Privacy, in the broadest sense, is the right of individuals, groups, or organizations to control who can access, observe, or use something they own, such as their bodies, property, ideas, data, or information.
Control is established through physical, social, or informational boundaries that help prevent unwanted access, observation, or use. For example:
- A physical boundary, such as a locked front door, helps prevent others from entering a building without explicit permission in the form of a key to unlock the door or a person inside opening the door.
- A social boundary, such as a members-only club, only allows members to access and use club resources.
- An informational boundary, such as a non-disclosure agreement, restricts what information can be disclosed to others.
The exponential growth of a global information economy, driven by new technologies and disruptive business models, means that an ever-increasing amount of personal data is being collected, used, exchanged, analyzed, retained, and sometimes exploited for commercial purposes. It also means there are ever more accidental or intentional data breaches, incorrect or lost data records, and data misuse incidents.
As a result, the demand for data privacy — the right to control how personal information is collected, with whom it is shared, and how it is used, retained, or deleted — has grown, as has the demand for data security.
Balancing the individual’s right to data privacy and an organization’s desire to use personal data for its own purposes is challenging, but not impossible. It requires developing a data privacy framework.
Developing a Data Privacy Framework
Although there isn’t a “one-size-fits-all template” for a framework, there are several universal processes that can help you develop one relevant to your business:
Discovering and classifying personal data — Determining what types of data are collected (e.g., medical, financial, or personally identifying data such as Social Security numbers), where and how the data is collected, where it is stored, who has access to it and where they are physically located, how data flows within and across business units, and what data transfers occur within and between countries.
Conducting a Privacy Impact Assessment (PIA) — Determining how and where data is stored, backed up, and disposed of; what data security measures are currently implemented; and where systems may be vulnerable to a data privacy breach. Examples of data security measures include the following:
- Change management — Monitors, logs, and reports on data structure changes. Shows compliance auditors that changes to the database can be traced to accepted change tickets.
- Data loss prevention — Monitors and protects data in motion on networks, at rest in data storage, or in use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests, and unusual activity to prevent data theft.
- Data masking — Anonymizes data via encryption/hashing, generalization, perturbation, etc. Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy.
- Data protection — Ensures data integrity and confidentiality through change control reconciliation, data-across-borders controls, query whitelisting, etc.
- Ethical walls — Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc.
- Privileged user monitoring — Monitors privileged user database access and activities. Blocks access or activity, if necessary.
- Secure audit trail archiving — Secures the audit trail from tampering, modification, or deletion, and provides forensic visibility.
- Sensitive data access auditing — Monitors access to and changes of data protected by law, compliance regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an audit trail for forensics.
- User rights management — Identifies excessive, inappropriate, and unused privileges.
- User tracking — Maps the web application end user to the shared application/database user and then to the final data accessed.
- VIP data privacy — Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft.
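The two steps above, discovering which fields hold personal data and then masking them, can be seen end to end in the following Python example. It is an added illustration, not code from the original article or from any product the article describes. The sample records, the regular-expression classifiers, and the HMAC key are all constructed for the example; a real deployment would load the key from a secrets manager and keep it apart from the masked data, because anyone holding the key can re-link the tokens to people, which is what makes keyed hashing pseudonymization rather than anonymization.

```python
"""Added example (not code from the original article): pattern-based
discovery of personal data in sample records, followed by the masking
techniques the article lists: keyed hashing (pseudonymization),
generalization, and perturbation. The records below are constructed and the
HMAC key is a placeholder."""
import hashlib
import hmac
import random
import re

# Regular-expression classifiers for the data types named in the article.
# Pattern matching finds structured identifiers only; free-text fields such
# as names need dictionary- or model-based classification instead.
PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "card": re.compile(r"^(?:\d{4}[ -]?){3}\d{4}$"),
}

# Constructed sample records standing in for rows exported from a database.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "email": "a@example.com",
     "card": "4111 1111 1111 1111", "age": 34, "balance": 1200.00},
    {"name": "B. Example", "ssn": "987-65-4321", "email": "b@example.com",
     "card": "5500-0000-0000-0004", "age": 41, "balance": 350.50},
]

PSEUDONYM_KEY = b"placeholder-key-from-a-secrets-manager"  # assumption


def classify_value(value):
    """Return the PII label whose pattern matches `value`, or None."""
    if not isinstance(value, str):
        return None
    for label, pattern in PATTERNS.items():
        if pattern.match(value):
            return label
    return None


def discover(records):
    """Map each field name to the PII label found in any record's value.

    This is the 'discovering and classifying personal data' step: it tells
    you which columns carry regulated data before you decide how to mask them.
    """
    found = {}
    for record in records:
        for field, value in record.items():
            label = classify_value(value)
            if label is not None:
                found[field] = label
    return found


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed hash (HMAC-SHA256) of a value, truncated to 16 hex characters.

    Equal inputs map to equal tokens, so joins across tables still work.
    The mapping cannot be reversed without the key, but whoever holds the key
    can re-link tokens to people, so the output is pseudonymous, not anonymous.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_age(age, width=10):
    """Generalization: replace an exact age with a band such as '30-39'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def perturb(value, rng, spread=0.05):
    """Perturbation: scale a numeric value by a random factor within +/- spread."""
    return round(value * (1 + rng.uniform(-spread, spread)), 2)


def mask_records(records, classification, seed=0):
    """Apply masking per field according to the discovery results.

    Fields classified as identifiers are pseudonymized; the quasi-identifier
    'age' is generalized and the numeric 'balance' is perturbed. A fixed seed
    keeps the output reproducible for testing.
    """
    rng = random.Random(seed)
    masked = []
    for record in records:
        out = dict(record)
        for field in classification:
            if field in out:
                out[field] = pseudonymize(out[field])
        if "age" in out:
            out["age"] = generalize_age(out["age"])
        if "balance" in out:
            out["balance"] = perturb(out["balance"], rng)
        masked.append(out)
    return masked


if __name__ == "__main__":
    classes = discover(SAMPLE_RECORDS)
    print("classified fields:", classes)
    for row in mask_records(SAMPLE_RECORDS, classes):
        print(row)
```

Running the block prints the classified fields (`ssn`, `email`, `card`) and the masked rows; the `name` field is left untouched because no pattern matched it, which is exactly the gap a pattern-only discovery leaves and why the PIA should record which fields were classified by what method.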
Understanding marketing issues — Determining cross-border marketing issues (e.g., whether products or services are directly marketed to residents of other countries, the language used on a website, or the deployment of mobile applications) and third-party marketing issues (e.g., sharing of information for marketing purposes).
Analyzing compliance requirements — Determining applicable compliance requirements, based on the results of the data discovery and classification step and the PIA.
- Legislative Regulations — State, country, or governmental agency laws regulating personal data collection, use, storage, transport, and protection. Examples include General Data Protection Regulation (GDPR — European Union), Personal Information Protection and Electronic Documents Act (PIPEDA — Canada), Information Technology Act 2000 (ITA — India), Privacy Act 1993 (New Zealand).
- Industry-specific Regulations — Laws or mandates defining how a specific industry, type of business, or government agency will treat and secure personal data. Examples include Health Information Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Payment Card Industry Data Security Standards (PCI DSS).
- Third-Party Obligations — Agreements among business partners defining how a contractor, vendor, or other external agency will treat and secure personal data collected by the ‘parent’ organization. For example, an agency located in India providing credit card services for a U.S.-based vendor must observe PCI DSS data protection requirements.
Developing privacy policies and internal controls — Creating external privacy statements (e.g., website, mobile app, and offline privacy policies); internal and external privacy policies and procedures related to data governance, data privacy and security breaches; and data privacy training.