What is data privacy?

Data privacy is a form of data security concerned with ensuring that data is only being used by authorised persons and for its intended purpose.

Our ability to create, collect, share and analyse data is growing exponentially. In fact, it’s suggested that humanity produces as much as 2.5 quintillion bytes of data every day. And, every minute of every day, massive amounts of that data are being collected by organisations, who mine it for insights into trends, opportunities and glimpses into how their customers think.

Unfortunately, data collection is often a ‘cast a wide net’ approach, illegally capturing private, sensitive user information along with more public data, creating problems for consumers and companies alike. At the same time, even personal data that is shared willingly by customers may create major problems if it is not secured against unauthorised access. As such, the issue of data privacy is a relevant concern across all markets and industries.

Thanks to improvements in the scope and effectiveness of data digitisation, it’s a simple matter for organisations of all kinds to build personal profiles based on individuals’ captured data. And this goes beyond basic information such as name, age and address; today, nearly all forms of personal information exist digitally—from the seemingly innocuous (such as interests and hobbies, buying preferences, relationships, etc.) to the extremely private (such as social security numbers, credit information, health data, location and movements etc.).

In many cases, the information we share online, either knowingly or otherwise, is used by machines to make them smarter; the puppy photo we post on social media helps teach semi-intelligent algorithms to recognise a puppy when they see one. The searches we perform online teach machines how to better understand and replicate human language.

However, regardless of how the data is being used, the fact that it exists and is available to unknown users is becoming a major cause for alarm. Customers (not to mention legislators) around the world are beginning to demand that companies give the original data owners final say in how their data is collected and used.

As such, those organisations that establish and follow healthy data privacy policies are more able to establish trust with their customers. At the same time, they eliminate the legal risks associated with violating new and upcoming data privacy laws, standards and regulations. Facebook’s recent fine of $5 billion from the FTC is an example of just how steep the penalties for violating these laws can be.

Facebook’s $5 billion penalty is the largest ever imposed on any company for consumer privacy violations, but it will certainly not be the last of its kind. Government watchdogs in the United States, the European Union, South America and throughout the rest of the world are taking a firm stand against unauthorised data collection and use. Organisations that fail to update their data privacy policies run the risk of losing more than just the trust of their customers.

On the other hand, there are several benefits that may be enjoyed by companies that actively modernise their data protection playbooks, incorporating real-time, integrated and automated technology to ensure that data is being used ethically, legally and without violating the rights of data owners.

These advantages include the following:

Protection from fines and other penalties

As previously mentioned, one of the most relevant business benefits of data privacy is avoiding penalties and fines. The punishment for failing to respect privacy laws is becoming increasingly steep, and that’s to say nothing of compensation paid to affected customers if their sensitive data is illegally made public.

More than that, government groups are taking their mandate to protect user data seriously, enacting new legislation and increasing their policing activities to ensure that companies are not putting customer data at risk. Organisations that create and follow adequate data privacy policies don’t need to worry about facing criminal charges.

Improved customer and stakeholder trust

The consumer-company relationship is one that goes far beyond purchase transactions; when a customer chooses to do business with an organisation, they are trusting that organisation to respect and secure any personal data that may be exchanged in the process. And when that trust is betrayed, it’s a difficult thing to earn back.

Privacy breaches cause serious reputational and brand damage. Today’s customers have so many options and, in many cases, a single error in terms of data security is enough to send them into the arms of competitors. Conversely, businesses that clearly demonstrate their commitment to data privacy, give their customers unrestricted control over how their data is collected and used, and act transparently in their data practices see increased customer loyalty. This means improved brand value and expanded customer lifetime value.

Better business processes (data management)

Data privacy management forces organisations to take a more detailed look at their data and how it interacts throughout the business. Beginning with a detailed audit (and followed up on with regular ongoing audits) to determine how data is being collected and used, companies can easily identify and resolve data management inefficiencies. This creates a more data-focussed culture and helps streamline business processes, benefiting every department at every level.

Privacy initiatives may also encourage businesses to consolidate their data platforms, bringing all relevant data and data management tools into a single, centralised location. This cuts down on the dangers associated with data siloing, and allows for better data analysis, increased data integrity and more insightful business decisions.

To better serve customers, avoid reputational damage and remain in compliance with new and established legislation, many software developers are now embracing privacy by design (PbD).

PbD is a new, more deliberate approach to data privacy. PbD encourages system engineers to incorporate privacy checks and solutions into all products, services, infrastructures and business practices. These considerations should be integrated from the earliest stages of development and remain a continued focus throughout production and into rollout and post-rollout support.

PbD ensures that data privacy remains top of mind through the entire life cycle of development, rather than being included as an afterthought directly prior to launch.

Unfortunately, effective data privacy is not as simple as making the decision to handle customer data responsibly. Modern businesses face a range of hurdles that must be overcome or avoided to achieve successful data privacy management:

Data ethics

Advances in artificial intelligence (AI) are allowing organisations to more easily and accurately analyse large amounts of user data. But with these new capabilities come certain ethical issues that must be addressed. How far should data analysis be allowed to go? AI has the power to extract extremely personal, valuable and sensitive information based on otherwise innocuous data. Businesses must be fully aware of the ramifications of collecting this kind of data before they employ such tactics.

Insider threats

A major portion of the responsibility of data privacy falls to the employees who work with it. Poorly trained employees can easily misplace, expose or misuse data, putting customers at risk and opening companies up to possible repercussions. Likewise, untrustworthy employees may actively attempt to steal sensitive data. All employees should be fully vetted before they are given access to any customer information, and all employees should be trained in relevant data privacy policies and standards.

Ineffective data disposal

Many businesses focus on collecting and analysing data, but completely fail to follow through on their responsibility to that data once the business relationship ends. Personal data should only be kept in accordance with established standards, and only for as long as the customer (or employee) is associated with the business. Keeping personal data longer than necessary can result in fines and penalties while making potential data breaches more damaging.

Web application vulnerabilities

Web-and cloud-hosted software can create an unsecured data access point into an unsuspecting organisation. Data security demands that every new application be fully inspected and approved as secure before it may be deployed for use within the organisation.

Ineffective response planning

Data protection is essential, but if a data threat finds a way past security controls or an emergent event threatens data integrity, businesses need an effective incident response plan. Creating, sharing, improving and training so that the plan can be deployed at the first sign of a data breach will help limit the potential damage represented by such a threat.

Unnecessary data collection

New laws mandate that customers must provide explicit permission for organisations to use their data, with emphasis on the freedom to choose what kind of data is shared. Businesses that fail to limit their data collection practices beyond what is strictly necessary for the transaction are in danger of facing legal issues.

Unclear privacy terms and conditions

Gone are the days when unscrupulous organisations could hide their true intent behind legalese and complicated policy agreements. Now, data privacy terms and conditions must be presented in a way that every customer or other stakeholder can easily understand. If the user can demonstrate that what they were agreeing to was unclear, it’s the business that stands at fault.

Session expiry issues

When customers abandon online forms containing personal information, it can open the
possibility of other users gaining access to that data. Session-expiry safety features are
designed to cut access to sensitive forms and other information if the user has not taken a
specific action on the site within an allotted time. Including these safeguards on all
applications and computer systems can further secure data from exposure.

Unsecured data-transfer channels

We tend to think of digital data as travelling directly from point A to point B. But while it’s in
transit, that data may make an unexpected stopover, potentially exposing sensitive information
to unauthorised users. Unsecured channels are a major issue in data privacy; businesses
should only use secure channels (such as SFTP or TLS).

It’s clear that in today’s business landscape data privacy is a major issue. But how can
organisations overcome the challenges and create a culture of data privacy? Here, we outline
several best practices to help businesses get started:

Look at data privacy holistically

Data privacy is an issue and responsibility that affects the entire business; it shouldn’t be confined to the IT department. Take a holistic approach and involve every aspect of the organisation in establishing and following data privacy policies.

Map the data

Effective data privacy management depends on organisations having a clear idea of where the data is, what it includes, who has access to it and how up to date it is. Mapping the data creates a detailed picture of a business’ current data situation.

Match practices to promises

Having viable policies, terms and conditions in place is only half the battle. A business that fails to follow through on these policies, leaving promises unfulfilled and obligations unmet, opens the organisation to legal liability and customer disillusionment.

Regularly update data collection policies

Data collection is not a static process; the kind of data that organisations find relevant and useful may change from quarter to quarter, or even more often. That said, if those organisations decide to make updates to their data collection and usage practices, they must also update their policies to reflect those changes.

Evaluate vendors

No business is an island; third-party vendors and contractors might need to access sensitive customer data, so it’s vital that organisations fully vet these partners to ensure that they have reliable security practices in place. Otherwise, third-party entities become weaknesses through which data leaks may occur.

Every year, governments are taking a stronger stand against data privacy violations. Here is a list of several recent legislations aimed at strengthening data privacy in different areas around the globe:

GDPR (General Data Protection Regulation)

European Union: Secures increased control for EU citizens over their personal data, simplifies and establishes data regulations for businesses, and addresses the collection and transfer of personal data outside the EU and EEA areas.

CCPA (California Consumer Privacy Act)

California: Enhances data privacy rights and consumer protection for California citizens, regulating how businesses may handle and use personal data.

CPRA (California Privacy Rights Act)

California: Expands upon CCPA, strengthening data rights of California residents, establishing stricter business regulations, and expanding the requirement for consent to cover more scenarios.

CDPA (Consumer Data Protection Act)

Virginia: Gives Virginians more privacy control over their personal data, allowing them to access, modify and delete personal information collected by organisations. Also establishes data collection standards and regulations for businesses of all sizes.

LGPD (Lei Geral de Proteção de Dados)

Brazil: Includes similar provisions and regulations to the EU’s GDPR. Also establishes that Brazilian businesses must appoint data protection officers to ensure that policies are being followed correctly.

ServiceNow offers privacy management with Governance, Risk, and Compliance. Support privacy by design. Stay on top of risk and compliance in real time, and build trust with Privacy Management

Explore Process Optimization

Identify and manage privacy risk as part of a holistic risk programme across the enterprise. Stay compliant with evolving global privacy regulations.