Data privacy is part of the data protection area that focuses on compliance with data privacy regulations by dealing with the proper handling of privacy and the expectation of privacy by the public.
Data privacy encompasses three elements:
- Data privacy compliance with data protection laws.
- The right of an individual to be left alone and have control over their personal data.
- The procedures for proper handling, collecting, processing, and sharing of personal data.
With cyber-attacks being the biggest threats facing businesses across the world, the need for privacy and data is even more urgent. Research shows that hackers try to break into a computer every 39 seconds on average -- and this alarming rate continues to rise.
Industries where massive amounts of all types of data are stored, such as personal data, credit card information, and social security number, need to take steps to ensure that their client's data is protected.
Data protection laws have been put in place around the world to give back individuals control over their personal information, sensitive data, and empowering them to know how their data is being used, by whom as well as why.
If you want to get your company compliant with data privacy laws, try our data privacy training, We'll show you all the best practices for stored information, and keep your business following all the compliance laws as well as legal requirements for privacy and data security.
The Shift of Consumer Data Privacy Laws & Regulations In Recent Times
In this digital age, governments have the intent of protecting individual consumer privacy by cultivating stringent data protection laws and regulations. We are seeing tech giants such as Google and Apple and new players in the tech field alike currently taking proactive measures to address the emerging consumer data privacy law regulations coming from the State and Federal levels.
The rollout of data privacy laws such as the California Consumer Privacy Act( CCPA) in the United States and the General Data Protection Regulation (GDPR) in the European Union has affected personal data privacy laws, practices, and regulations across all industries.
Data privacy laws have been acting as oversight in the financial and health sectors for ages now. So, while the specific policies are not new, the additional pending regulations are new and when passed, they will cover more consumers in other parts of the world and across all of the United States.
Read more on the pros and cons of privacy laws here
The various types of data breaches
Countless companies have reported cases of data breaches and password leaks in recent years.
The increased rate of data breaches is mainly because most websites and companies track everything that people do online. The various websites, social networks, and online ads collect information about individual browsing habits, their location, personal data, and more (read up on the Facebook data privacy scandal here
Websites that people visit regularly often provide all the data that advertisers need to know what type of person you are. This is what makes targeted marketing such a nightmare.
There are various ways that breaches of personal data can happen. Here are the most common types of security and privacy breaches that internet users are most likely to encounter:
Hackers usually get access to your online accounts through installed malware from links and emails that people open. They usually send links that contain malicious software and viruses that get installed without the user’s knowledge.
The users are usually tricked into clicking on links and emails that seem genuine, and once they do, the malware gets into your information on your database. This gives hackers access to your credentials and a way to hack your account.
Denial of Service Attacks (DOS)
DOS attacks occur when third parties or hackers overload your networks and servers to interrupt your system services. They do this by sending huge amounts of data and numerous links that overload your system, making it stop functioning temporarily.
The user loses access to their system temporarily and the hackers use this moment to get into their systems and access their data.
Phishing scams are in the form of genuine-looking emails and links sent from networks that look like they could be from authentic and trustworthy brands or sources. The links and emails trick users into entering their account credentials. or other sensitive personal information, therefore giving full access to hackers. This breach of personal data can allow hackers to take out and collect loans. Workers can accidentally leak sensitive data, so that is why employees should be required to be trained in data privacy
Snooping or sniffing
Sniffing occurs when users send data over networks that are not always encrypted. There are usually individuals who constantly monitor and review these networks and the type of data sent over them. This makes it easy for hackers to trace the data packets to the sender accounts.
This data breach usually happens when the IP addresses that networks and computers use to authenticate and identify users are falsely assumed. If a hacker gains valid access from an IP address, they then have full access and authority as the owner of the IP address has.
Global Data Protection and Privacy legislation
The digital age has revolutionized the way that industries operate with the ease of access to data being both an asset and a threat. There has been a call for data privacy regulations around the world and now about 100 countries, spanning all 6 continents, have actively made legislative changes and enacted privacy policies that seek to protect data/consumer information.
Here are a few data privacy laws and acts from around the world to protect personal information:
General Data Protection Regulation (GDPR) - The European Union
As one of the biggest names in data privacy, GDPR
has set the strictest and far-reaching standards for handling user data by companies, governments, and businesses. This legislation governs EU law on data protection, privacy and security in the European Union and the European Economic Area (EEA).
GDPR requires all companies to protect the privacy of their customers. This includes keeping all Personally Identifiable Information (PII) safe. The Act contains a set of principles that organizations, governments, and businesses need to adhere to in order to keep their consumers safe from a data breach, secure and use it lawfully. These include:
- Data is kept safe and secure
- Data is not stored longer than necessary
- Data is used within the confines of the law
- The data is used in specific stated and relevant ways
Personal Data Protection Bill 2018- India
India’s first-ever data privacy law was created in 2017 after the supreme court determined that personal information and privacy is a fundamental human right. This legislation introduced mandatory data audits every year and set data protection and privacy standards.
California Consumer Privacy Act (CCPA) & Online Privacy Protection Act - USA
The CCPA demands that companies must inform the users of data processing and protect the user information, allowing the users to have a say in what data is collected and how it is used. New York also passed a set of data privacy laws
and regulations similar to the CCPA.
This legislation went into effect on January 1st, 2020 with accountability, transparency, and control as its 3 guiding principles.
The Children’s code- The EU
Also known as the Age Appropriate Design Code, the Children’s Code is a data protection code of practice for online services such as online games, apps, and social networks that are likely to be accessed by children. This is for the benefit of children's online privacy protection.
Protection of Personal Information Act (POPI/A)- South Africa
This Act went into effect in 2014 and sets the standards of accountability for data collection and requires that all South African organizations get customer consent to access and use their data for direct marketing outreach.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)- USA
addresses the disclosure and use of individual physical condition information ( known as Protected Health Information) by entities that are subject to the privacy rule.
This is a federal law that led to the creation of national standards to protect sensitive patient information from being disclosed to third parties without the patient’s consent. US data privacy laws and regulations are enforced at the federal level.
Lei Geral de Proteção de Dados Pessoais (LGPD)- Brazil
The LGPD is modeled after the European Union’s GDPR but it is less strict. The legislation addresses the data processing standards and the 10 bases on which the collected data can be processed.
The Privacy Act 1988- Australia
This Act has undergone numerous amendments since its inception in 1988. The law establishes Information Privacy Principles (IPPs) for all Australian citizens when their data is collected by health service providers, government agencies, and organizations that work with the government.
E privacy- EU
Usually referred to as the cookie law, the e privacy directive requires that websites gain user consent to launch non-essential cookies.
Data Privacy 101: How to protect your data
With compliance laws and regulations such as GDPR demanding more stringent data security controls and measures, individuals, and industries can help the process by employing the use of several personal data security solutions. The laws stress the importance of data privacy and security to consumers and providers of services. These will help improve their security and compliance posture. They include:
Anti-virus software detects malicious codes, heuristics, and signatures. They detect and remove rootkits, trojans, and other viruses that steal, damage, and modify sensitive data. Anti-virus software is the most used security tool for consumer and personal information data privacy use.
Firewalls exclude undesirable traffic from entering a network, acting as the first line of defense against malware. They isolate one network from another so that the user can only open certain ports at a time. Organizational firewall policies can be customized to disallow some or all traffic or perform a verification.
3. Backup and recovery
In the case that data is deleted or destroyed accidentally or purposely by hackers or malicious software, a backup and recovery system helps users restore their data quickly.
4. Access control
Access control involves the manipulation of data remotely. This means that users are not allowed to copy or store sensitive information and data locally, in a portable system. It allows for all systems to have a login of some kind with conditions set to lock the system in case of unusual or suspicious logins.
Most industries usually have systems in place that help to make sure that personal data is only accessible to authorized personnel. They have an Access Control List (ACL) which specifies the individuals that can get information and at what level. ACLs are typically based on a whitelist; a list of items that are allowed and a blacklist; a list of prohibited items.
5. Data encryption
Data privacy encryption ensures that a user’s data cannot be easily accessed even if it is stolen. Encrypted communication protocols ensure that sensitive and common data such as passwords and credit card numbers are secure.
For companies that use desktop systems to store proprietary and critical information, they should consider encrypting their hard drives to prevent the loss of such critical information.
Hard-ware-based privacy data encryption such as the Trusted Platform Module (TPM) when enabled can be used to help generate the hash key thereby protecting smartphones and PCs as well.
6. Security Information and Event Management (SIEM)
Generally used for data privacy security investigations, SIEM
provides real-time analysis of security logs recorded by servers, software applications, and network devices.
SIEM solutions also remove multiple reports on the same instance, acting based on trigger and alert criteria.
the importance of data privacy cannot be ignored. Before an individual can even think of protecting their privacy, they need to be aware and understand how their data is being used by a business or abused by the different organizations that collect their data. If an individual disagrees with how their data is being used, then they can take action, usually in the form of discontinued use of the services offered by the organization.
Striving for a decentralized society where the power lies with the consumer is ideal. This makes organizations realize that, if they continue to violate their user’s data privacy, they will not survive long in the industry