Data Privacy & Data Protection

The Importance of Data Privacy in Ethics & Compliance

Data protection legislation has evolved and increased over the past few years, but the vast amounts of personal data and the ease of accessing it has kept pace. In the UK alone, the Information Commissioner's Office (ICO) received more self-reported incidents and concerns last year than any other year prior. They also saw a 31.5 percent increase in data protection reports. While the ICO handles these reports and issues fines where appropriate, taking a proactive approach to protect customer and employee data is a far better approach for businesses that want to be seen as trusted partners, suppliers and vendors.

Data privacy and data security are particularly important considerations for those working in ethics and compliance. Given the nature of data provided through a whistleblower hotline or an investigation, organisations must handle this information with the utmost sensitivity. For example, hotlines and helplines may record both anonymous and identifying information on employees -- such as name, role, gender or department -- that either directly or indirectly identifies an individual.

Learn How NAVEX Global Protects Your Data

Data privacy and data security are closely interconnected, so much so that people often think of them as synonymous. But the distinctions between privacy and security are fundamental to understanding how one complements the other. Data security is about protecting data against unauthorized access. Data privacy is about authorized access — who has it and who defines it. Data privacy concerns arise wherever personally identifiable information is collected, stored or used.

Privacy legislation, such as the European Union’s General Data Protection Regulation (GDPR), is often referred to as data protection legislation because the primary goal is to set expectations for how personal data may be collected and used, who should have access, how it should be secured and disposed of and what rights individuals have with respect to their personal data. The ultimate goal of these laws and regulations is to protect individuals from lapses in security which would result in improper use of their personal data.

THE PRINCIPLES OF DATA PRIVACY

Collection Limitation

Personal data should be collected lawfully and fairly with the consent of the data subject.

Data Quality

Personal data must be relevant to the purpose for which it was collected, accurate and updated.

Security Safeguards

Personal data should be protected using reasonable security safeguards to prevent loss, unauthorised access, destruction, use, modification or disclosure.

Use Limitation

Personal data should not be shared or disclosed other than for the purpose specified unless the data subject has consented or as otherwise required under applicable law.

Purpose Specification

Personal data should only be collected when the purpose for such collection is disclosed at the time of collection and its subsequent use limited to the intended purpose or use that is not incompatible with the stated purpose.

Openness

Personal data should be subject to a general policy of openness about developments, practices and policies, including a way to identify personal data, the purpose for its use and the identity of the controller of the personal data.

Individual Participation

Kept in a manner that allows an individual to confirm whether a data controller has their personal data, have information about the personal data communicated to the individual promptly, be provided a reason if the request for information is denied, and have the data erased, rectified, completed or amended.

Accountability

A data controller should be held accountable for complying with the Principles. These Principles are built on the Organisation for Economic Co-operation and Development's (OECD) eight foundational Principles.

The GDPR, which is enforceable beginning 25 May, 2018, is a comprehensive reform of existing EU data protection law, expanding the rights of EU individuals and placing more stringent requirements on organisations that provide goods and services to individuals in the EU.

The new law applies not only to organizstions that are located in the EU, but also those located outside the EU that offer goods or services to individuals in the EU. Any organisation that fails to comply with the GDPR can be subject to a fine of 2% - 4% of global annual revenue. Naturally, the more serious the infringement, the higher the anticipated fine. Some other important aspects of GDPR are:

Organisations that are deemed "controllers" under the law must notify an authority within 72 hours of becoming aware of a breach of personal data
Privacy by design is the default for products and services
Controllers are required to conduct Privacy Impact Assessments, including assessing its vendors and suppliers
Relevant training must be provided to employees reflective of their access to personal data and their job responsiblities
Organisations must determine whether they are required to appoint a data protection officer (DPO)
Compliance must be demonstrable—organisations must determine how they can demonstrate their compliance with the requirements

What is Data Privacy?

What is the European Union (EU) General Data Protection Regulation (GDPR)?