Data privacy or information privacy is a branch of data security concerned with

the proper handling of data – consent, notice, and regulatory obligations. More
specifically, practical data privacy concerns often revolve around:

1. Whether or how data is shared with third parties.

2. How data is legally collected or stored.
3. Regulatory restrictions such as GDPR, HIPAA, GLBA, or CCPA.

Why is Data Privacy Important?

There are two drivers for why data privacy is one of the most significant issues
in our industry.

Data is one of the most important assets a company has. With the rise of the
data economy, companies find enormous value in collecting, sharing and
using data. Companies such as Google, Facebook, and Amazon have all built
empires atop the data economy. Transparency in how businesses request
consent, abide by their privacy policies, and manage the data that they’ve
collected is vital to building trust and accountability with customers and
partners who expect privacy. Many companies have learned the importance of
privacy the hard way, through highly publicized privacy fails.
Second, privacy is the right of an individual to be free from uninvited
surveillance. To safely exist in one’s space and freely express one’s opinion
behind closed doors is critical to living in a democratic society.
“Privacy forms the basis of our freedom. You have to have moments of
reserve, reflection, intimacy, and solitude,” says Dr. Ann Cavoukian, former
Information & Privacy Commissioner of Ontario, Canada.

Dr. Cavoukian knows a thing or two about data privacy. She is best known for
her leadership in the development of Privacy by Design(PbD), and now it
serves as a cornerstone for the many data protection regulations including the
most recent one that became law, the EU General Data Protection
Regulation.

Data Privacy vs. Data Security

Organizations commonly believe that keeping sensitive data secure from
hackers means they’re automatically compliant with data privacy regulations.
This is not the case.

Data Security and data privacy are often used interchangeably, but there are
distinct differences:

 Data Security protects data from compromise by external attackers and

malicious insiders.
 Data Privacy governs how data is collected, shared and used.
Consider a scenario where you’ve gone to great lengths to secure personally
identifiable information (PII). The data is encrypted, access is restricted, and
multiple overlapping monitoring systems are in place. However, if that PII was
collected without proper consent, you could be violating a data privacy
regulation even though the data is secure.

Data Privacy Cannot Exist Without

Data Protection
While you can have data protection without data privacy, you cannot have data
privacy without data protection.
Ensuring data privacy means that you’re not the creepy company that greedily
collects all of your customer’s personal data – whether it is with passive
location tracking, apps secretly absorbing your personal address book, or
websites recording your every keystroke.
Instead, employees should be regularly trained on data protection so they
understand the processes and procedures necessary to also ensure proper
collection, sharing, and use of sensitive data.
Information privacy also includes the regulations required for companies to
protect data. And as more data protection regulation grows worldwide, global
privacy requirements and demands will also expand and change. However,
the one constant is adequate data protection: it’s the best way to ensure that
companies are both complying with the law and guaranteeing information
privacy.

Data Privacy Acts and Laws

Fortunately, lawmakers have recognized the importance of having data
privacy regulation and the need to hold companies responsible for end-user
data.

Companies are now required to determine what data privacy acts and laws
affect their users. For instance, you must know where the data originated
(country and state), what personally identifiable information it might contain
and usage methodology.

Let’s take a closer look at how the most recent data privacy regulations impact
users and companies.

GDPR (General Data Protection

Regulation)
Enacted in May 2018, the GDPR aims to protect EU citizen personal data.
There are many action items that companies in scope need to take to be
become compliant, including but not limited to:

 Explicit opt-in consent

 The right to request their data
 The right to delete their data
GDPR gives consumers certain rights over their data while also placing
security obligations on companies holding their data. For companies, one
challenging aspect of the GDPR is the requirement to respond to subject
access requests.
The reality is that most organizations can’t easily locate, provide, or delete an
individual’s personal data on request. Many CIOs and data privacy officers
rely on GDPR compliance software that automatically discovers and classifies
personal data in order to keep it protected and to help expediate data subject
access requests.

HIPAA (Health Information Privacy and

Portability Act)
While the EU has GDPR, one of the most prominent US data protection and
privacy laws at the federal level is HIPAA—a data privacy regulation that was
put in place to safeguard patient personal health information.
Healthcare providers have always been an attractive target for data breaches.
In fact, health records are extremely valuable—approximately 10-20 times
more valuable than credit card numbers.

What is Data Privacy in Healthcare?

Even though Congress passed HIPAA in 1996, calls for even greater data
privacy protection has increased when data breaches and how companies
use and sell the data they collect on their patients are now at an all-time high.

Fortunately, in December 2000, the U.S. Department of Health and Human

Services(HHS) issued the Privacy Rule to carry out HIPAA’s mandate to
safeguard the privacy of individually identifiable health information.
The goal of the Privacy Rule is to ensure that a patient’s health data is
properly safeguarded while allowing covered entities to process health
information as needed, conduct high quality health care while protecting the
patient’s health records and care.

Meanwhile, patients understand the benefits of having convenient access to

their health data, but also desire data privacy. And that’s why GDPR adapted
and integrated PbD lingo into law. PbD doesn’t compromise business goals.
You can have privacy, revenue, and growth. You’re not sacrificing one for the
other.
If you’re curious how GDPR and HIPAA compare, keep in mind that GDPR
covers an even broader scope than HIPAA and does not focus exclusively on
health data. GDPR calls for protecting “sensitive personal data” which
includes protecting health data. Bottom line: GDPR is comparable to HIPAA’s
regulatory requirements.

GLBA (Gramm-leach-Bliley Act)

Another regulation that should be on your radar is the Gramm-Leach-Bliley
Act(GLBA). The GLBA requires financial institutions to safeguard consumer
financial data. To do this, leverage classification to quickly identify where your
sensitive financial data is stored.
The benefits of achieving GLBA compliance is multi-fold. It reduces potential
fines and reputational harm due to the unauthorized sharing or loss of
sensitive financial data. Sure, the GLBA isn’t the same as the EU’s GDPR, but
it won’t be long before America gets their own.

CCPA (California Consumer Privacy

Act)
Businesses operating in the state of California need to be ready on January 1,
2020 for the CCPA to identify and discover personal information, fulfill data
subject access requests, and protect consumer data. The CCPA gives
consumers a right to control how companies collect and use their personal
data. This means that companies need to be able to quickly and accurately
find and classify sensitive data so that they can identify data that falls under
the CCPA and fulfill data subject access requests (DSARs).

How Varonis Helps with Data Privacy

To achieve data privacy nirvana, organizations need a data
security solution that protects enterprise data, prevents data breaches,
reduces risk, and helps achieve compliance. At Varonis, our approach to data
security as it relates to enhancing data privacy includes:
1.Manage access to sensitive and regulated data
You’ll never hear anyone complain of having too much access. That’s why
regular entitlement reviews with DatAdvantage and DataPrivilege ensure that
only the right people have access to the right data: unrestrained access leave
companies at risk of a data breach, theft or misuse. If you want to achieve
least privilege and compliance faster, the Automation Engine helps you get
there – so that you can automatically remediate global access and fix file
system permissions.
2.Follow proper compliance requirements
Love it or hate it, compliance requirements hold a baseline that enforces data
privacy goals to sustain freedom, intimacy, and solitude. With Data
Classification Engine, you’ll find and classify regulated and sensitive content.
After, you’ll have the option to automatically transport data to where it needs
to be and also fulfill data subject access requests as needed.
3.Monitor and detect suspicious behavior on
sensitive data
Arming your organization with DatAlert means that you’ll have continuous
monitoring and alerting on all your organization’s data. This means companies
can identify and monitor consumer personal data, track who is accessing it,
highlight unusual activity and report on odd behavior that’s regulated and
sensitive. Ultimately, knowing that your data is always safe and secure also
ensures data privacy.
Get a 1:1 demo to see how customers use Varonis as part of their data
security strategy – it’s a requirement for data privacy!