Data Privacy: Must Know for Digital Manager

Data privacy is the citizen's right to have control over how personal information is collected and used. Data protection is a subset of privacy, because protecting user data and sensitive information is the first step to keeping user data private. Data breach is a major concern of data privacy. 'Data Breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A few instances of a data breach in day-to-day operations are:

- Sharing organization’s / client’s critical data with a wrong recipient

- Deleting an organization’s / client’s authentic data

- Unauthorized access to organization’s / client’s critical/personal data records

- Unauthorized storing of critical/personal data on local systems or personal storage location

Why is Data Privacy important for an organization?

An organization needs to ensure that the relevant Data Protection Authority monitors compliance: the cost of falling foul of the rules can be high. The cost of non-compliance includes a warning, a reprimand, suspension of data processing, and a fine of up to 20 million euros or 4% of global annual turnover.

Data Privacy is applicable to both Data Controller and Data Processor types of organizations:

- Data Controller - Collects, uses, stores, and disposes of personal information of the data subjects for business purposes

- Data Processors/ Sub Processors - Uses, stores, and disposes of personal information as agreed in the agreement or related Statement of Work

Privacy Law

Privacy is a sensitive subject. Multiple regulations and laws on data protection and privacy exist for individuals across the globe. A few of them are:

- PDPB – India’s Personal Data Protection Bill (PDPB) is currently in draft form and set to be tabled in Parliament. The PDPB looks set to be one of the strictest and most comprehensive data privacy laws in the world.

- GDPR – The General Data Protection Regulation is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

- The Privacy Act – The Privacy Act was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and some other organizations, handle personal information.

- PIPEDA – The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business.

- CCPA – There is no single principal data protection legislation in the United States. Rather, a jumble of hundreds of laws enacted on both the federal and state levels serves to protect the personal data of U.S. residents. The California Consumer Privacy Act (CCPA) is one such law.

Privacy Definition

To understand Data Privacy completely, we need to understand a few terms related to it:

- Data subject is the individual to whom the personal information belongs.

- Data controller determines the purposes and means of processing personal data.

- Data processor is responsible for processing personal data on behalf of a controller.

- Data sub-processor is responsible for processing personal data on behalf of a data processor and in agreement with Data Controller.

- Personally Identifiable Information (PII) is any data that could identify a specific individual directly, or indirectly.

- Sensitive Personal Information (SPI) - is any data that could potentially identify a specific individual’s racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sex life or sexual orientation, etc.

- Data processing is any operation/set of operations that are performed on PI, such as collecting; recording; organizing; storing; adapting or altering; retrieving; consulting; using; disclosing by transmission, dissemination, or otherwise making the data available; aligning or combining data, or blocking, erasing or destroying data that are not limited to automatic means.

- Privacy Incident means any activity performed in contravention to applicable privacy and data protection laws and regulations of the country

- Privacy Breach is when the information compromised reveals any type of Personal Information. It may occur due to unauthorized access, unauthorized disclosure, misuse, theft or loss, etc.

Core Privacy Principles

The GDPR sets out seven principles for the lawful processing of personal data. Below are the Privacy Principles extracted from GDPR:

- Lawfulness, fairness, and transparency: Lawfulness and fairness mean that at least one of the legitimate processing criteria (i.e. Contractual necessity, Legal obligation, Legitimate interest, or consent) to process Personal Information is met and fulfilled reasonably. Transparency means that it should be clear to the individual whose Personal Information is processed, for what purposes and to which extent.

- Purpose limitation: Personal Information must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.

- Data minimization: Personal Information that is processed must be adequate, relevant, and limited to what is necessary in relation to the purposes for which the data are processed.

- Storage limitation: Personal Information must be kept in a form that permits identification of the data subject for no longer than necessary for the purposes for which the data are processed.

- Accuracy: Personal Information must be accurate and kept up to date, thus, ensuring the data quality of the Personal Information the company has.

- Integrity and confidentiality: Personal Information must be processed in such a way that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, by using appropriate technical and organizational measures.

- Accountability: Company is responsible for compliance with the relevant Privacy/Data Protection regulations and can demonstrate how compliance is achieved.

Privacy in Information Lifecycle

As digital professionals, it is our responsibility to ensure Data Privacy across the Information Lifecycle. Below are a few measures that need to be taken to ensure Data Privacy:

- Collection: Give notice to the user at the point of data collection and provide an option to choose or take consent from individuals for it. Ensure secure transfer of personal information over the internet and collection of PI from reliable sources.

- Use: Please ensure the usage of data in compliance with regulations with limitations on use. Secondary uses of collected data should be avoided. Implement controls around user authentication, access control, and maintenance of audit trails.

- Disclosure: Anonymize and minimize data when disclosing outside the organization. Define limitations on disclosure and ensure robust Vendor Management Programs. Create Inventory and Transfer data through secure means.

- Retention: Retain personal data as per regulatory limitations and legal restrictions, ensure secure transfer to archiving, and secure storage of information. Be mindful of business continuity and data recovery considerations.

- Destruction: Ensure destruction of digital content, portable media, and hard copies. Ensure secure transfer and disposal of information and media following regulatory requirements. Destruction standards and periodicity need to be properly defined.

Privacy Techniques

4 major privacy techniques that an organization can use to ensure a robust privacy landscape are:

- Authentication techniques - Implement a strong username and password policy and single/multi-factor authentication. Use biometrics and portable media supporting authentication.

- Identifiability - Use labels that point to individuals. Pseudonymize and anonymize the PII of the data subjects and define the degrees of identifiability of the PII.

- Privacy by Design (PbD) - PbD framework is based on its 7 foundational principles:

  - Proactive, not Reactive

  - Preventive, not Remedial

  - Privacy by Design and Default Setting

  - Full Functionality – Positive Sum not Zero-Sum

  - End to End Security – Full Lifecycle Protection

  - Visibility and Transparency – Keep it Open

  - Respect for User Privacy – Keep it User-Centric

- Privacy by ReDesign (PbRD) - Privacy by Redesign is an extension to the principles of PbD. The process introduces three R’s: Rethink, Redesign and Revive.

Data Subject Rights

- Right to be Informed - Provide data subjects with information about the processing of their PI, including the purposes for processing their data, retention periods for that personal data, and who it will be shared with.

- Right to Access - Data Subject has the right to access their data. It helps individuals to understand how and why the controller/processor is using their data, and check if this is being done lawfully.

- Right to Rectification - The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete. This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).

- Right to Erasure - Data subjects have the right to have their data erased. The right to erasure is also known as "the right to be forgotten".

- Right to Restriction of Processing - Individuals have the right to request the restriction or suppression of their data. This right has close links to the Right to Rectification (Article 16) and the Right to Object (Article 21).

- Right to Data Portability - Data subjects have the right to obtain and reuse their personal data for their purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another.

- Right to Object - The GDPR gives individuals the right to object to the processing of their personal data. Individuals have an absolute right to stop their data from being used for direct marketing.

- Right regarding Automated Decision Making - Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling.

Data Classification/Labelling

To ensure Data Privacy, each data object should be labeled with a classification such as:

- Confidential: Information that is highly sensitive and is available only to specific named individuals or positions and/or would seriously jeopardize business interests if divulged to unauthorized persons.

- Restricted: Information that is sensitive for the individual, within the Company or for the business, is available only to a specific individual, function, group, or role and/or would negatively impact the business if revealed to unauthorized persons.

- Internal: Information that is not for public consumption but can be shared with staff members and third parties on a “Need to Know Basis”

- Public: Information that can be freely shared with the public, including third parties and staff members

Ensure Data Privacy (Do’s and Don’ts)

Below are a few steps that need to be followed to ensure data privacy:

- Ensure that personal data is not shared outside the client environment

- Follow necessary safeguards while handling personal data

- Follow incident management guideline to report any data breach incident

- Do not store/print the client data locally unless permitted

- Do not Share PII of suppliers, clients, employees, or any 3rd party on social media

- Do not collect or access client’s data when it is not required

- Privacy considerations in Systems/ Applications

- Formalize the organization’s Privacy Policy and Privacy Notice

- Formalize organization Security Policies, such as data classification, retention, and deletion

- Create strong Incident response mechanisms

- Privacy and Security Considerations in the SDLC process

- Create Data Flows to highlight the flow of data within the organization (DFD)

- Conduct Privacy Impact Assessments (PIAs)

- Maintain Data Inventory (RoPA)

Tools

There are various tools available to help implement Data Privacy in the organization:

- IBM StoredIQ

- Azure Information Protection

Data Privacy is a part of the data protection area that deals with the proper handling of data, including how data should be collected, stored, and shared. Data privacy ensures customer data is used only for its intended purpose. It is an organization’s responsibility to ensure the Data Privacy of users.
