As data continues to dominate as a driver of enterprise value, challenges surface in understanding, handling, and operating enterprise-grade data. Privacy laws and sensitive data pose a significant obstacle for organizations navigating the world of data; as laws become more rigid, enterprises must be prepared to face security threats while ensuring privacy compliance.
Jeff Jockisch, CEO of PrivacyPlan and partner at Avantis Privacy, offered his expertise in data privacy and privacy laws at the annual Data Summit’s pre-conference workshop, “Essentials of Data Privacy and Security,” highlighting the ways in which evolving technology and consumer preferences affect information practices and data security.
The annual Data Summit conference returned to Boston, May 10-11, 2023, with pre-conference workshops on May 9.
Jockisch first explored the basics of personal data, explaining that “specific elements like name, SSN, income, address, etc. that are specific to an individual make up personal data.” Under the umbrella of personal data exist two categories: sensitive personal information (SPI) and personal information (PI), which can also be referred to as personal data (PD) or personally identifiable information (PII).
Ultimately, what matters is knowing which of the information being collected is sensitive, or is not publicly available and is regulated by a series of laws. These laws, such as FCRA, OECD, HIPAA, or GDPR, have evolved as concern over privacy has increased over the years. This raises the question, though: why is privacy important?
Jockisch outlined a few principles that highlight the significance of privacy:
- Privacy is critical to freedom.
- Privacy is power against large organizations.
- Privacy protects information that individuals do not want shared publicly.
Privacy affords individuals certain powers and protections that, under law, ensure that their sensitive information cannot be exploited. These laws operate around a few principles that any organization should be familiar with, including:
- Collection limitation, or only collecting the data elements required to do the job.
- Data quality, which dictates that accurate, up-to-date data is required to prevent misinformation.
- Purpose specification, where organizations must inform the data subject what the intent is behind that data being collected.
- Use limitation, or not collecting data for one purpose and then using it for another without consent.
- Security safeguards, which demand a reasonable level of security for data.
- Openness, or transparency of data collection, existing as privacy notices, consent frameworks, and reporting.
- Individual participation or user consent, affording customers the ability to see the information an organization holds about them as well as the ability to fix any errors.
Despite the apparent severity of sensitive information, many enterprises choose to ignore data privacy, whether because of knowledge gaps, lack of enforcement, its low ranking among task priorities, or treating revenue as more critical than privacy.
Jockisch further highlighted data privacy tenets put forth by Google’s privacy report; ultimately, an organization that wants customer data must make it meaningful, memorable, and manageable. In other words, customers will share their data with companies that demonstrate a clear value proposition; when customers remember the choices they made about data sharing, they will have a more positive experience; and when customers feel they lack control over their personal data, they can become skeptical of digital marketing.
Many Data Summit 2023 presentations are available for review at https://www.dbta.com/DataSummit/2023/Presentations.aspx.