Watch the Low-Code/No-Code Summit on-demand sessions to learn how to successfully innovate and achieve efficiencies by upskilling and scaling citizen developers. Watch now.
If you ask most techies about the difference between security and privacy, they probably won’t be able to tell you the difference unless they work on one of those teams. Given that much of our lives are now online, this is an issue that can lead to corporate liability and multimillion-dollar fines, especially from European regulators. With this increased focus, what is the difference between security and privacy, and how should employees think about these issues?
To begin with, let’s look at Twitter Announcement this summer that a hacker had been in his system for over six months and offered to sell user data from 5.4 million accounts. (In 2020, a Florida teen was also accused of taking over accounts). Hackers entering Twitter’s system pose a security threat. But since these hackers may have had access to millions or billions of records, that’s also a privacy concern.
This summer, Meta was fined $403 million by Ireland’s General Data Protection Regulation (GDPR) authority. Last year, European regulators fined Amazon $888 million. This is a big deal for major platforms, but it can affect almost any company these days: California recently fined Sepora $1.2 million for violating the CCPA (California Consumer Privacy Act).
To reduce the impact of fines and breaches, software companies need to focus on privacy as much as security, and make sure their employees know the difference. When you go to the doctor, your doctor will know exactly what HIPAA regulations allow them to disclose. Every truck driver on the road knows exactly how many hours they can drive based on the DoT Hours of Service regulations. But if you ask tech workers what they can and can’t do under CCPA, most may not even recognize the acronym.
Privacy is about creating trust in your organization. It’s about how you handle personal information and making sure you handle it responsibly and in line with what consumers expect of you.
TL;DR on the GDPR
AVG guidelines require data to be stored in a way that ensures that users can request that their information be corrected, deleted as part of the “right to be forgotten”, or that the user knows what data the company has collected about the user, along with various other privacy rights requests. But when data is stored in multiple disconnected databases, staying compliant is much more challenging, as requests require multiple steps and coordination between databases.
Rules also focus on where data is stored, with the aim of regulating the flow of data between the US and European countries. Facebook is challenging this policy, but swears”meta is aabsolutely no threat of leaving Europe.” To prepare for this new regulation, companies must ensure they have a comprehensive record of data processing activities and a data inventory to demonstrate regulatory compliance.
Ten Pillars of Privacy Awareness
Providing ongoing training in your company is very important for all employees who have access to personally identifiable information (PII). Given the pace of announcements about new fines and updated policies, you may need to update your staff on a regular basis.
At Fivetran, I conduct training company-wide, at least every 12 months, but additional reinforcement for regulatory requirements is a year-round job. Awareness includes teaching the fundamentals of privacy, rather than a long list of legal requirements, and explaining how these principles apply to each team and team member. I have a checklist of focus areas. Here’s what people need to know.
- Accountability: Senior leadership should designate one person who is ultimately responsible for an organization’s compliance with privacy laws. Many companies will designate a data protection officer, but either way, the goal is to designate someone who focuses on and is responsible for compliance with the GDPR (and other regulations).
- Identify purposes: Companies should indicate in their privacy statements how they will use customer data, but they should also consider consumer expectations. Most people expect video footage from a store’s security camera to be accessible only if there has been a break-in. But if the camera sends a live stream to the company’s homepage, it could surprise customers and lead to privacy concerns.
- Consent: Proper consent is an essential requirement. But remember that data subjects also have the right to withdraw their consent and your data systems must support this possibility.
- Collection limitation: As tempting as it is to collect as much data as possible, the more you collect, the greater your risk. Focus on tracking and collecting data that you can actually use in your business, based on the goals you’ve identified.
- Limit Use, Disclosure, and Retention: Privacy laws require companies to limit access to data for identified purposes and prevent disclosure to unauthorized personnel. But too many companies still give general employees access to personal data. When a hacker breaks into a system with a compromised account, you can minimize the extent of the damage by limiting internal access to those who need it. Also, do not retain data longer than necessary, taking into account local retention laws and legitimate business purposes, and consider how you would react if you were ever given legal notice.
- Accuracy: Ensuring customer data is accurate is a legal requirement and a business priority for success. Accuracy is also a priority when integrating data from multiple sources, so make sure you can verify the reliability of your processes and the data.
- Safeguards: Ensure good governance and data access safeguards, both from a privacy and security perspective. This includes using the “CIA triad,” of IT security programs that maintain the confidentiality, integrity, and availability of the consumer data you’ve collected.
- Openness: If your company has a unique way of using customer data, don’t bury that policy in the Terms of Service; someone will eventually notice. Meta agreed to pay users $37.5 million because the company was geotracking users based on their IP addresses after consumers turned off location tracking on their phones. Be transparent about your data practices and make information available in policies that use clear, concise, plain English language.
- Individual Access: Upon request, data subjects must be notified of the existence, use, and disclosure of their personal information, and must be able to access and contest the accuracy of that information. Organizations must be prepared to handle these types of privacy rights requests.
- Challenge compliance: Ultimately, anyone subject to the GDPR and CCPA has the right to challenge a company’s compliance with these regulations. If challenged, a company may be required to demonstrate compliance with applicable privacy requirements, including relevant policies and procedures. By role-playing with your privacy team how you would respond to such a request, you can uncover any gaps in your data privacy program before regulators start looking.
With the importance of data for modern businesses, making sure your employees are familiar with privacy laws puts your company in a much better position in the event of an incident. Thinking about how data is captured and stored helps minimize risk. Privacy is your company’s promise to consumers that you are a trusted partner and that you take their interests into account. Use the checklist above to ensure that data processing teams know their data privacy responsibilities as well as a physician knows the HIPAA requirements to build awareness around privacy.
Seth Batey is a senior privacy attorney at Fivetran.
Data decision makers
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people who do data work, can share data-related insights and innovation.
To read about advanced ideas and up-to-date information, best practices and the future of data and data technology, join DataDecisionMakers.
You might even consider contributing an article yourself!
Read more from DataDecisionMakers