Everyone has a right to privacy
You shouldn't need to hide away in a mountainside hideaway to expect a degree of privacy.
It is reasonable to expect that businesses will protect and respect the personal data entrusted to them. However, with the increased reliance on such data (processed, transmitted and stored on company-owned and maintained systems), many organisations have either become complacent about the inherent risks or have abused the data they hold. This is despite there being numerous data privacy laws across the globe.
Consequently, criminals quickly identified that they could take advantage of this disregard or apathy for personal data and established very successful business models through the monetisation of these data assets. Thus, consumers and employees became increasingly distrustful of how organisations were protecting or treating their personal information, often becoming the victims of identity theft or fraud.
In a bid to enhance data privacy regulation, making it more relevant to today's threats and technology environments and increasing business accountability and responsibilities, the EU General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR considerably increases the maximum fines for non-compliance and, more importantly, makes the reporting of high-impact data breaches mandatory.
GDPR is designed to be an evolution of data privacy for business, and as its benefits have been seen by other countries, they too have started to follow suit, with some already looking to enhance their own legislation. For example, the UK Data Protection Act 2018 supplements the GDPR and makes directors and other officers personally liable for offences committed with their consent or connivance, or attributable to their neglect (Section 198 UK DPA):
"Liability of directors etc
(1) Subsection (2) applies where—
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body corporate, or
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
(3) Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member's management functions in relation to the body as if the member were a director of the body corporate.
(4) Subsection (5) applies where—
(a) an offence under this Act has been committed by a Scottish partnership, and
(b) the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner.
(5) The partner, as well as the partnership, is guilty of the offence and liable to be proceeded against and punished accordingly"
Confused as to the difference between Data Privacy, Information Security and Cyber Security?
This is an easy confusion, as they all require formal documents (policies and procedures), security awareness training, audit, technical defences, incident response, etc. for the protection of data across its life-cycle. However, the main difference is that with Data Privacy the business is only the temporary custodian of the data, which is provided to it (on loan) by the Data Subjects (the individuals whom the information identifies). Other business-critical data will typically belong to the business (e.g. Intellectual Property, salaries, etc.) or be of a financial nature, so the importance of that data is relatively easy to understand.
Personal data, on the other hand, comes in various shapes and sizes, varies in its potential impact and, much like a virus, has spread and mutated through business environments. As custodian of personal data, you need to inform the Data Subjects how you intend to use their information (obtaining their Consent where needed), use that information with respect, and securely dispose of it once the legitimate purpose has expired (avoiding 'Data Hoarding').
The Data Life-Cycle commences with Consent or another lawful basis for processing (e.g. legitimate interest). Without one, you cannot comply with the data privacy principles and should refrain from any further use, transfer or storage of the data, moving straight to the final stage of the data life-cycle (Secure Disposal).
At the Heart of Data Privacy
Any 'forward-thinking' business will recognise that data privacy should not be treated as a 'tick box' (do the minimum) exercise but as an opportunity to demonstrate to customers and employees that it values the trust placed in it to safeguard and use their data respectfully. The four primary activities should include:
First, to commence any privacy programme you need to establish how far personal data has migrated through the veins of your business and identify the business processes where that data carries the greatest risk. Once you have achieved this, you will be able to evaluate and prioritise those business environments.
Having identified the business process areas, you will know the personnel, systems and environments involved in their associated data life-cycles and in the maintenance of the supporting IT systems. All of the identified personnel will then need to be educated on the business's expectations for interacting with this data and managing the supporting IT systems, so that the data is processed legally and safely and the IT systems remain secure.
Key to the continued success (or failure) of a privacy programme is 'Teamwork' and Governance: a continual programme of review and reporting, so that any remediation can be implemented in a timely manner and you are suitably prepared for the worst-case event (thinking WHEN, not IF!). The output of the periodic reviews needs to be communicated to senior management for their approval and input, demonstrating that the programme is supported and embraced at the very top (setting the direction and the example).
The most under-appreciated, but most important, element is being able to articulate in writing the business's rules, expectations and guidance (policies, processes, standards), along with evidencing that you understand the full extent of your personal data processing environments and their associated risks (Data Protection Impact Assessments (DPIAs), Data Flow Diagrams, benchmarks, etc.).
Many businesses have struggled to design and develop a suitable data privacy programme that aligns with their business objectives and meets the requirements of the applicable privacy legislation. I have frequently heard businesses say that GDPR compliance is too expensive, too difficult to achieve and not worth the hassle.
However, when planned correctly, the benefits are easily realised once you understand the value of the data, the measures needed to safeguard it and the payoff from making the correct decisions.
Treat your data privacy programme like servicing and maintaining a motor vehicle:
The larger the vehicle: the greater the potential impact and the more expensive the parts (e.g. the braking system on an HGV).
The more precious the cargo: the more protective measures applied (e.g. a child seat for a newborn baby).