Data Protection Training & Solutions

The Importance of Data Privacy in Ethics & Compliance

The EU’s General Data Protection Regulation (GDPR) catalysed data privacy laws across the globe. A growing host of local, federal and international regulations and standards have placed a direct emphasis on how organisations govern, protect and secure customer and consumer data. And as regulations mature and expand, customers and consumers are increasingly looking for more transparency into how their information is being handled and used.

The recent COVID-19 pandemic has compounded data privacy challenges. The rapid move to remote workforces gives risk, compliance and information security teams another layer of security and compliance to manage. They now must regulate how employees handle, store and transfer PII outside of the company network. As organisations continue to work remote or transition to remote/in-office hybrid model, privacy risks and the potential for breaches continue to grow.

Data privacy holds priority for those working in risk and compliance. The heightened consumer awareness of data privacy, remote workforces and the increasing number of new and impactful privacy regulations are changing the way organisations handle their data. However, there is no consistent approach outlined by regulators or adopted by organisations that address these challenges. Companies must understand what data is collected, how the business uses that data, understand the risks to that data and then implement the necessary information security and privacy measures to ensure that data is protected in accordance with regulations and guidelines. Failure to do so can be a detriment to the business and have a lasting effect on their financial posture and their reputation.

Learn How NAVEX Global Protects Your Data

Data privacy and data security are closely interconnected, so much so that people often think of them as synonymous. But the distinctions between privacy and security are fundamental to understanding how one complements the other. Data security is about protecting data against unauthorised access. Data privacy is about authorised access — who has it and who defines it. Data privacy concerns arise wherever personally identifiable information is collected, stored or used.

Privacy legislation, such as the European Union’s General Data Protection Regulation (GDPR), is often referred to as data protection legislation because the primary goal is to set expectations for how personal data may be collected and used, who should have access, how it should be secured and disposed of and what rights individuals have with respect to their personal data. The ultimate goal of these laws and regulations is to protect individuals from lapses in security which would result in improper use of their personal data.

THE PRINCIPLES OF DATA PRIVACY

Collection Limitation

Personal data should be collected lawfully and fairly with the consent of the data subject.

Data Quality

Personal data must be relevant to the purpose for which it was collected, accurate and updated.

Security Safeguards

Personal data should be protected using reasonable security safeguards to prevent loss, unauthorised access, destruction, use, modification or disclosure.

Use Limitation

Personal data should not be shared or disclosed other than for the purpose specified unless the data subject has consented or as otherwise required under applicable law.

Purpose Specification

Personal data should only be collected when the purpose for such collection is disclosed at the time of collection and its subsequent use limited to the intended purpose or use that is not incompatible with the stated purpose.

Openness

Personal data should be subject to a general policy of openness about developments, practices and policies, including a way to identify personal data, the purpose for its use and the identity of the controller of the personal data.

Individual Participation

Kept in a manner that allows an individual to confirm whether a data controller has their personal data, have information about the personal data communicated to the individual promptly, be provided a reason if the request for information is denied, and have the data erased, rectified, completed or amended.

Accountability

A data controller should be held accountable for complying with the Principles. These Principles are built on the Organisation for Economic Co-operation and Development's (OECD) eight foundational Principles.

The GDPR, which became enforceable on 25 May, 2018, is a comprehensive reform of existing EU data protection law, expanding the rights of EU individuals and placing more stringent requirements on organisations that provide goods and services to individuals in the EU.

The new law applies not only to organisations that are located in the EU, but also those located outside the EU that offer goods or services to individuals in the EU. Any organisation that fails to comply with the GDPR can be subject to a fine of 2% - 4% of global annual revenue. Naturally, the more serious the infringement, the higher the anticipated fine. Some other important aspects of GDPR are:

Organisations that are deemed "controllers" under the law must notify an authority within 72 hours of becoming aware of a breach of personal data
Privacy by design is the default for products and services
Controllers are required to conduct Privacy Impact Assessments, including assessing its vendors and suppliers
Relevant training must be provided to employees reflective of their access to personal data and their job responsiblities
Organisations must determine whether they are required to appoint a data protection officer (DPO)
Compliance must be demonstrable—organisations must determine how they can demonstrate their compliance with the requirements

What is Data Privacy?

What is the European Union (EU) General Data Protection Regulation (GDPR)?