Data Privacy
What is Data Privacy?
Data privacy, sometimes also referred to as information privacy, is an area of data protection that concerns the proper handling of sensitive data, notably personal data[1] but also other confidential data such as certain financial data and intellectual property data, in order to meet regulatory requirements and to protect the confidentiality and immutability of the data.
Roughly speaking, data protection spans three broad categories, namely, traditional data protection (such as backup and restore copies), data security, and data privacy as shown in the Figure below. Ensuring the privacy of sensitive and personal data can be considered an outcome of best practice in data protection and security with the overall goal of achieving the continual availability and immutability of critical business data.
Security is an important element not only in protecting the data from external and internal threats but also in determining what digitally stored data can be shared and with whom. In a practical sense, data privacy deals with aspects of the control process around sharing data with third parties, how and where that data is stored, and the specific regulations that apply to those processes.
Almost all countries in the world have introduced some form of legislation concerning data privacy in response to the needs of a particular industry or section of the population.
Data Sovereignty
Data sovereignty refers to digital data that is subject to the laws of the country in which it is located.
The increasing adoption of cloud data services and a perceived lack of security has led many countries to introduce new legislation that requires data to be kept within the country in which the customer resides.
Current concerns surrounding data sovereignty are related to governments trying to prevent data from being stored outside the geographic boundaries of the originating country. Ensuring that data exists only in the host country can be complex and often relies on the detail provided in the Service Level Agreement with the Cloud Service Provider.
Data Privacy - Geographical variations in terms
In the European Union, privacy is recognised as an absolute fundamental right, and in some parts of the world privacy has often been regarded as an element of liberty, the right to be free from intrusions by the state. In most geographies, privacy is a legal concept and not a technology, and so it is the term data protection that deals with the technical framework of keeping the data secure and available.
Why is Data Privacy important?
The answer to this question comes down to business imperatives:
Data Privacy is not Data Security
Businesses are sometimes confused by the terms and mistakenly believe that keeping personal and sensitive data secure from hackers means that they are automatically compliant with data privacy regulations. This is not the case. Data security protects data from compromise by external attackers and malicious insiders, whereas data privacy governs how the data is collected, shared and used.
Differing legal definitions of Data Privacy
While there may be agreement on the importance of data privacy to a business, the legal definition can be extremely complex.
None of the most prevalent regulations (GDPR, CCPA, HIPAA, etc.) defines precisely what is meant by data privacy, and it is left to businesses to determine what they consider best practice in their own industry. The legislation often refers to what is considered ‘reasonable’, which may differ between laws, along with the respective fines.
In practice, this means that companies that work with sensitive and personal data should consider exceeding the legal parameters to ensure that their data practices are well above those outlined in the legislation.