How Should Organizations Tackle Their Data Privacy Requirements?

Image

Data is among the most valuable assets that need to be safeguarded at all costs. But in the digitally-driven business world, cybercrimes are prevalent, making data protection and data privacy a main focal point. The increasing use of technology and the growing exposure to evolving cyber threats have dramatically changed the data security and privacy landscape. For these reasons, international regulatory bodies around the world have created stringent data privacy laws for businesses to meet.

The data privacy laws aim at securing individuals' data while also giving them control over their data. With multiple data privacy regulations in place, businesses are now required to meet the data privacy laws and ensure compliance with the requirements. In order for an organization to best accommodate these regulations, it is important to have a familiarity with some of the popular international data privacy laws existing globally. The need for a global view is necessitated by the global presence of all companies that conduct online business. Also, many regulations are built upon the precedents of those set in other countries.

International Data Privacy Laws

Data privacy has become highly prioritized, especially after many global regulators and governing bodies have established and enforced various data privacy laws. These laws were established to regulate and secure the data processing activities of organizations dealing with personal data. Currently, 128 countries have data security and data privacy legislation in force to protect personal data. Some of the well-known of these include the following:

• GDPR EU – The General Data Protection Regulation of the European Union is one of the most popular and comprehensive international data privacy laws. It governs the processing of the personal data of citizens of the EU. Organizations that process the personal data of citizens of the EU must comply with the EU GDPR. The regulation protects the data privacy rights of individuals of the European Union.
• GDPR UK – The United Kingdom General Data Protection Regulation Act is a fairly new and recently introduced data privacy law in the UK. Post-Brexit, the UK GDPR Regulation came into effect on January 1st, 2021. Under the new law, organizations that process the personal data of UK citizens are required to comply with the UK GDPR. It is a data privacy law that mirrors the EU GDPR with a few amendments specific to UK requirements.
• CCPA – The California Consumer Privacy Act seeks to protect the personal data of California residents. It is a one-of-a-kind law in the United States that regulates the processing of consumer data and gives consumers full control over the use of their data. 
• HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) is designed to protect sensitive Patient Health Information (PHI). Organizations that process PHI must be HIPAA compliant. It is a data protection law that organizations must comply with by implementing necessary administrative, technical, and physical safeguards to protect PHI and electronic PHI data.
• PIPEDA – The Personal Information Protection Electronic Documents Act (PIPEDA) is a Canadian data privacy law that protects the way private sector organizations handle personal information. The law governs the commercial processing activity, and it applies to all private sector organizations in Canada that process the personal data of citizens for commercial use.
• PDPA (Singapore) – The primary goal of the Personal Data Protection Act (PDPA) of Singapore is to “govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”
• PDPA Malaysia – Malaysia’s Personal Data Protection Act (PDPA) regulates the processing of personal data by organizations for commercial business. The law came into effect on 15 November 2013, and it was enforced to ensure compliance with certain data privacy obligations and to protect personal data-conferring rights of the data subject. The law strengthens the data protection and privacy practice, thereby empowering data subjects control over their data. 
• Australia Privacy Act – The Privacy Act is a legislation of Australia. Established to protect the personal information of Australian citizens, it stands among the earliest of global privacy legislation. The law, enacted in 1988, governs the way private organizations and government organizations process personal information. The Act, which has undergone continual revisions since its original enactment, promotes the security and privacy of individuals, and it regulates the way organizations handle personal information.
• New Zealand Privacy Act – One privacy legislation that is often overlooked is New Zealand’s Privacy Act.  What makes this Act deserving of mention is that it contains a curious section that allows an agency to reserve the “decision to neither confirm nor deny personal information is held.” This is somewhat unusual when compared to all other privacy legislation.

Technologies for Data Protection

Organizations around the globe are expected to comply with various data privacy regulations within which they fall in scope. Non-compliance to such laws could result in fines, penalties, financial loss, and possible loss of reputation. Organizations must adopt advanced techniques and solutions to maximize data protection. Implementing technologies can help a company restrict and monitor access while also responding to threats. To prevent such incidents and ensure data protection, the following measures should be implemented:

• Data Loss Prevention (DLP) – Data Loss Prevention is software that detects, tracks, and monitors activities around sensitive data. The advanced technology can prevent serious incidents such as data breach, accidental data deletion, and data exfiltration.
• Identity & Access Management (IAM) – IAM is a method for verifying the credentials and permissions of all logins on selected systems. The technology ensures that the correct entity gets privileged access based on role-based access controls. The technology facilitates flexible authentication processes, multi-factor authentication as well as security, session logging and management, and such similar features that prevent unauthorized access.
• Encryption – Encryption is a data security technique that ensures only the user with the correct encryption key may decrypt data. This way, the data is protected against disclosure. It is one of the most secure ways of protecting and ensuring the privacy of the data, for even if the data is stolen, the information is unreadable for the unauthorized user.
• Tokenization – Tokenization is a technique that involves substituting sensitive data with random strings of characters, known as tokens. Without the token vault, a user cannot reverse or access the data. This is another way the sensitive data is secured against unauthorized access.
• Endpoint Protection Platform (EPP) – Endpoint protection software is deployed on devices to prevent security lapses such as malware, intrusion, data loss, and other malicious activity. The software helps detect and prevent threats at the endpoints such as servers, networks, desktops, mobile devices, printers, routers, and connected devices. Network ports can also be protected. EPP monitors the network perimeter and filters traffic for maximum security.
• Firewalls – Firewalls are network objects that may consist of both hardware and software. They're designed to monitor the inbound and outbound network traffic as well as filter it according to an established ruleset.
• Data erasure software – Data erasure is software that can be used for deleting electronic data from any storage device in a way that renders it unrecoverable. Once the data is deemed irrelevant, it may be eradicated using this technology. This way, organizations will remove the liability for storing unnecessary data. In fact, deletion of data is a requirement in many data privacy regulations.

Best Practices to Ensure Data Privacy

Data privacy and security is all about adopting and implementing the best practices. Following the best practices can help an organization streamline its processes for implementing the best data privacy measures. Some industry best practices include:

Data Privacy Policies

Data privacy policies are important documents in the compliance journey. It is a legal document that guides employees of the organization to follow specific rules and guidelines in alignment with various legislation. An organization should clearly define the scope of its policy as well as set clear rules towards facilitating data privacy and security. This includes defining processes and practices that ensure effective implementation.

Minimum Data Collection

The best way to ensure data security and privacy is by limiting data collection. Organizations must ensure that only data necessary for the execution of the business is collected and stored until which time it is no longer necessary. Thereafter, the organization must ensure the safe disposal of the data. Minimizing data collection can also reduce storage costs and diminish the scope of compliance.

Maintain Transparency

Customers always appreciate transparency when it comes to how their data is processed and stored. It is important, therefore, to ensure customers are included and offer their consent in the privacy process including consent, notification, and options for them to modify their choices in data collection.  This includes the opportunity for clients to opt out of data collection.

Data Inventory

One way to ensure data privacy is by creating an inventory of data and classifying it based on its sensitivity. Once an organization is aware of the data in its custody, the way it is handled, and how it is stored, it is easier to implement security and privacy measures around it. Policies can be defined based on how the information is collected, stored, and processed for establishing maximum security.

Privacy By Design

Data privacy by design is crucial to ensure that systems and processes are in alignment with the data privacy and security standards and regulations. Privacy by design should be the foundation on which the development lifecycle or business processes are set. An organization should strive to embed privacy as an essential component at every stage of development and process.

Training & Awareness

Data privacy and security should be embedded in the business culture and work process. To that end, every employee should be given adequate training about industry best practices, prevailing cyber threats, data privacy requirements, guidelines, and relevant data security principles. Moreover, employees should be aware of the business practices, and be held responsible for acknowledging the internal security policies and cybersecurity best practices in the organization.

Conclusion

Data privacy is essential, not just from the compliance perspective but also in terms of upholding the rights of the consumer. In a data-driven world, prioritizing data privacy is often recognized and greatly appreciated by consumers. It boosts their confidence in a business and their work process concerning their personal data. Setting privacy as a foundational pillar of business processes and policies will help organizations successfully achieve data privacy requirements in alignment with various industry standards and regulations.   

About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the United States, Singapore, & India. Mr. Sahoo has more than 25 years of experience in the IT industry with expertise in Information Risk Consulting, Assessment, and Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance and Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. Since 1994, VISTA InfoSec has worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.