Corporate Data Privacy: Whose Responsibility is it?

Have you ever wondered what happens to your personal information once you click the “Agree” button when your mobile device wants to pull the latest software update from the OEM (Original Equipment Manufacturer, the company that builds the device and ships the software that comes pre-installed on it)?

Very few people can confidently state that they have read the terms and conditions relating to data privacy presented by the OEM of their mobile device, and yet we give our consent to the organization automatically. You might assume that your data is safe and is being curated in such a way that your identity will not be compromised.

One of the core security responsibilities businesses and organizations have is Data Loss Prevention (DLP). For the most part this refers to client data, but it also covers data generated within the organization itself, such as sensitive financial information, strategic marketing plans, and project proposals. Many organizations partner with industry leaders and specialists in the field of DLP to provide tools aimed at managing DLP and Corporate Data Privacy.

Because confidentiality is part of the cyber security triad, many employees believe that DLP and data privacy are not their concern.

Framing Corporate Data Privacy

Although data security might seem conceptually identical to data privacy, it is not. Data privacy can, however, be framed in the same terms. When we consider the cyber security triad of Confidentiality, Availability, and Integrity, we can translate these into Access Control, Data Integrity, and Accountability.

Corporate Data Privacy has a distinct focus on information that is either derived from or generated about people (usually personally identifiable information). This means that privacy deals with the correct handling of sensitive information.

Data privacy practices are based on policies, legislation, and at times, service-level agreements such as the terms and conditions of the aforementioned software update.

Data Privacy Policies

When we talk about data privacy policies, we are referring to the written guidelines that have been put in place to protect clients’ privacy. Clients would typically be expected to agree to the policy before using a particular service. Here is an example from Google’s data privacy policy: “When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.”

Another aspect that comes into play with data privacy policies is Data Sovereignty. As more businesses and organizations expand their online presence, they attract clients from various countries around the world, which means international data privacy laws need to be taken into account.

The General Data Protection Regulation (GDPR), enacted by the European Union in 2018, is the most significant and far-reaching data privacy law in the world. With hundreds of millions of internet users in the European Union, this regulation can affect nearly every organization that collects data from clients over the internet. Violating the GDPR can result in severe sanctions, with fines of up to 20 million Euros. The European Union has defined data privacy as a basic human right, allowing the owners of data to dictate to what extent it may be retained and repurposed.

So Who Is Responsible for Upholding Corporate Data Privacy?

As far as data privacy in a corporate environment is concerned, everyone is responsible for upholding the rules and regulations enacted through policies. Businesses and organizations never own the personally identifiable information (PII) of their clients in the first place. This means that any employee or agent entrusted with PII can be held liable for it.

In Conclusion

A key takeaway from all we have discussed is the concept of consent. Organizations are required by law to handle client data in line with the consent the client has given. Corporate policy dictates how information should be used, and that consent is derived from the privacy policy the client has accepted, shaped by legislation such as the CCPA (California Consumer Privacy Act). Everyone whose digital fingerprint appears on the data is responsible for it – from protecting data against cyber breaches to protecting personally identifiable client information from insider threats and negligent employees.

A corporate culture that has client data protection at its core is a corporate culture that understands the importance of data privacy and that everyone has an obligation to protect it.

For more information about Data Loss Prevention and DLP best practices, visit this blog.