What Is Data Privacy?
Data Privacy is a broad term for the principle that personal data should be protected from breach, unauthorized use or sharing, and improper or illegal collection; it provides the foundation for most privacy laws worldwide. From the General Data Protection Regulation (GDPR) in the European Union, to the California Consumer Privacy Act (CCPA), to the Health Insurance Portability and Accountability Act (HIPAA) for health information in the United States, Data Privacy is defined by the scope and legal boundaries of what personal data can be collected and how it can be used.
There are some key distinctions between data privacy and data security. Data privacy is about the rights of the individual or entity to maintain a certain level of expectation that information will be:
- Collected as needed for reasonable use of products or services
- Collected only when known to the individual and to the extent expressly permitted
- Shared with other persons or entities only as needed
- Not shared unless required by law or policy, or authorized by the individual
- Not collected from or about minors without verifiable parental consent (for example, the U.S. Children's Online Privacy Protection Act, COPPA, for children under 13)
- Not sold, shared or transmitted without authorization by the individual
- Properly protected and secured by the entity
It is at this last point that data privacy expectations and regulation shift into data security requirements and policies, often defined by specific compliance regulations. Beyond the well-known data privacy laws mentioned here, many states and countries have their own laws that govern the collection, use, storage, and transmission of personal data. Some of these laws apply to governments, others to businesses, and some apply to both.
Why It Is Important
Data privacy has many different definitions, depending on the data privacy law or act in which it appears. Data privacy laws have changed significantly over the past twenty years, largely due to the digital shift not only in how information is gathered, but in the massive increase in the amount of personally identifiable information (PII) that is created, stored, and made accessible through our use of mobile and internet-connected devices. Complex and previously difficult-to-gather information, like geolocation and biometric data, is now carried in our pockets and worn on our wrists.
Data Privacy And Data Security
While Data Privacy focuses on what should be protected, Data Security focuses on how it should be protected: specifically, the methods, policies, and procedures needed to protect data. This includes the technical components (cybersecurity tools and controls) and the human component of preventing the breach, unauthorized access, or sharing of private data, according to the policies set forth by laws and regulations.
The combination of people, process, and technology is necessary to effectively protect PII, as well as protect the organization (business, government entity, hospital, etc.) from legal penalties from failing to properly safeguard private data.
Data Privacy Challenges And Penalties
Every law and regulation that applies to data privacy is founded on data protection: organizations must secure and protect an individual's data, and are subject to penalty for failing to do so. Additionally, many regulations levy penalties for non-compliance with the policies they set forth, even without a breach, misuse, or exposure of PII having occurred.
The first goal is to prevent the leak of PII at all, but in the event of an error or breach the data should already be encrypted, both at rest (stored in digital form, including on encrypted drives and other physical storage devices) and in transit (for example, a secure upload to a cloud service over an encrypted connection). Encryption is a fundamental best practice that not only helps protect data, but under many breach-notification laws exposure of properly encrypted data does not count as a reportable breach, which minimizes or even eliminates the penalties and fines an organization would otherwise face. The practical caveat is that this safe harbor applies only if the encryption keys were not compromised along with the data, so keys must be stored and managed separately from the data they protect.
Employees must be trained, and in most instances the training must be timely, repeated, topic-specific, broad enough to cover the full range of cybersecurity threats, and documented. Enterprises often struggle with cybersecurity training because many laws and regulations specify only "what" needs to be done and rarely prescribe "how", leaving organizations to guess at what constitutes proper training. This leads to training to the minimum compliance requirement instead of focusing on improving or changing user behavior.
Common Challenges With Compliance-based Training
When the goal is to complete training in order to satisfy compliance requirements, completing the security awareness training becomes the goal in itself, when in reality what is needed is better recognition of and response to threats by users.
Many organizations struggle with the greatest challenge in cybersecurity: we throw the best technology at the problem (the average enterprise has 75 different security products, by the industry estimate cited here), even though human error accounts for the large majority of breaches (90%, by the same estimate). The training meant to address that human element is usually boring, exists only to check the box that compliance training has taken place, and does little to measure whether it actually changed employee behavior.
What Does Good Look Like
Living Security is built on an entirely different premise: that people are your greatest asset. Our solution measures strengths and weaknesses for employees, identifies potential gaps, then delivers timely, engaging, individual and team-based training that creates proven, lasting change. If your organization has ever struggled with a challenge like "everyone has completed phishing training, but hundreds of employees still click on our phishing simulations over and over", you need a better solution.
A top five global telecommunications company ran an internal test and found that “end users who went through the LS Escape Rooms were 45% less likely to click on a phishing simulation vs. all others”.
The Escape Room is one example of team training that explores phishing, Data Privacy, and other security concepts through team puzzle solving. Paired with an engaging storyline based on real-life scenarios, it delivers a more impactful learning experience.
The goal of security awareness compliance shouldn't just be to check the box that employees have completed training; it should be to prevent breaches and to minimize the risk and exposure that come from human error.
What Makes Living Security Better
Data privacy is the foundation of all personal data security regulations. Whether the data is defined as PII or as protected health information (PHI), regulation demands that personal information be treated as confidential, and the responsibility to safeguard that data rests on the organization that collected it. This is why laws and acts are put in place to protect this information and to encourage responsible collection, use, and management of it, and why they are structured with compliance requirements that guide what needs to be done in order to protect it successfully.
Living Security makes it easy to meet compliance requirements with training modules that include, but are not limited to:
- Data Privacy specific content
- PII-specific content
- PHI-specific content
- Passwords (maintaining strong passwords, use of a password manager)
- Phishing (and related forms such as vishing and smishing)
- Physical security (device security, document access and disposal)
- How to report an incident
- Removable devices/USBs
- Mobile devices
- Social media usage and risks of oversharing
- … many, many more
Our modules range from quick-hit 1-3 minute trainings per topic to full CyberEscape Room series that cover multiple topics all in one. Several complex topics on your compliance checklist can be covered in under 15 minutes.
Meet Your Compliance Requirements
Learn more about how Living Security can help you meet your compliance requirements, and actually help your employees make better cybersecurity decisions.