
Fundamentals of Data Privacy

Published On: 03/06/2017 Author: MKK


We share vast amounts of personal information with other individuals, businesses, and governments in our daily lives. For example, to carry out personal banking transactions or obtain a credit or debit card, we must provide Personal Data to the financial institution.


Regardless of the sensitivity of the information, we would still expect the bank to safeguard all of it adequately. The bank is required by law to protect our Personal Information and to handle it in compliance with applicable data privacy laws.

Typically, data privacy refers to the appropriate management of personal data or personally identifiable information (PII), such as names, addresses, dates of birth, race or ethnicity, religious or philosophical beliefs, Social Security numbers, health data or sexual orientation, criminal background, and debit/credit card numbers.

However, the concept also applies to other sensitive or important data, such as financial data, intellectual property, and health information. Data privacy and data protection initiatives, as well as the legislative needs of various governing bodies and territories, are frequently governed by vertical industry rules. Data protection is not a single notion or strategy. Instead, it is a discipline made up of rules, procedures, standards, and tools that help companies establish and maintain privacy compliance. Data privacy typically comprises the following six components:

Data protection includes privacy. Data security and backups are included. Data protection safeguards critical company data by ensuring its availability, consistency, and immutability.

Why is data privacy important?

Data privacy affects company value. Businesses of all sizes are collecting and storing more data from more sources than ever before because of the data economy. Business uses for data include:
  • To find, understand, and serve customers.
  • Network and device data to analyse company infrastructure, facilities, and human behaviour.
  • To learn from databases and data sources
  • To train AI/ML systems.
Data privacy prevents unauthorised access, theft, and loss. Data must be managed well and protected from unauthorised access to avoid loss, alteration, or theft.

For individuals, exposure of personal data can lead to erroneous account charges, privacy breaches, or identity theft. Unauthorised access to sensitive data can compromise intellectual property, trade secrets, and confidential communications, as well as data analytics.

Data privacy breaches can harm all parties. Data breaches can lead to fraudulent financial and credit activity, compromised social media accounts, and more. Fines, lawsuits, and catastrophic brand damage may result from regulatory violations. A business needs a response strategy in case its data is hacked.

 

What are the laws of data privacy?

In May 2018, the General Data Protection Regulation (GDPR) overhauled data protection laws for the first time in the history of the IT industry. It emphasises data subjects knowing, understanding, and consenting to the use of their data. It gives both individuals and businesses greater control and protection.

Similarly, many other data privacy laws have been introduced across the globe, and in the U.S. data protection laws are enacted at both the federal and the state level.

 

What does it mean for organizations?

 

Organizations value employee and client data, not simply Personal Data; the value of any information becomes apparent once it is lost. The GDPR requires enterprises to report data breaches within 72 hours. If they violate the GDPR, corporations may be fined €20 million or 4% of their global revenue (whichever is greater).

Breaching this policy on data privacy may lead to disciplinary action, including termination of employment as well as civil and/or criminal penalties.

Other effects of not protecting Personal Data are:
  • We risk losing clients and business if we do not protect their data properly.
  • Failure to secure Personal Data can be quantified financially and legally.
  • Predicting reputational loss is difficult. Trust is difficult to earn but simple to lose. It is a two-way street based on competent, secure, and safe procedures.
  Hence protecting personal data is a critical concern for organizations.

 

What are the key components of data privacy?

  Listed below are the key components of a data privacy program. To cover them, organizations generally establish data privacy principles and roll them out through awareness training, policies, procedures, and the like:
  • Management
  • Compliance
  • Assessment
  • Training
  • Identity
  • Retention
  • Inventory
  • Documentation
  • Remediation
  • Third parties
  • Consent
  • Restriction
  • Monitoring
  • Communication
  • Governance
  • Classification
  A tracking mechanism or tool is also typically deployed when data privacy is implemented. Data Controller and Data Processor are the two predominant roles for handling data privacy in any organization.
  • Data Controller: Determines how and why Personal Data is treated & processed in an organization.
  • Data Processor: Any person or organisation processing data on behalf of the Data Controller must follow the Data Controller's instructions, safeguard the data, and not violate the Data Privacy Act.

 

What is data security?

 

Data security focuses only on the protection part: configuring strict access control policies, applying encryption to data in storage and TLS to data in transit, and deploying monitoring counters in and around these controls to track, remediate, and troubleshoot when required.

Organizations typically rely on native tooling as the first line of security defense and on external third-party tooling as the second line of defense.

Data privacy is a subset of data security and cannot exist without it. It takes care of compliance with data protection laws and regulations, focusing on how data is collected, processed, shared, archived, and deleted.

 

What to do if there is a breach?

 

If you discover or suspect a data breach, the first thing you should do is report it in accordance with your office processes. Keeping us all safe means making sure the right people know when you suspect a data breach. This might be:
  • You have lost your office laptop and it contains lots of sensitive data
  • A malware threat from clicking on an email link or attachment
  • You sent personal data to the wrong person via email
  • Your login credentials have been revealed to someone else
  • Someone shoulder surfing while you work on the train/bus
  • Someone eavesdropping while you talk about an audit in a public place
  • A data breach resulting from unauthorized network access

Some organizations are obligated to report certain breaches to regulators within 72 hours of occurrence, so please read your organization's policies carefully.

If the breach is client related, immediately let your security team and Risk Management team know. Do not talk to the client about the issue. Instead, wait for advice from your security team and Risk Management team.

If the breach is not client related, follow your local office's procedures. This will normally be handled by your local security and privacy department unless the incident needs to be escalated.
