Introduction

In this post, we’ll provide an all-encompassing rundown of data security and data privacy: why they’re important, real-world examples, and key tips for your organization to keep its data secure and private.

Data security and data privacy are strongly interconnected but not the same. Knowing the differences is important to better understanding how they work, and what they each mean to your business.

With GDPR over a year old and the California Consumer Privacy Act now in effect, it’s more important than ever for organizations to make sure they understand what these two things are, why they matter, and how to address them in their day-to-day business operations.

It’s especially important for industries with strict compliance laws such as healthcare, legal services, finance, and biotech; however, it applies to anyone collecting data. It should also be noted that this doesn’t just apply to the IT or Compliance department, but to the entire organization, from marketing and sales to customer service.

What’s the difference between data security and data privacy?

Data privacy is a part of data security and is related to the proper handling of data - how you collect it, how you use it, and maintaining compliance.

Data security is about access and protecting data from unauthorized users through different forms of encryption, key management, and authentication.

Why is Understanding the Difference Important?

With all the legal requirements now in place protecting consumers’ privacy and data, it’s critical that your business understands the implications of not understanding or addressing these two items. Now that we’ve covered what they actually are, let’s dive into what they mean for you.

As a business, it is your responsibility to keep your data secure, and as a result, that also means keeping your employees’, customers’, partners’, and any other contacts’ data safe and secure. Without proper measures in place, a variety of scenarios can happen:

1. If you don’t have proper security measures in place such as Multi-Factor Authentication, Multi-Device Management, Identity Management, your business could be at risk for a breach. Aside from employees, your data is your most critical asset. If it becomes compromised, the business will suffer dramatically and may even cease to exist.

About 60% of hacked small and medium-sized businesses go out of business after 6 months. 

2. Without proper measures in place to keep your employee or customer data private, you could be in violation of a variety of regulations. For example, healthcare companies must abide by HIPAA and not share sensitive patient information. This personal information should also not be sold or redistributed without consent. In doing so, you could be 1) violating the law and 2) ending up with disgruntled customers who leave you for a competitor. Either way, it has a significant impact on your revenue, between fines and loss of customers, not to mention the reputation you will form, which could have lasting effects.

What Are The Legal Implications? GDPR & CCPA Compliance

What GDPR Means for Your Business

With the EU’s General Data Protection Regulation (GDPR) now in place, businesses need to protect the “personal data and privacy of EU citizens for transactions that occur within the EU.” Now, even though this might seem like something similar to the US, there is a significant difference concerning how the EU and US look at identification information.

Under GDPR, companies need to apply the same level of data security to stored personally identifiable information, such as social security numbers, as they do to cookies. And even though the GDPR is an EU regulation, it also applies to anyone that has dealings within the EU.

To learn more about GDPR, here is a checklist we created to make sure your organization is protecting your data.

What CCPA Means for Your Business

The California Consumer Privacy Act (CCPA) took effect in January of 2020. The reasoning behind this bill was to protect the privacy and data of consumers. Essentially, it gives people the right to determine how their data is stored and shared.

With this law in place, and other states starting to follow, it’s critical for businesses in California to understand the legal ramifications and how to abide by the new law. This new law “creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses” meaning California residents have the right to:

  1. Know what personal data is being collected, access that data, and request that their data be deleted
  2. Know if that data is being sold and to whom, as well as opt out of having their data sold

The CCPA applies to the following businesses (must meet only one of the following):

  1. Annual gross revenue greater than $25M
  2. Buys or sells the personal information of 50,000+ consumers/households
  3. Earns more than half its annual revenue from selling consumer information

While this may not apply to you now, other states, and even the federal level, are discussing laws under which data privacy rights will be more commonplace. Data isn’t going anywhere; in fact, it’s only growing, so regardless of whether you fall into today’s thresholds, it can’t hurt to start thinking about it for the future.

Here are a few more tips for being CCPA compliant.


One Real-World Example of Not Abiding By Data Privacy Laws

In January 2019, Google was fined $57M under the new GDPR law. This shows that even the biggest companies are still struggling with what this means to them and how to incorporate the right security and compliance measures within their business ecosystems.

The complaint came from a privacy group that accused Google of not properly adjusting its data collection policies to the new GDPR regulations. While the fine may be “immaterial” to Google, it goes to show how seriously regulators are enforcing this new law.

3 Tips and Reminders for Staying Data Secure

    1. Enable Multi-Factor Authentication whenever and wherever possible. This gives you better access control over your logins.
    2. Research and make sure you’re aware not only of your industry regulations but of state-wide, national, and global laws that may impact you as well.
    3. Work with your IT team to make sure measures and policies are in place to protect user access controls.


Data Governance and Identity Lifecycle Management

One of the best places to start is making sure you’re governing your data and enabling only the right individuals to access approved resources, which lowers your security risk. How do you do this? It starts with identity management. Identity management is the security discipline that enables the right people to access the right resources at the right time for the right reasons. There are many tools that allow for this, our favorite being Azure Active Directory. By implementing identity management across your systems and network, you ensure all employee activity and data are monitored and managed in a secure way. For example, so many people are working remotely and still collaborating today; documents are being sent back and forth and shared in a variety of ways. Identity management allows your employees to do this safely.

Conclusion

In conclusion, while data privacy and data security are certainly interconnected, there are different ways to properly address both.

As a reminder, data security focuses on the technology and tools required to deter cybercriminals from getting their hands on your information such as social security numbers, credit cards, accounts, etc.

Data privacy is complying with local and federal laws, within and outside your industry, to ensure that the data you’re collecting, the processes behind obtaining it, and what you do with it are all law-abiding.

Both are incredibly important, so I hope this article helped point you in the right direction.

If you wish to learn more, check out our tips on preparing for the CCPA. If you wish to learn more about how we can help you, learn more about our Compliance Management and Identity Management solutions.

San Diego, CA, February 6, 2019. Athena San Diego hosted a panel of data privacy experts to discuss how changes in privacy, General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) affect businesses in the US.

Data privacy experts that shared their knowledge and experience with the audience:

  • Reem Allos, Senior Associate, KPMG
  • Robert Meyers, Director of Systems Architecture, Managed Solution
  • Marines Mercado, Sr Privacy Analyst, ResMed
  • Chris Vera, Manager, Office of Customer Privacy, SDGE

The field of privacy is changing. Consumers are now demanding privacy and noticing how their data is being used, and as a result they are taking back the control over their own data.  In addition, the laws are holding companies more accountable to respect the privacy of their consumers.

The reality is, data privacy laws are going to apply to your business sooner or later, no matter where you are in the world. Therefore, being informed and ready to comply with the laws is crucial for your business to thrive in the future and establish trust with your consumers.

Robert Meyers, Director of Systems Architecture at Managed Solution explained that the number one challenge that companies face is knowing what data they are collecting in the first place: “The challenges arise when you are keeping data that you do not need anymore. Do not be a data pack rat, know what you have and delete what you do not need.”

The debate was very lively as the audience had a lot of questions and examples for the panel, demonstrating that new data privacy laws bring uncertainty. Therefore, every business should make sure they know in what way the privacy laws affect them and the data they collect and store.

To help you make first steps towards the CCPA, we offer a free 30 min consultation with our data privacy guru Robert Meyers, CISM, CIPP/E.

The purpose of the California Consumer Privacy Act of 2018 is to force changes onto enterprises that deal in personal data. The Act was passed by the California state legislature and was signed by its governor in June 2018. The bill grants consumers the right to request that a business disclose the specific pieces and categories of personal information it collects about them, the types of information sources, and the business purposes for collecting or selling the information. The bill takes effect on January 1st, 2020.

States and countries are taking consumer rights and personal data privacy more seriously.

Who is Liable for Compliance with the Consumer Privacy Act of 2018?

If your business meets these thresholds, then it is liable for compliance:

  • Annually receives for the business’s commercial purposes, buys, shares, or sells for commercial purposes, alone or in combination, the personal information of 50,000 consumers, devices, or households.
  • Derives 50% or more of its annual revenues from selling personal information of their consumers.
  • Has annual gross revenues larger than $25 million.

Here are some details of the Consumer Privacy Act of 2018, both from the business and consumer standpoint.

The Business Standpoint

  • The Consumer Privacy Act applies to any business that collects consumers’ personal information. It includes both large corporations (with brick-and-mortar and online stores) and smaller companies that meet the above thresholds. Even if a business doesn’t fit the monetary limit (e.g., a small business with a modestly popular app or website), the Act may still apply.
  • For a business to comply with this new legislation, it will need to implement new infrastructure to handle consumer requests. It will also need to alter its website to comply with the bill. This will increase the cost of doing business for some companies.
  • Can a business charge differently based on consumers choosing to exercise their rights? There’s some confusion about that. A part of the bill says that businesses cannot charge different prices if a consumer exercised their right, but nothing seems to prevent a company from doing that. We’ll have to wait to see what will unfold over time.
  • An enterprise can offer consumers an incentive for collecting, selling and deleting personal information. To achieve this, consumers would have to provide their consent (which they can revoke at any time.)

The Consumer’s Standpoint

  • A consumer has the Right of Access – they can request a business that collects personal information to disclose the specific pieces and categories of personal information that the company has collected.
  • Also, a consumer can exercise the Right of Deletion. They can request the business to delete any personal information it has collected.
  • A consumer has the right to know to whom their personal information was sold. Businesses are obligated to release information about how and to whom they disclosed or sold the consumer’s personal information.
  • The consumer gains more control over how their personal information is collected, sold, or used.

Businesses need to be prepared, as the California Consumer Privacy Act of 2018 takes effect in about a year. The majority of companies conducting business in California will be affected by these changes (and other states will inevitably follow). Businesses can’t afford to delay their response to both the GDPR and the 2018 Consumer Privacy Act.

Contact Managed Solutions to get help in preparing for the California Consumer Privacy Act of 2018 compliance.

Despite their importance, not everyone knows what data privacy laws are. In short, data privacy laws are all about prohibiting the disclosure or misuse of information of private individuals, and being compliant with data privacy laws is extremely important.

To date, there are over 80 countries that have varying degrees of data security laws in place. Most noteworthy is the European Union's recent enactment of the General Data Protection Regulation (GDPR). The United States, on the other hand, is somewhat notorious for not having a similar, comprehensive set of data privacy laws, but instead, some limited sectoral laws in some areas, based on the Fair Information Practice.

Basic Principles of Data Privacy

Despite the differences that may occur, some basic principles apply everywhere in the US.

  • There needs to be a stated purpose for all data collected.
  • The data collected cannot be disclosed to other individuals or organizations unless authorized by law or by consent.
  • Record keeping should be accurate and up-to-date.
  • There need to be specific mechanisms that will allow private individuals to review their data to ensure its accuracy.
  • When the stated purpose is no longer relevant or needed, delete all the collected data.
  • It is prohibited to send data where the same data privacy laws do not apply.
  • Except for some extreme circumstances, data such as religion or sexual orientation cannot be collected.

Special Conditions for SMEs

SMEs are concerned about whether they are, in fact, protecting their clients’ data and whether they are in compliance with data privacy laws. Here are several other conditions and reasons why SMEs are concerned.

  • Their IT budgets may not be big enough or may be lacking the specialized workforce to implement sophisticated security solutions correctly.
  • SMEs may be using cloud-based services.
  • Even if the cloud provider may handle the data, the responsibility to provide security still falls on the SME.

What’s more, many of these businesses may not even be aware that they use cloud-based services, in which case they still need to comply with these regulations. If you are using Gmail or Outlook.com, you are using the cloud.

All of the requirements presented above will only become more binding and rigorous with time, right alongside the seriousness of the data breaches themselves.

It is also important to remember that a data breach can cause far more damage to a business than the direct value of the loss. First, there are the personnel costs related to the recovery. Then there are post-incident costs such as repairing customer relations and the brand image, the investigation, plus the many years of credit protection needed for your customers.

The legal costs involved, such as fines, fees, and civil suits should also be mentioned here. Also, let's not forget about the value of lost customers which can quickly send an SME out of business.

Conclusion

Going forward, SMEs need to remember that there are many clearly defined requirements, both legal and financial, for providing adequate protection for their clients’ data. As time goes on and digital threats become more and more prevalent, security measures will become more stringent, and providing data security will become another cost of doing business.

If you want to keep yourself up-to-date, please feel free to check out our website. Our IT professionals and engineers have 23 years of combined experience and are more than qualified to find solutions to all of your security concerns. Contact us today to schedule an assessment.
