
Data Privacy Challenges

Privacy and data protection are two sides of the same coin, protecting the human right to privacy. Organizations are challenged to bridge many requirements, expectations, and hazards that are part of today’s information economy. Below are some common challenges and recommendations for achieving privacy peace of mind.

Challenge 1: Becoming overwhelmed by complexity

Organizations new to data privacy can become overwhelmed by the sheer complexity of the problem. There are many laws and regulatory guidelines to consider, and just as many areas of overlap as there are of conflicting differences.

Whether you are a California retailer looking to enter the European market, or a Canadian agency helping a UK software company market its product in Japan, it helps to take a principle-based view.

Approach: Ground yourself with foundational privacy principles

Modern privacy laws share a common set of principles that are the bedrock of any privacy and data protection program. As you consider your organization’s specific needs, root yourself in the OECD’s principles for the protection of privacy and personal data, listed below:

  1. Collection Limitation Principle: Collect only as much as you really need.
  2. Data Quality Principle: Inaccurate and irrelevant data benefits no one.
  3. Purpose Specification Principle: Be informative and timely about your actual data uses.
  4. Use Limitation Principle: Be fair and proportionate with your data uses.
  5. Security Safeguards Principle: Practice good security hygiene every time.
  6. Openness Principle: Be transparent and clear about your data practices.
  7. Individual Participation Principle: Honor privacy rights, from requests to complaints.
  8. Accountability Principle: Hold yourself and your partners in demonstrable compliance with applicable rules and policies.

These principles can be the foundation of your privacy management program wherever you operate.

Challenge 2: Not knowing where to start

A common starting challenge is not knowing where personal data exists across your tech stack. From hosted web forms that collect visitors’ registration data, to customer engagement tools like Twilio, to SSO providers like Okta and OneLogin, you’d be amazed how many systems touch your employees’ and customers’ personal data today.

At DataGrail, our data shows that many companies struggle with identifying all systems containing personal data: We’ve found ~50% of third-party systems go undetected by the person in charge of privacy. This includes shadow SaaS applications brought on by different departments outside of a procurement or IT security review process, a risky blind spot for any organization.

Okta suggests the average organization uses upwards of 190 different enterprise applications to conduct business, many of which contain personal data. This opens those companies up to an incomplete picture of their risk profile, which could lead to fines, or worse, a data breach.

Approach: Know thyself through data and processing mapping

Gaining an understanding of your personal data ecosystem is an essential first step and the basis for ongoing compliance activities. Your discovery efforts should focus on:

  • System detection: This process helps you pinpoint and inventory personal data processing systems — known and unknown.
  • Mapping and categorization: This is where you blueprint information about the system and how it is used, down to the categories of personal data being processed. It is important to reduce ambiguities around your processing activities.
  • Benchmarking and reporting: Create snapshots of your processing and data protection practices to comply with obligations such as under GDPR Article 30 (record of processing activity).

If you don’t know where personal data lives, what kind it is, and how it’s used, you won’t know what legal or regulatory obligations you have. By extension, you will not have a clear sense of what technical, organizational, and administrative protections you should apply. Starting with data mapping is not just good for the privacy team — the whole business benefits from actionable visibility.

When it comes to data privacy, organizational ignorance is not bliss.

Challenge 3: Privacy and security teams not working together

Data Privacy and Data Security are separate but overlapping disciplines that must work together to build and maintain trust.

Approach: Recognize differences while supporting mutual goals

What concerns security professionals

Data security teams focus on confidentiality, integrity, availability, and resilience of data environments. It is often technical and prescriptive, requiring a thorough understanding of system interactions and configurations along the lines of:

  • Confidentiality: Access to valuable business information which may or may not relate to an identified or identifiable individual. Per the Security Safeguards Principle, confidentiality helps prevent the unauthorized viewing or disclosure of personal data. Worst-case scenarios lead to personal data breaches and harms like identity theft.
  • Integrity: Keeping data authentic, accurate, and reliable for its intended uses. Per the Data Quality Principle, integrity is the means by which data can be kept correct and current. Data tampering and corruption can lead to a range of harms if that data is used to make legal, professional, or financial decisions about an individual.
  • Availability: Security (and IT) ensure that information systems function properly so that business and personal data can be used by the organization when needed. Taking steps to recover mission-critical data in case of a fire in one of your server rooms is just one example. Per the Accountability Principle, not having availability safeguards in place can in itself be a data protection violation.

What concerns privacy professionals

Data privacy focuses on the collection, use, analysis, and disclosure of personal data. Digital business models bring about particular concerns which revolve around:

  • Identifiability: The ways in which an individual, or their browser or device, can be singled out. For example, your name alone may not be enough to identify you as a customer, but together with your email address and account ID you easily can be.
  • Linkability: The ways in which information can be associated with an individual or stitched together to learn or infer more about the person. When you hear terms like identity graphs, single-customer-view, profiling and targeting, data linkage is involved.
  • Secondary uses: Where personal data is used for something other than the purpose it was originally collected for, which can lead to unexpected, unwanted, and potentially negative outcomes. For example, if a website publisher sells your contact information to a data broker, you may start receiving time-wasting junk mail and email spam.
  • Disclosure to third parties: As much a concern for Security as it is for Privacy teams, it is important to have trust in one’s suppliers, service providers and business partners. If you share your customers’ personal data with another organization, you are responsible for ensuring privacy principles and applicable obligations can be met.
  • Unawareness: This is a whole-business problem. Employees handling personal data should be trained on their privacy and data protection responsibilities. But this implies the business should know what those responsibilities are. Awareness starts with understanding what applies to you.
  • Privacy harms: Is personal data being used correctly? How can individuals be harmed if their data is misused or abused? Harms can range from minor inconveniences like cleaning out spam emails to major consequences like having your identity stolen. Cybercriminals’ goals are often to steal a company’s most valuable information, which is not only trade secrets. Security and Privacy teams care deeply about preventing personal data breaches, and doing what it takes to ensure unauthorized parties keep their mitts off.

With the above in mind, it’s easy to see how security and privacy share many principles and goals. This is one of the reasons minimum security requirements are included in data privacy laws, and why the GDPR enshrines “[personal] data protection by design and by default” as an organizational imperative.

Challenge 4: Underestimating the risk of non-compliance

Besides GDPR, California’s CCPA, Canada’s PIPEDA, China’s PIPL, and Brazil’s LGPD are just a sampling of the comprehensive data privacy laws in effect today. Virginia, Colorado, Utah and Connecticut passed their own privacy laws, and Canada and the United Kingdom are looking at fresh legislative renovations. (Don’t worry, we’ll cover this alphabet soup in the next section.)

Each regime has enforcement mechanisms that can expose your business to potential administrative penalties, and in some cases private lawsuits. Penalties can be staggering. For example, European data protection authorities can fine an organization up to 4% of their annual global revenues.

Penalties can also stack up. The California Privacy Rights Act gives the Privacy Protection Agency powers to fine businesses up to $2,500 per violation or $7,500 per intentional violation.