At Data Summit 2022 in Boston, Jeff Jockisch, CEO, CIPP/US, PrivacyPlan and Data Collaboration Alliance, presented a workshop on what everyone needs to know now about data privacy and security.
The presentation provided an overview and update for professionals who interact with data privacy functions and want to understand data privacy and security better.
Jockisch covered the widely varying regulatory environment and the ways in which businesses are responding (and failing to respond), as well as what's changed to make data privacy so relevant today. He touched on fair information practices, the legislative landscape, and how businesses can best secure their data.
Data Summit 2022 is taking place May 17 – 18 at the Hyatt Regency Boston with pre-conference workshops on May 16. Many Data Summit 2022 presentations are available for review at www.dbta.com/DataSummit/2022/Presentations.aspx.
Data Privacy Recognition
Data privacy is becoming better understood as a critically important part of business, and also becoming better understood by individuals. With the rise of data privacy regulations, it is important for companies to be attentive, since some carry severe financial fines or even, in some countries, actual jail time. "Privacy laws can no longer be ignored with impunity," Jockisch told attendees.
Laws governing privacy can be categorized in buckets as information privacy, communication privacy, bodily privacy, and territorial privacy, but it is important to consider them all since there is overlap. Privacy touches everything, he emphasized.
Jockisch outlined some of the many federal data privacy laws, such as HIPAA (healthcare), GLBA (finance), COPPA (children’s data), FCRA (credit reporting), as well as some of the state data privacy laws and data breach laws.
8 Key Data Privacy Principles
To stay on the road to compliance, there are 8 basic data privacy principles or rules of thumb that companies should follow, he advised:
1. Collection Limitation: Only collect the data required to do a job. Collecting extra data can come back to bite you if there is a breach.
2. Data Quality: Accurate, up-to-date information is important for algorithms. If it is not accurate, there is no point.
3. Purpose Specification: Companies need to tell people what they are collecting data for and get their consent.
4. Use Limitations: If a company says it is using data for one purpose, it can't also use it for something else without additional consent.
5. Security Safeguards: Companies should enforce safety protocols.
6. Openness: Companies should be open and transparent with privacy notices and consent.
7. Individual Participation: There should be the ability for individuals to see information about them and correct errors.
8. Accountability: All individuals in an organization need to be responsible for how they handle data and its safety.
In Europe, data privacy is considered a right but in the U.S. it is looked upon as a transaction involving notice and consent, Jockisch said. However, the notice-and-consent paradigm is broken since there are simply too many privacy notices, and no one actually reads them.
More laws are on the way regarding data privacy, Jockisch added, and there is also growing recognition of the need for certified auditors who can check a company’s data-handling practices similar to the way in which CPAs check a company’s accounting practices.