, theft—and ensure data stays trusted and protected according to our individual standards?
Since the friction point of today’s newer data privacy legislation tends to be the trust relationship between businesses and consumers in handling data responsibly, let’s look at best practices from each perspective.
Five ways businesses can take control of data privacy
Businesses, governments, and other data stewards trusted by consumers and citizens need to ensure they avoid abuses that can harm their reputation and cost them brand loyalty:
- Discover and classify sensitive and personal data
Organizations capture exponential volumes of data. Not all of it is useful; some of it is a liability that offers no real value but invites legal scrutiny. Any privacy journey begins with knowing the data you have by discovering and classifying it. This can help refine policies once you know which data is subject to privacy laws, including consumer rights. Today data discovery can be fast, automated, and efficient with tools that apply AI and ML to accelerate performance. Every organization should use these tools regularly as their environment evolves, to stay ahead of increasing data volumes and change.
- Assess risk for how sensitive data is used
As we’ve detailed, privacy is a function of risk exposure, so it’s critical to put a dollar amount or similar value measure behind personal and sensitive data types and their volume (exposure impact). By assessing risk, you can begin to determine whether the next incremental ask to use sensitive data in your organization for a new business application outweighs the downside. Evaluating data use along a risk-reward spectrum can help indicate whether privacy risks are legitimate or go beyond an organization’s reasonable policies. Like data discovery, there are automated tools that help simplify risk assessment and quantify exposure.
- Disposition sensitive data to protect and lower risks
Data privacy governance is a function within governance, risk and compliance programs that focuses on managing privacy risk exposure. Discovering data and evaluating risks is important, but it won’t matter if no remediation is taken to lower risk exposure. The ability to implement controls is fundamental to privacy governance, with tools that orchestrate protection such as data anonymization, minimization and deletion; alerting and reporting; and scripting and other actions that make data safe to handle and use.
- Review data privacy controls in place
Like security controls intended to manage data access, privacy controls should help actively enforce appropriate uses of sensitive and personal data. Organizations must work on constantly raising the bar for safe data handling and avoid losing consumer trust. Identifying blind spots in data protection, re-evaluating risks as new data-hungry applications are deployed, monitoring access and use behavior, and adjusting controls based on changes in policies and privacy laws all need routine review. And controls may be subject to formal audit if a privacy violation occurs, so it is better to get ahead of the problem than to be unexpectedly blindsided later.
- Develop a scalable, flexible long-term approach
Privacy laws and legal definitions are constantly evolving. It’s too much of a challenge to reinvent a data privacy solution each time legislation changes, as change is constant. A reliable data privacy governance framework can maintain a repeatable, scalable approach to managing data privacy risks with each new law or policy update. You should not have to deviate too far from a trustworthy routine to maintain business continuity.
Technology vendors that offer a single platform to discover data, manage risks and remediate exposure can help accelerate time to value and minimize gaps in controls.
Five ways consumers can take control of data privacy
Consumers need to be aware of their rights to data privacy, too, and evaluate the businesses they trust to handle their personal data on their behalf. Here are five best practices to consider:
- Know your definition of privacy
While we all expect data to be secure when we share it, it’s still possible that your “secured” data is used irresponsibly. It’s important to have a standard in mind for how you treat your personal data and how you expect it to be used by others with your permission. If organizations with whom you do business cannot be trusted, you can decide where to take your digital presence. Look for alternatives that offer trust contracts and guarantees of your rights, so that their assurances satisfy your data privacy standards.
- Determine what personal data is valuable
Privacy is a matter of degree—while you may not mind sharing your name, in most cases you wouldn’t give it to anyone on the street who asks, either. It’s worth considering other types of personal data and whether it should be shared, and under what conditions—your family, financial, home, personal contacts, education, and more. How valuable are these attributes of your identity and what is the downside of sharing them? If your data is valuable to you, it can be equally valuable to cyber thieves, marketing teams or state bad actors. By assessing its worth, you can better weigh the “what if…” of whether it is appropriate to share, and under what conditions the trade-off for data utility is acceptable.
- Review your locations and sources where you share data
Data privacy requires tracking not only what data you have, but how it’s shared, with whom or what, and where. The concept of data lineage or proliferation is important for businesses to understand risk—and it should be considered on a personal level, too. Do you know what data your banks have on you? What about social media and your online commerce sites? How comfortable are you with what’s been shared? Today’s regulatory mandates help you take control by opting out of relationships with untrusted vendors and limiting consent to tracking, such as via web browser cookies. But it’s also important to do a self-assessment and determine whether your current level of data proliferation is aligned with your standards by evaluating how you share your data today.
- Lower your risk exposure
Today’s consumers need to take advantage of the personal rights granted by newer data privacy laws, such as the GDPR, CCPA and others. Modern legislation requires not only data protection, but transparency into personal data use, with revocation rights. Consumers may submit a data subject access request (DSAR or DSR) and gain insight into how an organization handles their data. If they are not comfortable, they can revoke access to their data and have it deleted. While it’s important that organizations comply with these laws, there’s no replacement for taking personal initiative to minimize the amount and type of data use that does not meet your individual privacy standards. And of course, follow sound security practices too, such as using a password manager to control access.
- Review your status regularly
Over 20 years ago, “data privacy” was often limited to a few data points connected to personal or financial attributes, such as a social security number, credit card account info, birth date, and so on. Today, however, with the explosion of online commerce and social media, the range of digitized personal and sensitive data has grown enormously. Consider IoT smart devices, your geolocation, your vehicles, the place you met your spouse (used for password resets), and other personal identifiers. All these devices and data points build a picture of your identity, track your buying behavior, and possibly influence you and others in ways you did not intend.
Although you may find your privacy definition acceptable today, consider how your attitude may change as more of your identity is captured online, or your family and friends share in your data. Once the genie is out, it can no longer go back in the bottle!
SulAmérica case study: A data privacy challenge and business modernization opportunity
While achieving data protection and transparency may seem daunting, there is an upside in discovering and managing data for business growth opportunities by ensuring it’s safe to handle. This is the case for SulAmérica—Brazil’s largest independent insurance company.
SulAmérica is a great example where enforcing data privacy controls has a return on investment by promoting the trusted and confident use of high-value data sets. Here’s their story:
SulAmérica needed to optimize system performance and trust when integrating data across insurance functions and departments. However, integration could lead to delays in patient authorizations for medical coverage, and impact wellness programs and value-based care.
To gain new insights, the Brazilian insurer brought together information from all over the company to enhance and accelerate decision making. To drive digital transformation and agile development, SulAmérica enabled its software developers to work directly with production data.
But to safeguard customers’ personal information and comply with Lei Geral de Proteção de Dados (LGPD), Brazil’s general data protection law, the data had to be masked to de-identify personal attributes.
“Our relationship with Informatica is so important because it’s helping us move to the next maturity level, addressing goals that are existential to our business in terms of how the Brazilian insurance industry is evolving,” says José Magalhães, SulAmérica. “Informatica is supporting the acceleration of our digital transformation, mitigating risks, and enabling a more efficient operation in today’s insurance environment.”
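To make the discover, assess and disposition steps from the business list above, and the production-data masking in the SulAmérica story, concrete, here is an added Python example; it is not Informatica’s or SulAmérica’s code. The records (fictional people, published test card numbers), the regex classifiers, the exposure weights and the HMAC key are all constructed for illustration; a real program would take these from the organization’s data inventory and policy.

```python
import hashlib
import hmac
import re
# Constructed sample records (fictional people, published test card numbers),
# standing in for the production table a developer asks to work with.
RECORDS = [
    {"id": 1, "name": "Ana Souza", "email": "ana@example.com",
     "card": "4111 1111 1111 1111", "notes": "call back about claim"},
    {"id": 2, "name": "Bruno Lima", "email": "bruno@example.com",
     "card": "5500 0000 0000 0004",
     "notes": "policy 1234 5678 9012 3456, contact bruno@example.com"},
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
WEIGHTS = {"email": 2, "card": 5}  # assumed exposure weight per class, per record

def is_card(text: str) -> bool:
    """Luhn checksum over the digits, so a policy number is not mistaken for a card."""
    digits = re.sub(r"\D", "", text)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return len(digits) >= 13 and total % 10 == 0

def classify(value: str) -> set:
    """Sensitive-data classes found in one value; free text is scanned too."""
    classes = set()
    if EMAIL_RE.search(value):
        classes.add("email")
    if any(is_card(m.group()) for m in CARD_RE.finditer(value)):
        classes.add("card")
    return classes

def discover(records) -> dict:
    """Step 1 (discover and classify): which fields carry which classes."""
    inventory = {}
    for rec in records:
        for field, value in rec.items():
            for cls in classify(str(value)):
                inventory.setdefault(field, set()).add(cls)
    return inventory

def exposure_score(inventory: dict, n_records: int) -> int:
    """Step 2 (assess risk): crude exposure measure, weighted by class and volume."""
    return sum(WEIGHTS[c] for classes in inventory.values() for c in classes) * n_records

def remediate(records, key: bytes) -> list:
    """Step 3 (disposition): keep last four digits of real cards; tokenize e-mails."""
    def mask_card(m):
        return ("****" + re.sub(r"\D", "", m.group())[-4:]) if is_card(m.group()) else m.group()
    def token(m):  # keyed HMAC: same e-mail -> same token, so joins still work
        return hmac.new(key, m.group().lower().encode(), hashlib.sha256).hexdigest()[:16]
    return [{f: EMAIL_RE.sub(token, CARD_RE.sub(mask_card, v)) if isinstance(v, str) else v
             for f, v in rec.items()} for rec in records]
```

Note that the free-text `notes` field is flagged because it contains an e-mail address, while the policy number in it fails the Luhn check and is left alone; the masked copy is what a developer would receive instead of the raw table.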
Data privacy increases trust with greater data intelligence
While many organizations perceive data privacy compliance as a cost of doing business to protect data trust, more progressive organizations are enabling privacy to help drive their digital transformation agendas.
Data intelligence is critical to accelerating business value creation. And the intelligence gained from data discovery and risk assessment can be used to democratize safe data use – such as in self-service analytics and loyalty programs. But the challenge is navigating the fine line between trust and safe use, as more sensitive data is captured, accessed, and used to offer new products and services with the potential for abuse.