Importance Of Data Privacy In The Digital Era

Gunasundaram
Jul 20, 2021

Privacy as a concept is elusive. It’s not because it is hard to define, but because it’s pretty dynamic: it is influenced by individuals’ privacy choices, by their rights as defined worldwide by various regulatory authorities or governments, and by changes in the political and technological environment.

Data privacy is imperative for organizations that deal with data worth millions. It’s the reason why people put locks on cabinets with confidential files and rent lockers at banks. With passing time, as more and more data goes digital, data privacy takes on greater importance. Even if the data isn’t worth millions or the organization is a small enterprise, data protection is the responsibility of any organization that collects, stores, and processes personal data. Such an organization shall obtain consent from an individual while collecting such personal data by explaining the purpose, the nature of the data, and how the data will be processed and protected. Comprehensive data privacy and protection brings businesses value, reduces risks, and should not be brushed aside or minimized in its level of importance.

Data privacy entails data protection, which is the process of safeguarding personally identifiable information from unauthorized or accidental disclosure. Data protection controls access to data.

Privacy, all in all, depends on and affects ethics, trust, and technology.

Organizations decide beforehand who gets access to what data.

The importance of having data privacy and protection strategies in an organization increases as the amount of data it creates and stores grows at an unprecedented rate, and protecting personal data requires specific information security controls.

Personal Data

In this digital era, we usually apply the concept of data privacy to critical personal information, also called personally identifiable information (PII) and personal health information (PHI). This may include Social Security Numbers, health records, financial records, credit card information, and even basic but still relatively sensitive data like name, address, important days, and so on.

Standards

The International Organization for Standardization (ISO) has recognized the need and introduced the ISO/IEC 27701:2019 standard, which specifies requirements and provides guidance for a privacy information management system (PIMS) as an extension to ISO/IEC 27001. The ISO/IEC 27001 standard provides requirements for an Information Security Management System, and the ISO 27002:2013 standard provides guidelines for organizational information security standards and information security management practices.

Regulations and Laws

Recognizing the importance of data privacy and protection, different countries are implementing their respective data protection laws. Such data privacy laws differ from country to country, and new laws keep emerging with changing times.

The most relevant data privacy legislation enacted to date is the General Data Protection Regulation (GDPR) by the EU. It governs the collection, use, transmission, and security of data collected from residents of any of the 28 member countries of the European Union. The law applies to all EU residents, regardless of the location of the entity that collects the personal data. Fines of up to €20 million or 4% of total global turnover may be imposed on organizations that fail to comply with the GDPR.

In India, a Personal Data Protection Bill was first introduced as a draft in 2018, and an updated draft was introduced in 2019 and is soon to become an Act. The proposed PDPA of India governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with the personal data of individuals in India.

Apart from the above, the following are a few other data protection laws implemented worldwide.

An organization that implements the necessary technical and organizational controls and information security controls for the protection of personal data to meet the regulatory requirements can avoid personal data breaches and the risk of huge penalties ranging from approximately $3.9 million.

Privacy By Design

One of the key principles in implementing data protection is Privacy By Design, which seeks to ensure that the technical and organizational measures or controls needed to protect the data are addressed while the processing system is being planned.

Principles or Obligations

The proposed PDPA of India enumerates the following principles as obligations of the organizations collecting and processing data:

  • Lawfulness
  • Purpose Limitation
  • Collection Limitation
  • Notice requirement
  • Preservation of the Quality of Data
  • Retention restriction
  • Accountability of Data Fiduciary
  • Consent Necessity

Even GDPR prescribes similar principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

By applying Privacy By Design and the other Principles or Obligations prescribed by the respective countries and their laws, or by adopting appropriate international standards, an organization can plan and implement secure processing systems to protect privacy and personal data.

Data privacy has been recognized at the macro level, and we therefore see government organizations and different corporations spending millions of dollars every year to protect their data from unwanted exposure.

Case Studies

Reports that focus on issues of data privacy and personally identifiable information have become increasingly prominent in the media:

In September 2014, several celebrities reported that their personal photographs had been stolen from their Apple iCloud accounts.

In early July 2015, it was revealed that there had been a breach in databases managed by the US government’s Office of Personnel Management, which exposed confidential information of almost 22 million people.

Article References:

https://www.researchgate.net/publication/312577391_A_Review_of_Information_Privacy_and_Its_Importance_to_Consumers_and_Organizations

https://prsindia.org/billtrack/the-personal-data-protection-bill-2019

http://www.pdpa2019.in/

https://gdpr.eu/

https://www.iso.org/standard/71670.html

https://www.iso.org/isoiec-27001-information-security.html

https://www.iso.org/standard/54533.html

Disclaimer: The views, thoughts, and opinions expressed in the text above belong solely to the author, and don’t reflect views of the author’s employer, organization, committee, or other group or individual.

Gunasundaram

Digital Transformation Leader, Enterprise Architect, Agile Transformation Leader