Personal data is, to quote Anchorman’s Ron Burgundy, kind of a big deal. And it’s only going to get more important. Of all the types of data produced, the one users — understandably — feel most protective about is personally identifiable information (PII).
That means information that could be used for identifying, contacting, or finding a specific individual. It could be anything from a physical address, an email address, a passport number, or a scan of a driver’s license through to handwriting samples, fingerprints, genetic information, or facial data. While users may be willing to hand over this information in certain contexts (think providing Amazon with your address for a Prime delivery or giving a fingerprint sample for biometric authentication), it’s of paramount importance that it is properly protected.
This isn’t just for the benefit of customers, either. Large numbers of people — around 42% according to one Experian study — believe that it is up to a company given a customer’s personal data to safeguard it. That number increases to 64% when customers were asked if they would be willing to put off using a particular company’s services in the aftermath of a data breach. Simply put, no one wants their personally identifiable information doing the rounds online.
And since many people believe it is the responsibility of companies to safeguard data (and, regardless of whether it is, it’s a good business move to do what you can to earn and keep the trust of your valued customers), lots of companies choose to create a Data Privacy Framework.
What is a Data Privacy Framework?
A Data Privacy Framework is a document that lays out the way that a business or organization protects sensitive information. It makes clear who is responsible for data protection, what defines sensitive data, how integrity-sensitive certain data is and what happens if it is compromised, and how this data is stored and deleted. It also lays out the risk assessment measures, operational data practices and so forth, to ensure that there is a formal workflow and process for data privacy on a company-wide level.
It can be useful for evaluating the systems a company or other organization has in place for data protection, highlighting responsibility and possible gaps, and guaranteeing that you have a plan that fits with regulatory requirements and your own security budget.
In some cases, a Data Privacy Framework will just be used for ensuring that you have a bespoke agreement in place regarding user data, even when this is not legally binding. (For example, the question of who is legally responsible for data privacy is contested around the world.) But in other cases, it is essential to have such a framework so that you can ensure regulatory compliance in any and all territories in which you operate. Although there may be some broad, agreed-upon definitions for personally identifiable information, the devil — as they say — is in the details. While the United States considers personally identifiable information as information that can specifically trace a particular person’s identity, in the European Union, for instance, it also covers categories such as a person’s economic or cultural identity.
Having a Data Privacy Framework will make it simpler to handle compliance workloads. It will also make it easier to engender trust at every level, from customers through to board members and authorities, by proving accountability.
Put the right security measures in place
An organization’s Data Privacy Framework will additionally help inform the security controls needed to stop data loss and data leaks. For example, that could mean putting into place systems designed to track sensitive data transferred either inside or outside the organization, and to spot unusual patterns potentially indicative of a leak. It might also mean privileged user monitoring, in which all privileged access to files and databases is monitored, with blocks and alerts in place whenever potentially suspicious activity is identified.
Fortunately, you don’t have to do all of this yourself. Security experts will be able to provide you with specialist tools for putting in place uniform data security and compliance policies covering both your on-premises and cloud-based systems. That includes data warehouses, enterprise file stores, and Platform as a Service (PaaS) offerings like Amazon Relational Database Service (RDS).
Protect data, earn trust
This is the start of a new era for personal data. Privacy issues are increasingly on the radar for customers, while initiatives like the EU’s General Data Protection Regulation (GDPR) guidelines are formalizing and unifying measures across national borders. While there is still work to be done in this area, companies and other organizations that handle sensitive data shouldn’t wait until they are legally mandated to make provisions for data protection.
A comprehensive, organizational approach to data privacy will help demonstrate that you are a trusted ally in the fight to keep private data private. And it can even help you identify potential vulnerabilities and put systems into place to protect against possible breaches in the process!