Data privacy: everything you need to know
Data privacy is at the heart of cybersecurity.
Data is integral to modern life and it’s being collected everywhere: on the roads, at the doctor’s surgery, in travel agents, supermarkets, banks and theatres – even by the coffee-cart guy when you order a latte and pay via an app. As citizens get more savvy about their data rights and privacy regulations throughout the world muscle up, companies that fail to build robust, globally compliant rules around their data privacy do so at their peril. Attorney Sheila FitzPatrick is a worldwide data privacy expert and NetApp’s global chief privacy officer. She shares the key things every organisation needs to know (and do) about data privacy.
Don’t confuse data privacy with data security
Security is not privacy. If you think of a bicycle wheel, data privacy is the entire wheel. It’s the full life cycle of the personal data you collect, from the time you collect it to the time you destroy it. It’s all of the legal and regulatory obligations around that data: what you’re allowed to have, how transparent you are about its collection, how long you keep it for, where you store it and what type of customer consents you have in place.
Data security is one spoke on that wheel: the fortress that you build around the data (once you’re legally allowed to have it) to protect it from unauthorised access and use. But if you’re only looking at security, the wheel is not going to turn; it’s going to break because you’re only identifying one part.
Don’t be a data hog
Collect only the minimal amount of data you require. Do a very deep dive into what your organisation actually needs and ask: 1. What services am I providing? 2. What data do I need in order to provide these services? 3. What technology am I trying to build? 4. What problem am I trying to solve? 5. What data is involved in that problem?
Beware data scope creep
Data is your greatest asset but it can also be your greatest detriment. You need data to manage all sorts of relationships: with customers, patients, citizens and employees. But you must be transparent about what you’re doing with that data and what you’re collecting. Do not take liberties. Organisations find themselves in trouble when they have scope creep: they collect data for one purpose then use it for 15 others. But if you’re transparent about wanting to use it for those 15 purposes to begin with, and your customer gives you consent and willingly provides that information to you, then you don’t have a problem.
GDPR means get your data privacy sorted, stat
In Europe, privacy has always been at the forefront of thought, especially in countries such as Germany, Austria, the Netherlands and France. They’ve always had much more restrictive laws. That push for data minimisation is going to become even more critical under the European Union’s new General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018. It’s the biggest overhaul of data privacy laws in more than 20 years and it’s going to have a significant impact on multinational organisations, even if they don’t have a physical presence in Europe, because the regulation is extraterritorial.
Wherever your company is located, if you have any type of access to the personal data of an EU resident, your organisation will be held accountable for complying with the GDPR, which mandates data minimisation.
Be more like South Korea, less like the United States
Companies need a global approach to privacy regulations. Don’t base your program on a liberal privacy model – I certainly wouldn’t point to the United States’ quasi-privacy laws as a model of excellence. Don’t give lip-service to your privacy framework.
When I built the NetApp data privacy program nine years ago, I looked at the most restrictive privacy laws in the world and said, “Let’s build the entire data privacy program around the most robust requirements.” That way, regardless of where we do business, where we have employees or where we have customers, we are automatically compliant with those laws. I looked at German, South Korean and New Zealand law and built our policies – our procedures, our consents, our data privacy agreements – around that framework. South Korea has one of the most robust and aggressive data privacy laws in the Asia-Pacific, while New Zealand is currently the only country in the region deemed by the EU to adequately protect personal data.