Quick Reference Guide for Data Privacy
Learn about keeping your data safe as rules and technologies
change. This guide explains key concepts like data privacy
laws, how to label and protect data, and how AI fits in.
Written by: Ian Horowitz
INTRODUCTION
Today, IT folks are expected to excel in a range of technologies and practices. One big thing they have to know
about is protecting personal and sensitive information – in other words, data privacy.
Data privacy is growing in importance because of several factors, including:
Stricter government rules about how organizations must protect people’s data.
More cyber threats and frequent data breaches.
Companies are collecting more sensitive data about customers and employees.
Organizations often rely on other companies to securely manage their data.
If you work in IT, you might be tasked with making sure your organization follows data privacy rules. This could
mean things like making sure sensitive information is kept safe and regularly checking that data is handled
correctly.
This guide is here to help IT pros understand the basics of data privacy. In the following sections, we’ll explain
concepts and tools to help you do your job better.
Data privacy is a key piece of cybersecurity, so check out our guide Cybersecurity Basics: A Quick Reference Guide
for IT Professionals to learn more.
TABLE OF CONTENTS
1. Examples of Regulations and Compliance Requirements
a. General Data Protection Regulation (GDPR)/ California Consumer Privacy Act (CCPA)/ Health Insurance Portability and Accountability Act (HIPAA)
2. Data Classification
a. Public Data/ Personal Data/ Confidential Data
3. User Authentication and Access Control
4. Encryption
5. Data Minimization
6. Third-Party Risk Management
7. “Privacy by Design”
8. Data Audits and Monitoring
9. What Is a Data Privacy Officer?
10. Data Privacy and AI
EXAMPLES OF REGULATIONS & COMPLIANCE REQUIREMENTS
To make sure we’re following the rules and doing things the best way possible, we can refer to various
regulations and standards for help. Depending on the kind of work your organization does, there are specific
rules for keeping personal and business information private and secure.
For example, if your organization handles medical data, you likely need to comply with a law called the Health
Insurance Portability and Accountability Act (HIPAA).
General Data Protection Regulation (GDPR)
The GDPR is a set of laws for handling the personal data of European Union citizens.
Even if your organization is not in Europe, it helps to know the GDPR’s basic framework.
Here are a few tenets of the legislation:
Consent: Always seek explicit permission before using someone’s data.
Minimize Data Collection and Usage: Only collect and use the data you really need.
Consumer Rights: Let people see their data, correct it if it’s wrong, and delete it if they want.
Transparency: Report a breach within 72 hours.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) aims to protect California residents’
data. Familiarize yourself with the regulations and review enforcement case examples
to understand its requirements. Some important things to know about CCPA’s
requirements:
Transparency: Organizations must inform California consumers how they collect,
use, and share their data.
Consumer Rights: Allow consumers to see, delete, and say no to selling their data.
Minors: Get permission before selling data of users under 16.
No Punishment: Organizations can’t punish consumers for exercising their CCPA
rights.
Potential penalties for CCPA non-compliance:
Fines: Up to $7,500 each time you break the rules.
Legal Action: Consumers can sue for data breaches or violations of their rights
under the CCPA.
Health Insurance Portability and Accountability Act (HIPAA)
For personal medical data in the U.S., the Department of Health and Human Services
(HHS) instituted HIPAA regulations. The professional guidance, compliance, and
enforcement materials available on HHS's website are particularly useful for IT
workers in healthcare. Here’s what HIPAA’s about:
Privacy: Organizations must keep medical information private.
Security: Abide by standards for securing electronic protected health information
(ePHI).
Transparency: Notify people when there’s been a problem with their protected
health information (PHI).
Potential penalties for HIPAA non-compliance:
Fines: From $100 to $50,000 per violation, up to $1.5 million per year for
repeat offenses.
Criminal Charges: For severe violations.
DATA CLASSIFICATION
Now that we've covered some of the key data privacy regulations, let's take a closer look at how to sort data properly. It’s
important for organizations to classify the different types of data they handle; that way, they can determine the correct
safeguards. Data generally falls into three categories depending on how sensitive it is: public, personal, or confidential.
PUBLIC
This is data that anyone can see without causing problems. It should be easy to find and look up.
Examples can include things like a stock price of a publicly traded company; a weather forecast; content from newspapers, blogs, and social media (if set to public); government data like census information; a published research paper; and information provided on a company’s website.
PERSONAL
This classification covers any data that can identify people, like their name or address. Personal data requires special protection and explicit permission to use. In discussions about personal data, you may hear the term “data subject,” which means the person whose information is handled. In this context, “consent” means that people (or data subjects) agree to let an organization use their data.
Examples of personal data include contact details, ID numbers like Social Security or driver’s license numbers, financial info like bank account numbers or credit card details, and health info like medical records and prescription history. It can also include internet-related data like a user’s cookie information.
CONFIDENTIAL
This is the most sensitive type of data, as it could cause a lot of trouble if it gets out. Confidential data calls for security measures like encryption, and only certain people should be able to access it.
Examples include private customer info collected by a company, secret business strategies and proprietary algorithms, legal info like contracts and litigation materials, employee records such as their personnel file or salary details, and intellectual property like a new idea for a product or technology that hasn’t yet been shared.
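Classification only helps if it is applied consistently, so the usual approach is to tag records automatically and attach the safeguards to the tag. The following Go program is an added example (not code from this guide or from ITPro Today) of a small classifier for the three levels above. The field-name lists and value patterns are assumptions made up for the example; a real deployment would tune them to its own data sources. It goes slightly beyond the text by validating candidate card numbers with the Luhn checksum, which keeps a random run of digits from being mislabelled as personal data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Classification follows the guide's three levels; a higher value is more sensitive.
type Classification int

const (
	Public Classification = iota
	Personal
	Confidential
)

func (c Classification) String() string {
	return [...]string{"public", "personal", "confidential"}[c]
}

// Field names treated as personal or confidential regardless of value.
// These lists are assumptions for the example, not a standard.
var (
	personalFields     = map[string]bool{"name": true, "address": true, "phone": true, "email": true}
	confidentialFields = map[string]bool{"salary": true, "contract_text": true, "source_code": true}
)

// Value patterns that mark a field as personal data (constructed for the example).
var (
	emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)
	ssnRe   = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)
	digitRe = regexp.MustCompile(`^\d{13,19}$`)
)

// luhnValid applies the Luhn checksum used by payment card numbers so that an
// arbitrary run of digits is not mislabelled as a card number.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ClassifyField returns the level for one key/value pair.
func ClassifyField(name, value string) Classification {
	key := strings.ToLower(strings.TrimSpace(name))
	v := strings.TrimSpace(value)
	switch {
	case confidentialFields[key]:
		return Confidential
	case personalFields[key], emailRe.MatchString(v), ssnRe.MatchString(v):
		return Personal
	case digitRe.MatchString(v) && luhnValid(v):
		return Personal
	}
	return Public
}

// ClassifyRecord labels a record with its most sensitive field, because the
// safeguards applied to a record must match the most sensitive thing in it.
func ClassifyRecord(rec map[string]string) Classification {
	highest := Public
	for k, v := range rec {
		if c := ClassifyField(k, v); c > highest {
			highest = c
		}
	}
	return highest
}

func main() {
	// Constructed sample records, one per classification.
	samples := []map[string]string{
		{"ticker": "ACME", "price": "42.10"},
		{"customer": "A. Person", "contact": "a.person@example.com"},
		{"employee_id": "E100", "salary": "88000"},
	}
	for _, rec := range samples {
		fmt.Printf("%v -> %s\n", rec, ClassifyRecord(rec))
	}
}
```

The record-level label is the maximum over its fields: one Social Security number in an otherwise public record makes the whole record personal, which is what decides the storage, access and retention rules applied to it.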
USER AUTHENTICATION AND ACCESS CONTROL
To keep data private, it’s important to use strong authentication
methods to stop people who shouldn’t be accessing it.
Here are some of the tools commonly used for this purpose:
Multifactor authentication
Strong password policies
Captchas
Biometric verification on devices
Additionally, implementing strategies like the Principle of Least
Privilege (PoLP) and Zero Trust Network Access (ZTNA) in networks
and systems can make it even harder for unauthorized people to
access data. These strategies, which we explained in our Quick
Reference Guide for Cybersecurity, boost security by ensuring users
only get access to what they really need for their jobs and by
continuously checking their access rights.
ENCRYPTION
There are two main types of encryption used to protect
data:
1. At Rest Encryption: This protects data when stored
on devices or physical storage like hard drives.
2. In Transit Encryption: This keeps data safe while
being sent across networks.
A good strategy for protecting data should incorporate
both types of encryption. That way, data stays safe
whether sitting on a hard drive or traveling across the
network.
DATA MINIMIZATION
Data minimization is a principle that says you should
collect only the data you need for a given purpose. This
helps protect people’s privacy, lowers the chance of data
getting stolen, and makes it easier to follow data privacy
regulations.
When you only collect the data you need, it’s easier to
manage and less likely that someone will get access to
private information without permission.
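In code, data minimization usually means that each downstream purpose gets a view containing only its allowed fields, so a system never holds what it was never given. The following Go program is an added example (not code from this guide or from ITPro Today) of that pattern. The purposes, field lists, sample record and key are assumptions constructed for the example. It goes one step beyond the text: the analytics view receives an HMAC-derived pseudonymous ID instead of the real customer ID, which lets records be linked to each other without handing the real identifier to a system that does not need it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// purposeFields lists the only fields each processing purpose may receive.
// The purposes and field names are assumed for this example.
var purposeFields = map[string][]string{
	"shipping":  {"name", "address", "postal_code"},
	"analytics": {"postal_code", "signup_month"},
}

// linkablePurposes need to recognise the same customer across records without
// learning who the customer is; they get a pseudonymous ID instead of the real one.
var linkablePurposes = map[string]bool{"analytics": true}

// Pseudonymize derives a stable, non-reversible identifier with HMAC-SHA256.
// Without the key, the output cannot be mapped back to the real customer ID.
func Pseudonymize(key []byte, realID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(realID))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Minimize returns the subset of a record that the named purpose needs.
// Anything not on the purpose's list is never copied, so a downstream system
// cannot leak what it was never given.
func Minimize(purpose string, pseudonymKey []byte, rec map[string]string) (map[string]string, error) {
	allowed, ok := purposeFields[purpose]
	if !ok {
		return nil, fmt.Errorf("no field policy defined for purpose %q", purpose)
	}
	out := make(map[string]string, len(allowed)+1)
	for _, field := range allowed {
		if v, present := rec[field]; present {
			out[field] = v
		}
	}
	if linkablePurposes[purpose] {
		if id, present := rec["customer_id"]; present {
			out["pseudo_id"] = Pseudonymize(pseudonymKey, id)
		}
	}
	return out, nil
}

// FieldNames lists a record's keys in sorted order for stable output.
func FieldNames(rec map[string]string) []string {
	names := make([]string, 0, len(rec))
	for k := range rec {
		names = append(names, k)
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: the full record as collected at signup.
	full := map[string]string{
		"customer_id":   "C-1001",
		"name":          "A. Person",
		"email":         "a.person@example.com",
		"date_of_birth": "1990-01-01",
		"address":       "1 Example Street",
		"postal_code":   "12345",
		"signup_month":  "2024-05",
	}
	key := []byte("placeholder-pseudonym-key-from-key-manager") // placeholder key
	for _, purpose := range []string{"shipping", "analytics"} {
		view, err := Minimize(purpose, key, full)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s receives %v\n", purpose, FieldNames(view))
	}
}
```

A purpose with no policy entry is an error rather than a default of "everything", which is the safe failure mode: adding a new consumer of the data forces someone to write down what it actually needs.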
THIRD-PARTY RISK MANAGEMENT
Third-party risk management focuses on the vendors and partners
that have access to an organization’s data.
In any third-party agreement, it’s important to take these precautions:
Learn About Them: Understand how the third party accesses and
uses your data.
Ask Questions: Don’t be afraid to ask about how they handle data
and what security measures they have in place.
Keep an Eye on Them: Regularly check if third parties are
maintaining regulatory compliance.
To mitigate risks associated with third parties, organizations should
do their due diligence before sharing any data, set up clear
agreements about data protection, and regularly ensure that third
parties follow your organization’s privacy rules.
“PRIVACY BY DESIGN”
"Privacy by Design" is an approach that focuses
on making data privacy a big part of designing
and building systems and processes. In practical
terms, this means proactively building in privacy
measures from the start, rather than treating
privacy as an afterthought.
The approach makes sure that privacy is always
thought about and followed throughout the data
life cycle – from when data is collected to when it
is deleted.
DATA AUDITS AND MONITORING
Organizations should do regular audits of how they handle
data. Doing so can verify that they’re complying with data
privacy rules, find any vulnerabilities, and make sure that data
protection measures still work. Audits and monitoring include
checking logs of who’s accessed data and analyzing how data
moves around the network.
Being proactive helps organizations spot any suspicious
access or behavior patterns early on. It’s generally
recommended that organizations keep detailed records of
how they process data.
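The access-log review described here, combined with the least-privilege policy from the authentication and access control section, can be made concrete. The following Go program is an added example (not code from this guide or from ITPro Today): it parses a constructed data-access log format, flags reads that the user's role does not permit, and flags any user touching an unusually large number of distinct records inside a short window. The log format, role policy, thresholds and sample lines are all assumptions made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one parsed line of a data-access log.
type AccessEvent struct {
	When                      time.Time
	User, Role, Record, Level string
}

// rolePolicy states which classifications each role may read. It is the
// least-privilege policy the review checks against (assumed for the example).
var rolePolicy = map[string]map[string]bool{
	"intern":  {"public": true},
	"support": {"public": true, "personal": true},
	"hr":      {"public": true, "personal": true, "confidential": true},
}

// Finding is one item for a reviewer to look at.
type Finding struct{ User, Reason string }

// ParseLine reads the constructed log format used in this example:
// "<RFC3339 time> user=<id> role=<role> record=<id> level=<classification>".
func ParseLine(line string) (AccessEvent, error) {
	parts := strings.Fields(line)
	if len(parts) != 5 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, parts[0])
	if err != nil {
		return AccessEvent{}, err
	}
	ev := AccessEvent{When: when}
	fields := map[string]*string{"user": &ev.User, "role": &ev.Role, "record": &ev.Record, "level": &ev.Level}
	for _, kv := range parts[1:] {
		pair := strings.SplitN(kv, "=", 2)
		if len(pair) != 2 || fields[pair[0]] == nil {
			return AccessEvent{}, fmt.Errorf("malformed field %q", kv)
		}
		*fields[pair[0]] = pair[1]
	}
	return ev, nil
}

// Review runs two checks over the log: reads the user's role does not permit,
// and any user touching more than maxRecords distinct records inside window.
func Review(lines []string, window time.Duration, maxRecords int) ([]Finding, error) {
	var findings []Finding
	perUser := map[string][]AccessEvent{}
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if !rolePolicy[ev.Role][ev.Level] { // unknown roles are denied as well
			findings = append(findings, Finding{ev.User,
				fmt.Sprintf("role %s read %s record %s", ev.Role, ev.Level, ev.Record)})
		}
		perUser[ev.User] = append(perUser[ev.User], ev)
	}
	users := make([]string, 0, len(perUser))
	for u := range perUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic output order
	for _, user := range users {
		evs := perUser[user]
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		inWindow, start := map[string]int{}, 0 // sliding window of distinct records
		for end := range evs {
			inWindow[evs[end].Record]++
			for evs[end].When.Sub(evs[start].When) > window {
				inWindow[evs[start].Record]--
				if inWindow[evs[start].Record] == 0 {
					delete(inWindow, evs[start].Record)
				}
				start++
			}
			if len(inWindow) > maxRecords {
				findings = append(findings, Finding{user,
					fmt.Sprintf("%d distinct records within %s", len(inWindow), window)})
				break
			}
		}
	}
	return findings, nil
}

// SampleLog is constructed for the example; it is not real data.
var SampleLog = []string{
	"2024-05-01T09:00:00Z user=alice role=support record=cust-17 level=personal",
	"2024-05-01T09:01:00Z user=bob role=intern record=cust-17 level=personal",
	"2024-05-01T09:02:00Z user=carol role=hr record=emp-3 level=confidential",
	"2024-05-01T09:05:00Z user=alice role=support record=cust-18 level=personal",
	"2024-05-01T09:05:10Z user=alice role=support record=cust-19 level=personal",
	"2024-05-01T09:05:20Z user=alice role=support record=cust-20 level=personal",
	"2024-05-01T09:05:30Z user=alice role=support record=cust-21 level=personal",
}

func main() {
	findings, err := Review(SampleLog, 5*time.Minute, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.User, f.Reason)
	}
}
```

On the sample log the review produces two findings: the intern reading a personal record, and the support user who opened four distinct customer records within five minutes. The first is a policy violation to act on; the second is only a pattern worth a look, which is why the thresholds are parameters rather than fixed numbers.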
WHAT IS A DATA PRIVACY OFFICER?
You might have heard of Data Privacy Officers (DPOs) but aren’t sure exactly
what they do. DPOs make sure that organizations follow the data privacy laws
they need to.
Their responsibilities usually include:
Checking that data-handling practices meet the defined standards.
Serving as the go-to person if anyone has questions about data privacy.
Acting as a liaison with legal teams and regulators if there’s a legal problem.
Doing checks inside the organization to make sure everyone follows the
rules.
Teaching employees about data privacy.
Ensuring data privacy is part of how the organization’s computer systems
are set up.
DATA PRIVACY AND AI
As the use of AI becomes more prevalent in different industries, there are important questions about how to keep
the data these systems use safe. A primary concern is that the companies that develop AI systems might have different
rules about privacy than the companies using their technology. Another worry is that some AI systems, especially
the ones that use Deep Learning, make decisions that can be hard to explain. This can be a problem because it’s
unclear how they make decisions. (You can explore this concern further in our Quick Reference Guide for
Understanding AI).
Additionally, there are different rules about data privacy in different places. For example,
GDPR laws in Europe give people strong rights about their data, but CCPA rules in
California are somewhat more relaxed. If a company in Europe uses AI from a company in
California, there might be conflicts about how data gets handled.
Furthermore, certain AI use cases, such as Computer Vision (CV) used for surveillance and
facial recognition, could potentially violate privacy rights in some jurisdictions.
Dealing with how AI is using our information will require new rules. The ultimate goal is to
use AI to make businesses run better, but we also need to keep people’s information safe.
Thank you for reading.
For more content like this, visit our website: ITPROTODAY.COM