Data privacy and data security—are they the same? What about data governance? Are these simply different terms for different stakeholders? In this overview, let’s look at the ways we define data privacy on a business and personal level. Data privacy involves protection and transparency into data use, so one definition may be: Data privacy is a state of data protection focused on the proper handling and use of confidential data for managing risks related to inappropriate exposure.
This data could include personally identifiable information (PII), intellectual property (IP), or industry-specific subsets such as electronic protected health information (ePHI) patient records or financial data such as credit cardholder data.
Everyone may have a different standard on how data should be handled and used responsibly, and how much exposure creates too much risk of misuse. That’s usually where the friction lies—under what conditions should data be kept confidential and only shared with permission?
Data privacy is not as clearly defined as its close neighbor, data security. The primary reason is that almost everyone has an opinion on privacy standards, with some even declaring, “Privacy is dead!” It is a loaded term, and trust can deteriorate over time until, one day, a person wakes up surprised to experience identity theft when privacy risk exposure is realized.
Unlike data security, where access to data is either controlled or not and can be validated, data privacy considers the nuances of how data is handled (even if it’s secured!). An exposure that falls short of one person’s comfort level for trusted use may be perfectly acceptable to another.
Within the bigger picture of data governance, data privacy tends to focus on the various levels of risk exposure that need to be considered in light of enterprise policies and user rights. Almost anyone can agree that exploiting risks is a bad thing. But calculated risk from data use comes with trade-offs in data utility, and that’s where privacy standards can be debated, based on personal views.
Consider a few questions and where you fall on the spectrum of acceptable data privacy risks:
There is no absolute right or wrong answer. However, with the rise of data abuses and security breaches, global governments, states, and industry governing bodies are increasingly setting baseline standards that we all can (hopefully!) agree on, to offer a minimal level of trust assurance in how we share our data and to define which risks are not acceptable.
Over 90% of adults say that controlling what information is collected about them is important (Pew) and yet 81% of U.S. adults, for example, felt their social media privacy wasn’t secure (Pew). Clearly, there is room for improving our rights to privacy.
How did you answer the social media question #1 asked above and do you agree with the 90% who want to be in control? Do you feel social media, online commerce, your various digital vendors with whom you spend time and money should not have your trust? You’re not alone!
This is the gray area of defining privacy, since there is a subset of people who don’t believe it’s important to govern personal information, and perhaps blindly trust social media or their online shopping, banks, or others. But for the rest, a bar exists that needs to be met, and met consistently. Let’s explore some of the confusion to build a better understanding:
Data privacy vs. data security – are they the same?
As highlighted earlier, it’s worth differentiating these two aspects of data protection to provide more context. And if you’d like a deeper dive, you can read further about the differences between data security and data privacy to test your understanding. However, briefly, data privacy is a risk exposure measure when using protected data, whereas data security is more closely associated with controlling data access.
In a scenario where personal data misuse occurs, you can begin by asking: Should the person or system have been granted access (was it secured)? If so, how was the data exposed?
We generally agree that access to personal information should have limits—a store cashier swipes a credit card (one-time access), but is not entitled to capture card details and reuse that card data without consent. While the data may be secure, it’s the specific unauthorized use that violates privacy expectations.
Data privacy and risk exposure
Data privacy has arguably more in common with managing risk exposure. In the realm of data governance, organizations are constantly trying to derive value from data, while minimizing privacy risks.
The catchphrase “data is the new oil” highlights that data has value and opportunity for monetization, but it also carries liability due to the risk of improper use. Common risks of personal data abuse are identity theft and multimillion-dollar regulatory fines. Therefore, data governance intends to apply controls to ensure responsible use that supports an organization’s policies, while also integrating consumer rights to require data protection, as mandated by law.
The Cambridge Analytica scandal provides a good reference and reminder. While the UK’s ICO determined that Facebook did not keep personal data secured (i.e., access was provided to Cambridge Analytica), it was the exposure that violated consumer privacy expectations, as data was used to influence a political campaign without the consent of Facebook’s users. Whether an entity should have access is a security concern, but what use is appropriate is a privacy concern, and here it points to a failure in trust assurance.
Whether the risk exposure was acceptable to each Facebook user is debatable; however, since consent was not granted, the regulatory assumption is “No!”
Data privacy and legislative standards
So, if it comes down to simply what level of risk exposure is acceptable, how do we agree on common standards and what rights are we granted to ensure data is sufficiently protected?
Governments, states, industries, and other governing bodies are increasingly asking the same question as volumes of personal data grow and are exposed in online commerce and media, and as major security breaches increasingly grab our headlines. At one point, privacy laws were somewhat weak, simply requiring disclosure of data breaches after the fact, when it was too late. But today, laws are proactive and follow two major themes: 1) individuals must have their data protected, and 2) they must have rights to transparency into how their data is used. Where an organization fails to do so, consumers have the right to revoke access and use that is not aligned to their personal privacy standards.
The EU’s General Data Protection Regulation (GDPR) was a significant milestone that many organizations are still marching towards today, as the GDPR offers new consumer rights to control how their personal data is used. In addition to requiring protection, the GDPR offered the “right to be forgotten” to end a relationship and use of personal data entirely, if that right was requested. A data subject access request (DSAR) legally enforces a 30-day response deadline for an organization to provide transparency into personal data use, so a consumer can decide if the relationship is worth potential privacy exposure risks. The GDPR, like the CCPA and other newer laws, offers consumers the ability to take control of their data and creates mandates for businesses to handle data more responsibly.
So, what can we do to get a better handle on data privacy risks, lower exposure to inappropriate uses, or worse, theft—and ensure data stays trusted and protected according to our individual standards?
Since the friction point in today’s newer data privacy legislation tends to be the trust relationship between businesses and consumers to handle data responsibly, let’s look at best practices from the perspective of each role.
Five ways businesses can take control of data privacy
Businesses, governments, and other data stewards trusted by consumers and citizens need to ensure they avoid abuses that can harm reputation and cost brand loyalty:
Five ways consumers can take control of data privacy
Consumers need to be aware of their rights to data privacy, too, and evaluate the businesses they trust to handle their personal data on their behalf. Here are five best practices to consider:
While achieving data protection and transparency may seem daunting, there is an upside in discovering and managing data for business growth opportunities by ensuring it’s safe to handle. This is the case for SulAmérica—Brazil’s largest independent insurance company.
SulAmérica is a great example where enforcing data privacy controls has a return on investment by promoting the trusted and confident use of high-value data sets. Here’s their story:
SulAmérica needed to optimize system performance and trust when integrating data across insurance functions and departments. However, integration could lead to delays in patient authorizations for medical coverage, and impact wellness programs and value-based care.
To gain new insights, the Brazilian insurer brought together information from all over the company to enhance and accelerate decision making. To drive digital transformation and agile development, SulAmérica enabled its software developers to work directly with production data.
But to safeguard customers’ personal information and comply with Lei Geral de Proteção de Dados (LGPD), Brazil’s general data protection law, the data had to be masked to de-identify personal attributes.
“Our relationship with Informatica is so important because it’s helping us move to the next maturity level, addressing goals that are existential to our business in terms of how the Brazilian insurance industry is evolving,” says José Magalhães, SulAmérica. “Informatica is supporting the acceleration of our digital transformation, mitigating risks, and enabling a more efficient operation in today’s insurance environment.”
Read the customer success story in more detail here to learn how SulAmérica turned privacy laws into an opportunity to trust data, increase transparency, and deliver new consumer value.
While many organizations perceive data privacy compliance as a cost of doing business to protect data trust, more progressive organizations are enabling privacy to help drive their digital transformation agendas.
Data intelligence is critical to accelerating business value creation. And the intelligence gained from data discovery and risk assessment can be used to democratize safe data use – such as in self-service analytics and loyalty programs. But the challenge is navigating the fine line of trust and safe use, as more sensitive data is captured, accessed, and used to offer new products and services with the potential of abuse.
Informatica has helped global organizations across all industries navigate data privacy governance with best practices. For additional insights and tips, download Best Practices to Drive and Adopt Data Privacy Governance, a 7-step guide to protecting data while unlocking its value.