Data Privacy: The Ultimate Guide

Today, data privacy is the new strategic priority for many companies. Prioritizing data privacy boils down to two key drivers:

• Almost all business operations and services are data driven.
• Users, stakeholders and governments are well aware of the associated information security risks as well as their rights to privacy.

Indeed, the awareness piece has grown significantly, both leading to and because of stringent data privacy regulations, including GDPR and CCPA, the California Consumer Privacy Act. (First time on Splunk.com? You might see a pop-up banner specifically for you to opt in or out.)

So, let’s take a look at the concept of data privacy and what’s behind it. In this article, we will review how the processes and technologies behind data-driven operations call for heightened data security measures.

Defining data privacy

Data privacy is a concept that can govern how you collect, storage, manage and share data. The concept also covers whether you need to align with any government or industry laws and regulations.

We can say that data privacy spans two areas that are sometimes at odds: what technology is capable of, and what human beings and governments think is appropriate or lawful.

Though the privacy of your data certainly affects individuals, the concept applies mostly to how organizations, governments and private businesses use your data and your personal information. (Technically, data privacy is also shorthand for information privacy. Though there are some technical differences, the concepts can be similar.)

Here we can see the growing search interest in both "data privacy" (the lower, blue line on the left) and "information privacy" (the upper, red line on the left). Globally, more users started searching for “data privacy” instead of “information privacy” around fall 2015. (From Google Trends.)

Government institutions and consumers expect business organizations to demonstrate competence with data privacy by:

• Safeguarding sensitive personally identifiable user information (PII) in secure private cloud and in-house data centers.
• Providing users with an easy and transparent mechanism to access and remove personal information.

This brings us to the primary driver: all business operations and services, in some form, are data-driven.

(Related reading: data management vs. data government, data classification, AI ethics and data observability.)

Drivers for data privacy

Today’s business landscape is highly dynamic and competitive. The only real way to stand out? Making correct decisions about customer preferences and the future state. This is a significant change — making “correct” decisions is not something you can know until you’ve got hindsight.

In the not-so-distant past, large enterprises would rely on brand reputation and historical trends to forecast customer demands and market trends. Now, the market reacts to news stories and customer sentiments that can change rapidly, going viral without much predictability.

That’s just one reason that business organizations need to analyze operations and processes in real-time.

In order to make intelligent decisions based on real-time information, businesses collect data streams from all sorts of places that might give a hint which way a market might go — all the way down to individual actions and activities:

• Social media channels
• Online customer interactions
• IoT devices and sensors
• Network logs
• Hardware and software systems

Reactive programs for data privacy are inefficient and do not sufficiently meet the mandate of strict compliance regulations.

Advancements in AI have opened new avenues for cybercriminals to exploit leaked data for sensitive customer information. A popular example is the adversarial and generative AI, which can train on partially available customer data to generate sensitive and personally identifiable information (PII). This information can be used for:

• Spear-phishing & other targeted cyberattacks
• Illegal access/usage to financial accounts of the victims

(Understand more threats to know if your data is at risk.)

Capabilities of data privacy programs

In order to protect your users from such cyberattacks, your data privacy programs should do these things, at a minimum:

• Discover assets, data workloads and the dependencies between them. Extend the risk attributes to dependent assets and the data processed using those assets. 
• Create a risk profile in the context of data privacy. Consider attributes that are not limited to your business performance metrics. For instance, risk exposure based on data location (in-house data centers vs. public cloud environments).
• Enforce controls on data access based on the Principle of Least Privilege Access.
• Dispose of information that is no longer required by the business.
• Encrypt all sensitive information! At storage and in transit.
• Establish mechanisms for data breach detection and notifications to potentially compromised user accounts.
• Analyze data workflows and usage patterns to detect abuse and unauthorized use of customer data.
• Train your employees to adopt data privacy best practices.
• Update your data governance standards and policies to reflect the requirements of the latest data privacy regulations.

Challenges with data privacy

While these strategies can help reduce risks related to data privacy, organizations should also recognize the common limitations.

Difficult to defend against user malpractice

First, it is challenging to defend against data privacy malpractices, abuse and theft coming from insiders. The insider element is responsible for 95% of all cybersecurity incidents. And while organizations can introduce limitations to reduce the insider related data privacy risk, they may have limited visibility and control over third-party data privacy malpractices and violations. It is possible that third-party access may be legitimate and necessary to deliver a required business service, but regulations such as GDPR require businesses to maintain unprecedented visibility into data handling by third-party services.

Take a data-centric and zero-trust approach to address these limitations. It requires consolidated controls and intelligence into all processes, handling and modification of data workloads:

• Continuously assess the trust by evaluating how third-party tools and API requests are processed and used to interact with sensitive customer data.
• Establish security measures that can dynamically assign security policies and controls to individual data workloads.
• Use data loss prevention (DLP) tools to reduce the risk of a data breach. Additionally, encrypt sensitive information to help eliminate risk of misuse against compromised user data.

(Learn about third-party risk management.)

Marketing departments want personalization

Then there are limitations within the business models of data-driven organizations. Personally identifiable and targeted data collection is necessary to produce tailored online services. Even when users are unwilling to share their vast digital footprint, new digital engagement models work effectively only when holistic customer information is collected and used to train decision intelligence models in real-time.

A common example is the recommendations engine in ecommerce sites or algorithms on social media sites. These services work effectively for individual customers only when relevant data is collected. Naturally, this also exposes the business to data security and data privacy risks.

You can only personalize online services (well or poorly) by already having some sense of what a user, or a type of user, might want to see. This requires gathering significant data about that user. But is any given organization treating the data privately, as outlined above? It’s not easy.

Data privacy: the choice is rarely yours

Many people globally care about the privacy of their data. They make take extra steps to help protect their own data: using VPNs and secure browsers, encrypting their online searches and communications, and more.

Still, if you’re paying for products or using services online, those vendors are holding your data. Which companies and organizations will you trust to keep your data safe?