The impact of globalization on privacy of identity is growing. The fact that more and more Data Protection, comprising data security and data privacy, has emerged as a major challenge in cross-border data flows means that data breaches often affect people in multiple countries and may result in financial frauds.
Customers are demanding more security as their worries about privacy and user identity of the data that are being processed or used. For a global organization, experts recommend having a data protection policy that complies with the most stringent set of rules the business faces, while at the same time using a security and compliance framework that covers a broad set of requirements. The guidelines for data protection and privacy apply across the board and include the following:
- safeguarding data;
- getting consent from the person whose data is being collected;
- identifying the regulations that apply to the organization and the data it collects; and
- ensuring employees are fully trained in the nuances of data privacy and security
Although some businesses use the terms data protection, data security and data privacy, they have different purposes:
- Data protection safeguards information from loss through backup and recovery. Data protection is the process of safeguarding important information from corruption, compromise or loss. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. Consequently, a large part of a data protection strategy is ensuring that data can be restored quickly after any corruption or loss. Protecting data from compromise and ensuring data privacy are other key components of data protection
- Data security refers specifically to measures taken to protect the integrity of the data itself against manipulation and malware. It provides security from internal and external threats by implementing controls by different Regulatory agencies using framework.
- Data privacy refers to controlling access to the data. Organizations must determine who has access to data. Understandably, a privacy breach can lead to data security issues.
Data Protection and Privacy Laws and Regulations are vary from country to country, and even from state to state — and there’s a constant stream of new ones. China’s data privacy law went into effect June 1, 2017. The European Union’s General Data Protection Regulation (GDPR) went into effect in May 2018.
In the United States, the California Consumer Privacy Act supports the right for individuals to control their own personally identifiable information. Compliance with any one set of rules is complicated and challenging. The GDPR defines an array of legal terms at length. Below are some of the most important ones are:
‘Data processing’ or ‘Processing’ means any automated or manual operation(s) carried out on personal data. In essence, this covers almost any relevant action word that could possibly be performed on information including collecting, recording, organising, classifying, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making available to others, integrating, blocking, deleting or destroying.
Personal Information (PI) is generally defined as any information relating to an identified or identifiable natural person. It may be referred to as personal data, personal information, non-public personal information, etc.
Examples include, Name, Address, Date of Birth, Telephone Number, Fax Number, Email Address, Government Identifier (e.g., PAN Number, PF account number, etc.), Account Number (Bank Account, Credit Card, etc.), Driving License Number, IP Address, Biometric Identifier, Photograph or Video Identifiable to an Individual and any other unique identifying number, characteristic or code.
A definition of Privacy, on the other hand is “the claim of individuals, groups, or institutions to determine when, how, and to what extent information about them is communicated to others” by Dr. Alan F. Westin (Privacy and Freedom, 1967)
A ‘Data Subject’ or ‘Individual’ is defined as the person to whom the personal data relates
‘Data protection authority’ or ‘Authority’ is the national body established to be responsible for upholding the rights of individuals to the protection of their personal data through the enforcement and monitoring of compliance with the local data privacy laws.
‘Sensitive personal data’ is a subset of personal data and is defined as information that directly or indirectly reveals a person’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life
Controllers ‘determine the purpose of the processings’. This means that they make decisions about what information is captured and why
Processors process personal data on behalf of a controller and in line with the given instructions. If a processor subcontract some or all of the processing to another organisation, the latter is referred to as a sub-processor.
The Data Protection Officer, or DPO, is an organization’s GDPR focal point and will have to possess expert knowledge of data protection law and practices
Data protection Principles
The key principles of data protection are to safeguard and make available data under all circumstances. If you process data, you have to do so according to seven protection and accountability principles:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g., by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Accountability
- Designate data protection responsibilities to your team.
- Maintain detailed documentation of the data you’re collecting, how it’s used, where it’s stored, which employee is responsible for it, etc.
- Train your staff and implement technical and organizational security measures.
- Have Data Processing Agreement contracts in place with third parties you contract to process data for you.
- Appoint a Data Protection Officer.
Data Security
The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
Technical measures mean anything from requiring your employees to use two-factor authentication on accounts where personal data are stored to contracting with cloud providers that use end-to-end encryption.
Organizational measures are things like staff trainings, adding a data privacy policy to your employee handbook, or limiting access to personal data to only those employees in your organization who need it.
Consent
There are strict new rules about what constitutes consent from a data subject to process their information.
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
GENINVO & it’s Privacy Principles
The underlying philosophy of privacy protection is that that the data subject be informed about the Personal Information (PI) that may be collected by the processor whose services one is availing of, or the website that one is visiting. The company is expected to do so by declaring its privacy policy.
We at GENINVO follow the general principles & ensure a transparent privacy policy. Generally, the following eight principles cut across all geographies: Notice, Consent, Collection Limitation, Use Limitation, Access & Corrections, Security/Safeguards, Data Quality and Openness. APEC, EU, and Canada include two more principles namely, Accountability and Enforcement. US Safe Harbour Program also includes these principles.
The GDPR recognizes a litany of new privacy rights for data subjects, which aim to give individuals more control over the data they loan to organizations. As an organization, it’s important to understand these rights to ensure you are GDPR compliant.
Below is a rundown of data subjects’ privacy rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Conclusion
Any organization that is processing any Personal Information, It is strongly recommend to be GDPR compliant.