Risk Management Dashboard

What is data privacy?

Data privacy is a form of data security concerned with ensuring that data is only being used by authorized persons and for its intended purpose.

Things to know about data privacy

Our ability to create, collect, share, and analyze data is growing exponentially. In fact, it’s suggested that humanity produces as much as 2.5 quintillion bytes of data, every day. And, every minute of every day, massive amounts of that data are being collected by organizations, who mine it for insights into trends, opportunities, and glimpses into how their customers think.

Unfortunately, data collection is often a ‘cast a wide net’ approach, illegally capturing private, sensitive user information along with the more-public data, creating problems for consumers and companies alike. At the same time, even personal data that is shared willingly by customers may create major problems if it is not secured against unauthorized access. As such, the issue of data privacy is a relevant concern across all markets and industries.

Coworkers looking at data

The pressing need for comprehensive cyber risk management

Download this eBook to learn more about the growing need to assess and mitigate cybersecurity risks associated with IT environments in organizations.

Thanks to improvements in the scope and effectiveness of data digitization, it’s a simple matter for organizations of all kinds to build personal profiles based on individuals’ captured data. And this goes beyond basic information such as name, age, and address; today, nearly all forms of personal information exist digitally—from the seemingly innocuous (such as interests and hobbies, buying preferences, relationships, etc.) to the extremely private (such as social security numbers, credit information, health data, location, and movements, etc.).

In many cases, the information we share online, either knowingly or otherwise, is used by machines to make them smarter; the puppy photo we post on social media helps teach semi-intelligent algorithms to recognize a puppy when they see one. The searches we perform online teach machines how to better understand and replicate human language.

However, regardless of how the data is being used, the fact that it exists and is available to unknown users is becoming a major cause for alarm. Customers (not to mention legislators) around the world are beginning to demand that companies give the original data owners final say in how their data is collected and used.

As such, those organizations that establish and follow healthy data privacy policies are more able to establish trust with their customers. At the same time, they eliminate the legal risks associated with violating new and upcoming data privacy laws, standards, and regulations. Facebook’s recent fine of $5 billion from the FTC is an example of just how steep the penalties for violating these laws can be.

Facebook’s $5 billion penalty is the largest ever imposed on any company for consumer-privacy violations, but it will certainly not be the last of its kind. Government watchdogs in the United States, the European Union, South America, and throughout the rest of the world are taking a firm stand against unauthorized data collection and use. Organizations that fail to update their data privacy policies run the risk of losing more than just the trust of their customers.

On the other hand, there are several benefits that may be enjoyed by companies that actively modernize their data protection playbooks, incorporating real-time, integrated, and automated technology to ensure that data is being used ethically, legally, and without violating the rights of data owners.

These advantages include the following:

Protection from fines and other penalties

As previously addressed, one of the most relevant business benefits of data privacy is avoiding penalties and fines. The punishment for failing to respect privacy laws is becoming increasingly steep, and that’s to say nothing of reparations to affected customers if their sensitive data is illegally made public.

More than that, government groups are taking their mandate to protect user data seriously, enacting new legislation and increasing their policing activities to ensure that companies are not putting customer data at risk. Organizations that create and follow adequate data privacy policies don’t need to worry about facing criminal charges.

Improved customer and stakeholder trust

The consumer-company relationship is one that goes well beyond purchase transactions; when a customer chooses to do business with an organization, they are trusting that organization to respect and secure any personal data that may be exchanged in the process. And when that trust is betrayed, it’s a difficult thing to earn back.

Privacy breaches cause serious reputational and brand damage. Today’s customers have so many options, and in many cases, a single error in terms of data security is enough to send them into the arms of competitors. Conversely, businesses that clearly demonstrate their commitment to data privacy, give their customers unrestricted control over how their data is collected and used, and act transparently in their data practices see increased customer loyalty. This means improved brand value and expanded customer lifetime value.

Better business processes (data management)

Data privacy management forces organizations to take a more-detailed look at their data and how it interacts throughout the business. Beginning with a detailed audit (and followed up on with regular ongoing audits) to determine how data is being collected and used, companies can easily identify and resolve data-management inefficiencies. This creates a more data-focused culture and helps streamline business processes, benefiting every department at every level.

Privacy initiatives may also encourage businesses to consolidate their data platforms, bringing all relevant data and data-management tools into a single, centralized location. This cuts down on the dangers associated with data siloing, and allows for better data analysis, increased data integrity, and more insightful business decisions.

To better serve customers, avoid reputational damage, and remain in compliance with new and established legislation, many software developers are now embracing privacy by design (PbD).

PbD is a new, more-deliberate approach to data privacy. PbD encourages system engineers to incorporate privacy checks and solutions into all products, services, infrastructures, and business practices. These considerations should be integrated from the earliest stages of development and remain a continued focus throughout production and into rollout and post-rollout support.

PbD ensures that data privacy remains top of mind through the entire lifecycle of development, rather than being included as an afterthought directly prior to launch.

Unfortunately, effective data privacy is not as simple as making the decision to handle customer data responsibly. Modern businesses face a range of hurdles that must be overcome or avoided to achieve successful data privacy management:

Data ethics

Advances in artificial intelligence (AI) are allowing organizations to more easily and accurately analyze large amounts of user data. But with these new capabilities come certain ethical issues that must be addressed. How far should data analysis be allowed to go? AI has the power to extract extremely personal, valuable, and sensitive information based on otherwise-innocuous data. Businesses must be fully aware of the ramifications of collecting this kind of data before they employ such tactics.

Insider threats

A major portion of the responsibility of data privacy falls to the employees who work with it. Poorly trained employees can easily misplace, expose, or misuse data, putting customers at risk and opening companies to possible reprisal. Likewise, untrustworthy employees may actively attempt to steal sensitive data. All employees should be fully vetted before they are given access to any customer information, and all employees should be trained in relevant data privacy policies and standards.

Ineffective data disposal

Many businesses focus on collecting and analyzing data, but completely fail to follow through on their responsibility to that data once the business relationship ends. Personal data should only be kept in accordance with established standards, and only for as long as the customer (or employee) is associated with the business. Keeping personal data longer than necessary can result in fines and penalties while making potential data breaches more damaging.

Web-application vulnerabilities

Web- and cloud-hosted software can create an unsecured data access point into an unsuspecting organization. Data security demands that every new application be fully inspected and approved as secure before it may be deployed for use within the organization.

Ineffective response planning

Data protection is essential, but if a data threat finds a way past security controls, or an emergent event threatens data integrity, businesses need an effective incident response plan. Creating, sharing, improving, and training so that the plan can be deployed at the first sign of a data breach will help limit the potential damage represented by such a threat.

Unnecessary data collection

New laws mandate that customers must provide explicit permission for organizations to use their data, with emphasis on the freedom to choose what kind of data is shared. Businesses that fail to limit their data collection practices beyond what is strictly necessary for the transaction are in danger of facing legal issues.

Unclear privacy terms and conditions

Gone are the days when unscrupulous organizations could hide their true intent behind legalese and complicated policy agreements. Now, data privacy terms and conditions must be presented in a way that every customer or other stakeholder can easily understand. If the user can demonstrate that it was unclear what they were agreeing to, it’s the business that stands at fault.

Session-expiration issues

When customers abandon online forms containing personal information, it can open the
possibility of other users gaining access to that data. Session-expiration safety features are
designed to cut access to sensitive forms and other information if the user has not taken a
specific action on the site within an allotted time. Including these safeguards on all
applications and computer systems can further secure data from exposure.

Unsecure data-transfer channels

We tend to think of digital data as traveling directly from point A to point B. But while it’s in
transit, that data may make an unexpected layover, potentially exposing sensitive information
to unauthorized users. Unsecured channels are a major issue in data privacy; businesses
should only use secure channels (such as SFTP or TLS).

It’s clear that in today’s business landscape data privacy is a major issue. But how can
organizations overcome the challenges and create a culture of data privacy? Here, we outline
several best practices to help businesses get started:

Look at data privacy holistically

Data privacy is an issue and responsibility that affects the entire business; it shouldn’t be confined to the IT department. Take a holistic approach and involve every aspect of the organization in establishing and following data privacy policies.

Map the data

Effective data privacy management depends on organizations having a clear idea of where the data is, what it includes, who has access to it, and how up to date it is. Mapping the data creates a detailed picture of a business’ current data situation.

Match practices to promises

Having viable policies, terms, and conditions in place is only half of the battle. A business that fails to follow through on these policies, leaving promises unfulfilled and obligations unmet opens the organization to legal liability and customer disillusionment.

Regularly update data-collection policies

Data collection is not a static process; the kind of data that organizations find relevant and useful may change from quarter to quarter, or even more often. That said, if those organizations decide to make updates to their data-collection-and-usage practices, they likewise must update their policies to reflect those changes.

Evaluate vendors

No business is an island; third-party vendors and contractors might need to access sensitive customer data, so it’s vital that organizations fully vet these partners to ensure that they have reliable security practices in place. Otherwise, third-party entities become weaknesses through which data leaks may occur.

Every year, governments are taking a stronger stand against data privacy violations. Here is a list of several recent legislations aimed at strengthening data privacy in different areas around the globe:

GDPR (General Data Protection Regulation)

European Union: Secures increased control for EU citizens over their personal data, simplifies and establishes data regulations for businesses, and addresses the collection and transfer of personal data outside the EU and EEA areas.

CCPA (California Consumer Privacy Act)

California: Enhances data privacy rights and consumer protection for California citizens, regulating how businesses may handle and use personal data.

CPRA (California Privacy Rights Act)

California: Expands upon CCPA, strengthening data rights of California residents, establishing stricter business regulations, and expanding the requirement for consent to cover more scenarios.

CDPA (Consumer Data Protection Act)

Virginia: Gives Virginians more privacy control over their personal data, allowing them to access, modify, and delete personal information collected by organizations. Also establishes data collection standards and regulations for businesses of all sizes.

LGPD (Lei Geral de Proteção de Dados)

Brazil: Includes similar provisions and regulations to the EU’s GDPR. Also establishes that Brazilian businesses must appoint data protection officers to ensure that policies are being followed correctly.

Man reading pricing on mobile device

Pricing for ServiceNow Governance, Risk, and Compliance

Get pricing here for ServiceNow Governance, Risk, and Compliance, which will manage and prioritize enterprise risk in real time for your digital business.

ServiceNow offers privacy management with Governance, Risk, and Compliance. Support privacy by design. Stay on top of risk and compliance in real time, and build trust with Privacy Management

Get started with ServiceNow Governance, Risk, and Compliance

Manage risk and resilience in real time with ServiceNow.
Loading spinner