Data Privacy Day (known in Europe as Data Protection Day) is an international event aimed at raising awareness about data privacy and protection practices among businesses as well as internet users. In this blog series, we’ll attempt to do the same. This first blog post will shed light on data privacy as a whole, important data privacy laws, and some data collection practices that can help you adhere to these laws.
What is data privacy?
Every organization collects some data from consumers, customers, prospects, or employees. They do this to maintain records of their customers, gain a deeper understanding of the market, or identify ways to improve individuals’ experiences. This data can be anything that pertains to an individual: their name, Social Security number, date or place of birth, mother’s maiden name, location, race, ethnicity, religion, genetic data, or biometric records, as well as medical, educational, financial, or employment information.
Data privacy, or information privacy, deals with the proper handling of this data by enforcing protective measures and focusing on complying with data protection regulations. Every business, big or small, must pay attention to and take responsibility for how they collect, store, manage, and share consumer data.
The history of Data Privacy Day
Data Privacy Day is celebrated on January 28 every year to mark the date in 1981 on which Convention 108, the Council of Europe’s treaty on the protection of individuals with regard to automatic processing of personal data, was opened for signature. It was the first binding international treaty to protect individuals against intrusive collection and processing of personal data, and it also sought to regulate the trans-frontier flow of personal data.
The Council of Europe launched Data Protection Day to raise awareness of, and promote, privacy and data protection practices among organizations; other countries later adopted it. Data Privacy Day is now observed in the United States, Canada, Israel, and 47 European countries.
Now that you know what Data Privacy Day is all about, let’s take a look at some landmark data privacy regulations and laws.
Complying with data privacy laws
Many countries have laws to protect the privacy rights of their citizens. Organizations within these countries’ jurisdictions are required to comply with these laws, and failure to do so can result in regulatory penalties or legal action.
Below, we’ve covered a few important data privacy regulations:
General Data Protection Regulation (GDPR)
The GDPR is a regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA) aimed at enhancing an individual’s control and rights over their personal data. It also addresses the transfer of personal data outside the EU and EEA areas.
This regulation is directly binding in every member state and applies to any enterprise that processes the personal data of individuals inside the EEA, regardless of where the enterprise is located or of the individuals’ citizenship or residence. Since leaving the EU, the United Kingdom has retained the regulation in domestic law as the UK GDPR.
Adopted on April 14, 2016 and enforceable from May 25, 2018, the GDPR quickly became the model for laws across the world, including in Turkey, Mauritius, Chile, Japan, Brazil, South Korea, South Africa, Argentina, and Kenya.
For more information on meeting GDPR compliance requirements, check out our security admin’s survival guide for the GDPR.
California Consumer Privacy Act (CCPA)
The CCPA, signed into law on June 28, 2018 and in force since January 1, 2020, is a state law intended to enhance privacy rights and consumer protection for residents of California, United States, and it shares many features with the GDPR. Under this law, organizations are required to “implement and maintain reasonable security procedures and practices” to protect consumer data, and a breach of personal information caused by failing to do so exposes the business to civil action by the affected consumers.
The CCPA applies to for-profit businesses that do business in California and collect consumers’ personal data, provided they meet thresholds specified in the Act (based on annual revenue, the number of consumers whose data they handle, or the share of revenue derived from selling personal data).
Check out our free e-book, A simple guide to the CCPA, to learn more.
California Privacy Rights Act (CPRA)
The CPRA, approved by California voters as Proposition 24 in November 2020, amends and extends the CCPA. It adds further provisions to California state law, allowing consumers to prevent businesses from sharing their personal data, to correct inaccurate personal data, and to limit businesses’ use of sensitive personal information such as precise geolocation, race, ethnicity, religion, genetic data, and the contents of private communications.
The CPRA takes effect on January 1, 2023, and applies to personal data collected on or after January 1, 2022.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is another United States law; its Safeguards Rule requires every financial institution to maintain a written information security program that protects customer information against reasonably foreseeable threats to its security and integrity.
Its Privacy Rule enforces consumers’ right to privacy by requiring financial institutions to provide a privacy notice that explains what information the institution collects about the customer, with whom it is shared, and how the institution safeguards it.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA is a United States federal law that mandated national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Its Privacy Rule governs who may use and disclose protected health information, and its Security Rule requires administrative, physical, and technical safeguards for that information when it is held electronically.
Assessing data collection practices: Are you observing these fair information practices?
Even in today’s data-driven world, protecting data privacy starts with collecting less: data you never collect cannot be breached, misused, or subject to a regulator’s questions. As a first step, companies should implement practices that limit what is collected and tie every field to a stated reason for collecting it.
Many data privacy regulations, such as the GDPR and the CCPA, are built on the Fair Information Practice Principles, a set of eight guidelines (first set out in the OECD’s 1980 privacy guidelines) that can greatly help organizations prudently collect data and comply with privacy laws.
The Fair Information Practice Principles are:
Collection limitation: Only the personal data actually needed should be collected, and it should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the individual.
Data quality: Only data relevant to the stated purpose should be collected. This data should be accurate and up to date.
Purpose specification: The purpose of collecting the data should be specified.
Use limitation: Data shouldn’t be used for purposes other than what was specified.
Security safeguards: Data should be protected from risks such as loss, unauthorized access or use, destruction, modification, or disclosure.
Openness: Personal data collection and usage shouldn’t be kept secret from individuals. Organizations should be open about what data is being collected, its purpose, and where it’s stored.
Individual participation: Individuals have the right to know who has their data, have their data communicated to them, know why a request for their data is denied, and have their data modified or removed.
Accountability: Organizations that collect data should be held accountable for implementing these principles.
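The principles above are governance rules, but the first four can be enforced at the point where data enters a system rather than left to policy documents. The following is an added example, not code from the original post: a small purpose registry in Python that keeps only the fields a declared purpose is registered for, refuses to release data for any other purpose or after its retention period, and produces the subject-access view an individual is entitled to. The purpose names, field lists, retention periods, and the sample checkout form are all constructed for illustration.

```python
from datetime import date, timedelta


class PrivacyViolation(ValueError):
    """Raised when data is collected or used outside a registered purpose."""


# Hypothetical purpose registry, constructed for this example. Each stated
# purpose lists exactly the fields it needs and how long they may be kept.
# Anything a form submits beyond that list is never stored.
REGISTRY = {
    "order_fulfilment": {
        "fields": frozenset({"name", "email", "shipping_address"}),
        "retention_days": 365,
    },
    "newsletter": {
        "fields": frozenset({"email"}),
        "retention_days": 730,
    },
}


def collect(submitted: dict, purpose: str, today: str) -> tuple[dict, list[str]]:
    """Collection limitation and purpose specification.

    Keeps only the fields the named purpose is registered for, tags the record
    with that purpose and the collection date (ISO 8601 string), and returns
    the names of the discarded fields so the caller can log the over-collection.
    """
    if purpose not in REGISTRY:
        raise PrivacyViolation(f"no registered purpose {purpose!r}")
    allowed = REGISTRY[purpose]["fields"]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    dropped = sorted(set(submitted) - allowed)
    kept["_purpose"] = purpose
    kept["_collected_on"] = today
    return kept, dropped


def is_expired(stored: dict, today: str) -> bool:
    """True once the record is past the retention period of its purpose."""
    days = REGISTRY[stored["_purpose"]]["retention_days"]
    collected = date.fromisoformat(stored["_collected_on"])
    return date.fromisoformat(today) > collected + timedelta(days=days)


def use(stored: dict, purpose: str, today: str) -> dict:
    """Use limitation: release the data only for the purpose it was collected
    for, and only while that purpose's retention period is still running."""
    declared = stored.get("_purpose")
    if declared != purpose:
        raise PrivacyViolation(f"collected for {declared!r}, requested for {purpose!r}")
    if is_expired(stored, today):
        raise PrivacyViolation("retention period exceeded; record should have been deleted")
    return {k: v for k, v in stored.items() if not k.startswith("_")}


def subject_access(stored: dict) -> dict:
    """Openness and individual participation: what the person is told we hold,
    why we hold it, and by when it will be deleted."""
    days = REGISTRY[stored["_purpose"]]["retention_days"]
    collected = date.fromisoformat(stored["_collected_on"])
    return {
        "data": {k: v for k, v in stored.items() if not k.startswith("_")},
        "purpose": stored["_purpose"],
        "collected_on": stored["_collected_on"],
        "delete_by": (collected + timedelta(days=days)).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: a checkout form that asks for more than fulfilment needs.
    form = {
        "name": "A. Example",
        "email": "a@example.com",
        "shipping_address": "1 Main St",
        "date_of_birth": "1990-01-01",
        "ethnicity": "not needed to ship a parcel",
    }
    record, dropped = collect(form, "order_fulfilment", "2022-01-28")
    print("stored:", record)
    print("refused to collect:", dropped)
    try:
        use(record, "newsletter", "2022-01-28")
    except PrivacyViolation as err:
        print("blocked:", err)
    print("subject access response:", subject_access(record))
```

Returning the dropped field names rather than silently discarding them matters: an over-collecting form is a defect to fix upstream, and the log of what was refused is the evidence that collection limitation is actually being applied. Tagging each record with its purpose and collection date is what makes the use-limitation and retention checks possible later, when the code that reads the data no longer knows why it was gathered.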
In the next part of this blog series, we’ll be discussing the challenges in securing personal information and how to overcome them.