Learn Data Privacy Laws and Regulations

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the importance of data privacy.
  • Describe how privacy laws apply to your organization.
  • Outline customer expectations regarding privacy.

Privacy Introduction

As a security professional, it’s important to stay informed of the latest privacy laws that apply to your organization, especially if your organization handles customers’ personal data. Why is this so important? Ensuring your customer and employee data is protected is paramount to establishing and maintaining trust. In this module we’re going to review the tools for implementing an effective privacy program.

If your organization stores and processes customer data, your customers trust you to protect, use, and process their data securely, in accordance with applicable laws. This data can include personal data such as contact, healthcare, or financial information, or business-related information such as expenditures, marketing, or analytics data.

Regardless of what type of data you process or store, it’s important to keep it safe. In addition to processing or storing customer data, your organization is accountable for its own data, including knowledge about prospective customers, employee information, financial data, and more.

So how do you ensure this data is protected? For starters, you should be aware of and follow the privacy laws that apply to you; this unit introduces them. To document compliance with those laws and protect both yourself and your customers, it’s a good idea to have agreements in place whenever you collect customer data. These agreements should detail how your organization will keep customer data secure and confidential. As an example, most international airlines are required to state on their public websites how they protect a customer’s privacy, what data they collect, why they collect it, and how it’s used, assessed, safeguarded, and stored.

Why Privacy Matters

Let’s step back for a moment and review the concept of privacy and what it means. Privacy relates to how a piece of information (data) should be managed and protected based on its sensitivity and on the expectations of the person it describes.

Data privacy has become a hot topic lately due to lapses in security and concerns about how companies use the customer data they collect. Data privacy concerns are particularly important for companies in sectors such as finance and healthcare. These sectors hold sensitive information and are typically highly regulated. They are also increasingly targeted by cyberattacks, which if successful may result not only in loss of this data, but also in loss of consumer confidence.

Let’s look at an example. When you apply for a credit card, you’re typically required to provide your legal name, birthdate, address, government-issued identification number, and annual income. That’s a lot of information! Not only is this information used to verify your identity, but it also allows the credit card company to check your credit history. This information is considered your personal data, and the credit card company is required to put security measures in place to protect it.

In this example, privacy means that the credit card company is responsible for protecting your personal information against unauthorized disclosure, that they’re transparent about how they use your personal data, that they use the data in accordance with applicable laws, and that you agree to the use of your data for a certain purpose.

(Image: A laptop shows a person applying for a credit card online, next to a file folder filled with dollar signs and credit cards, overlain by a shield.)

Privacy Terminology

Before we dive deeper into privacy laws, let’s review some basic definitions.

Customer data: The information a customer provides while interacting with a business whether via a website, mobile application, social media, and more.

Data subject: An individual whose personal data is collected, held, or processed.

Personal data: Any information relating to a data subject who is identified or identifiable, whether directly (for example, a name, home address, or passport number) or indirectly (for example, an account ID, device identifier, or a combination of attributes that together single out one person).

Sensitive personal data: Some types of personal data are considered sensitive and are subject to stricter regulation. This may include data about race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a person's sex life or sexual orientation.

Processing: Any operation or set of operations on data (for example, access, collection, recording, retrieval, copying, storage, disclosure, dissemination, and so on).

Controller: An individual or entity that determines the purposes and means of processing personal data.

Processor: An individual or entity that processes personal data on behalf of a controller.

Custodian (or handler): The individual responsible for the safe custody, transport, and storage of the data, and for implementing the business rules that apply to it.

Data Protection Authority (DPA): An independent public authority, usually national, tasked with protecting data and privacy and with monitoring and enforcing data protection regulations. Under GDPR, each EU member state designates one or more DPAs.

Your organization can act as both a processor and a controller, depending on the situation and the data involved. It’s helpful to think of the roles of processor and controller in terms of how responsibilities are allocated between parties. Your customers can likewise be controllers or processors. As a rule, your organization acts as a processor when it handles personal data on a customer’s behalf and under the customer’s instructions, and as a controller when it decides for itself why and how the data is processed (for example, for its own employee, billing, or marketing data). The same dataset can therefore place you in different roles for different purposes, so the role should be settled in the contract before processing starts.

Privacy Laws

Depending on where your organization operates, you may need to adhere to location-specific privacy laws. If your organization operates globally, it’s important to implement policy requirements applicable to the country of operation. For example, if your organization operates in Japan, you are subject to the Act on the Protection of Personal Information.

Privacy laws exist to protect individuals with respect to their personal data. They also regulate how personal data can and cannot be used. Let’s take a closer look at what privacy laws address.

  • Whether personal data can be collected and processed
  • What and how information should be provided around data processing practices
  • Who can access and use the personal data
  • How personal data can be processed
  • How the data should be secured
  • When to delete or amend the data
  • Who is allowed to transport or have custody of the data
  • Where and how personal data can be transferred to other countries
  • How security incidents are handled
  • What rights data subjects have regarding their personal data

Globally, there are two types of privacy laws: comprehensive (applicable to all industries and sectors) and sectoral (applicable to specific industries or sectors). In the US, the federal government has historically taken a sectoral approach. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects data that reveals an individual’s health status (called protected health information, or PHI) when it is held by covered entities such as health plans and providers, and by their business associates.

There is no comprehensive federal privacy law in the US. One federal law that reaches across industries, though only for a specific group of people, is the Children’s Online Privacy Protection Act (COPPA), which regulates how online services may collect and use personal information from children under the age of 13.

In the absence of a comprehensive national privacy law, several states have taken the initiative to enact their own privacy legislation, including:

  • California - California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
  • Virginia - Virginia Consumer Data Protection Act (VCDPA)
  • Connecticut - Connecticut Data Privacy Act (CTDPA)
  • Utah - Utah Consumer Privacy Act (UCPA)
  • Colorado - Colorado Privacy Act (CPA)

These states have enacted their own privacy legislation, and many more states are considering or drafting similar laws. By passing their own privacy laws, these states provide protection for their residents, which means an organization operating nationally must track which state laws apply to the individuals whose data it holds.

In contrast, the European Union (EU) and the European Economic Area (EEA) take a comprehensive approach through the General Data Protection Regulation (GDPR). GDPR applies to all controllers and processors established in the EU or EEA, irrespective of their industry or sector, and also to organizations outside the EU and EEA that offer goods or services to, or monitor the behavior of, individuals located there. There are also some sector-specific laws in Europe, such as the rules for the telecoms and electronic communications sector.

While not an exhaustive list, many other countries across the globe, including Japan, Australia, China, Canada, Brazil, Argentina, India, and South Africa, have their own privacy laws or are drafting them. Even though each country may have its own law, most privacy laws across the globe are based on the same core principles.

  • Fairness and Transparency
  • Purpose Limitation
  • Data Minimization
  • Accuracy
  • Data Deletion and Retention
  • Security
  • Accountability
  • Individual Rights
  • International Transfers
  • Data Privacy Impact Assessments

We take a closer look at these principles in the next unit.

Customer Contracts and Service Level Agreements

In addition to complying with privacy laws, organizations include privacy commitments in customer contracts or service level agreements (SLAs). These commitments spell out how your organization may and may not use personal data, including the restrictions that applicable law requires.

International Privacy Certifications and Standards

In addition to privacy laws, your organization may also be required to comply with certain certifications and standards that impose comprehensive privacy requirements. These certifications and standards vary by industry, but may include:

  • International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27001 and 27018: 27001 specifies requirements for an information security management system (ISMS), and 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors
  • System and Organization Controls (SOC) reports (formerly Service Organization Control), which are independent auditor reports that help companies establish trust and confidence in their service delivery processes and controls
  • TRUSTe certification, which enables organizations to demonstrate responsible practices consistent with standards for privacy accountability
  • International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) 27701, which is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. It provides guidelines for the processing of PII and helps organizations establish, implement, maintain, and continually improve their Privacy Information Management System (PIMS).

Privacy Policies

Your organization should abide by the commitments made to customers when you collect personal data from individuals. Also, your organization should maintain a privacy statement on your public website that describes the types of data you collect from users of your websites and how you use and share that data. The commitments you make in that privacy statement should be consistent with the ones you make in the contracts you sign with your customers. The same is true for internal privacy policies and employee notices that detail how you collect, use, share, and process employee data.

Sum It Up

You now have a better understanding of privacy concepts, laws, and customer expectations. In the next unit, we cover privacy principles and how you can apply them to protect your organization.
