Data Protection Training & Solutions

The Importance of Data Privacy in Ethics & Compliance

The EU’s General Data Protection Regulation (GDPR) catalysed data privacy laws across the globe. A growing host of local, national and international regulations and standards have placed a direct emphasis on how organisations govern, protect and secure individuals’ data.

The recent COVID-19 pandemic has compounded these data privacy challenges. The rapid move to remote working gives risk, compliance and information security teams another layer of security and compliance to manage.

In this rapidly changing environment, organisations must ensure their employees and third parties are aware of their data privacy responsibilities in order to comply with regulations and guidelines. Failure to do so can result in detriment to the business and have a lasting effect on their financial posture and their reputation.

Train Your Organisation on GDPR

The distinctions between data privacy and data security are fundamental to understanding how one complements the other.

Data privacy is the interplay between the collection and dissemination of data, technology, public expectation of privacy and the legal and political issues surrounding them. Data privacy considerations arise wherever personal data is collected, stored, used, and/or deleted/destroyed.

Data security is about protecting data against unauthorised access, corruption or theft throughout the data’s entire lifecycle. An organisation cannot have privacy without security.

Privacy legislation, such as the European Union’s General Data Protection Regulation (GDPR), is often referred to as data protection legislation because the primary goal is to set expectations around the collection, use, access and security of personal data – as well as the rights individuals have with respect to their personal data. These laws and regulations aim to protect individuals from lapses in security which would result in improper use of their personal data.

Learn How NAVEX Global Protects Your Data

THE PRINCIPLES OF DATA PRIVACY

Collection Limitation

Personal data should be collected lawfully, fairly and where appropriate and required, with the consent of the data subject.

Data Quality

Personal data must be relevant to the purpose for which it is to be used, and remain accurate and up-to-date.

Security Safeguards

Personal data should be protected using appropriate security safeguards to prevent loss, unauthorised access, destruction, use, modification or disclosure.

Use Limitation

Personal data should not be shared or disclosed other than for the purpose specified unless the data subject has consented or as otherwise required under applicable law.

Purpose Specification

Personal data should only be collected when the purpose for such collection is disclosed at the time of collection. Its subsequent use should be limited to the intended purpose or use that is not incompatible with the stated purpose.

Openness

Personal data should be subject to a general policy of openness about developments, practices and policies. This includes a way to identify personal data, the purpose for its use and the identity of the controller of the personal data.

Individual Participation (Data Subject Rights)

Personal data should be kept in a manner that allows an individual to confirm whether a data controller has their personal data, have information about the personal data communicated to the individual promptly, be provided a reason if the request for information is denied, and have the right to request their personal data be erased, rectified, updated or amended.

Accountability

A data controller should be held accountable for complying with the Principles. These Principles are built on the Organisation for Economic Co-operation and Development's (OECD) eight foundational Principles and have served as the foundation for global data protection legislation.

The GDPR, which became enforceable on 25 May, 2018, is a comprehensive reform of existing EU data protection law, expanding the rights of EU individuals and placing more stringent requirements on organisations that provide goods and services to individuals in the EU.

The new law applies not only to organisations that are located in the EU, but also those located outside the EU that offer goods or services to individuals in the EU. Any organisation that fails to comply with the GDPR can be subject to a fine of 2% - 4% of global annual revenue. Naturally, the more serious the infringement, the higher the anticipated fine. Some other important aspects of GDPR are:

Organisations that are deemed "controllers" under the law must notify an authority within 72 hours of becoming aware of a breach of personal data
Data protection by design and default is required for all personal data processing
Controllers are required to conduct Privacy Impact Assessments, including when assessing vendors and suppliers
Relevant training must be provided to employees reflective of their access to personal data and their job responsiblities
Organisations must determine whether they are required to appoint a data protection officer (DPO)
Compliance must be demonstrable—organisations must determine how they can demonstrate their compliance with the requirements

What is Data Privacy?

What is the European Union (EU) General Data Protection Regulation (GDPR)?