Privacy_Data_Protection

Privacy_Data_Protection CS College Level

Uploaded by

SODEAD

What is Data Privacy?

Data privacy refers to the right of individuals to control how
their personal information is collected, used, and shared by
organizations. It encompasses the principles of transparency,
consent, and individual autonomy, ensuring that individuals
have a say in how their data is handled. For instance, when
you sign up for a social media platform, you expect that your
personal information will be kept private and not shared with
third parties without your consent.

Data privacy generally means the ability of a person to
determine for themselves when, how, and to what
extent personal information about them is shared with or
communicated to others. This personal information can be
one's name, location, contact information, or online or real-
world behavior. Just as someone may wish to exclude people
from a private conversation, many online users want to
control or prevent certain types of personal data collection.

As Internet usage has increased over the years, so has the
importance of data privacy. Websites, applications, and social
media platforms often need to collect and store personal data
about users in order to provide services. However, some
applications and platforms may exceed users' expectations for
data collection and usage, leaving users with less privacy than
they realized. Other apps and platforms may not place
adequate safeguards around the data they collect, which can
result in a data breach that compromises user privacy.

Why is data privacy important?

In many jurisdictions, privacy is considered a fundamental
human right, and data protection laws exist to guard that
right. Data privacy is also important because in order for
individuals to be willing to engage online, they have to trust
that their personal data will be handled with care.
Organizations use data protection practices to demonstrate to
their customers and users that they can be trusted with their
personal data.

Personal data can be misused in a number of ways if it is not
kept private or if people don’t have the ability to control how
their information is used:

• Criminals can use personal data to defraud or harass
users.

• Entities may sell personal data to advertisers or other
outside parties without user consent, which can result
in users receiving unwanted marketing or advertising.

• When a person's activities are tracked and monitored,
this may restrict their ability to express themselves
freely, especially under repressive governments.

For individuals, any of these outcomes can be harmful. For a
business, these outcomes can irreparably harm their
reputation, as well as resulting in fines, sanctions, and other
legal consequences.

In addition to the real-world implications of privacy
infringements, many people and countries hold that privacy
has intrinsic value: that privacy is a human right fundamental
to a free society, like the right to free speech.

What is Data Protection?

Data protection goes hand in hand with data privacy,
encompassing the measures and safeguards put in place to
ensure the confidentiality, integrity, and availability of data. It
involves implementing technical, organizational, and
procedural controls to prevent unauthorized access,
disclosure, alteration, or destruction of data. For example,
encryption and access controls are common data protection
measures used to safeguard sensitive information from
unauthorized access.

What are some of the challenges users face when protecting
their online privacy?

Online tracking: User behavior is regularly tracked
online. Cookies often record a user's activities, and while most
countries require websites to alert users of cookie usage,
users may not be aware of the degree to which cookies are
recording their activities.

Losing control of data: With so many online services in
common use, individuals may not be aware of how their data
is being shared beyond the websites with which they interact
online, and they may not have a say over what happens to
their data.

Lack of transparency: To use web applications, users often
have to provide personal data like their name, email, phone
number, or location; meanwhile, the privacy policies
associated with those applications may be dense and difficult
to understand.

Social media: It is easier than ever to find someone online
using social media platforms, and social media posts may
reveal more personal information than users realize. In
addition, social media platforms often collect more data than
users are aware of.

Cyber crime: Many attackers try to steal user data in order to
commit fraud, compromise secure systems, or sell it on
underground markets to parties who will use the data for
malicious purposes. Some attackers use phishing attacks to try
to trick users into revealing personal information; others
attempt to compromise companies' internal systems that
contain personal data.

What are some of the challenges businesses face when
protecting user privacy?

Communication: Organizations sometimes struggle to
communicate clearly to their users what personal data they
are collecting and how they use it.

Cyber crime: Attackers target both individual users and
organizations that collect and store data about those users. In
addition, as more aspects of a business become Internet-
connected, the attack surface increases.

Data breaches: A data breach can lead to a massive violation
of user privacy if personal details are leaked, and attackers
continue to refine the techniques they use to cause these
breaches.

Insider threats: Internal employees or contractors might
inappropriately access data if it is not adequately protected.

What are some of the most important
technologies for data privacy?

• Encryption is a way to conceal information by
scrambling it so that it appears to be random data.
Only parties with the encryption key can unscramble
the information.

• Access control ensures that only authorized parties
access systems and data. Access control can be
combined with data loss prevention (DLP) to stop
sensitive data from leaving the network.

• Two-factor authentication is one of the most
important technologies for regular users, as it makes it
far harder for attackers to gain unauthorized access to
personal accounts.

These are just some of the technologies available today that
can protect user privacy and keep data more secure. However,
technology alone is not sufficient to protect data privacy.

Data privacy is the branch of data management that deals
with handling personal data in compliance with data
protection laws, regulations, and general privacy best
practices.

Ensuring data privacy involves setting access controls to
protect information from unauthorized parties, getting
consent from data subjects when necessary, and
maintaining data integrity.

Data privacy needs to be a top priority for businesses. Failure
to comply with data privacy regulations can lead to big losses.
Think legal action, steep financial penalties, and brand
damage.

Ensuring data privacy is part of the larger topic of data
governance. Data governance requires organizations to know
what data they have, where it’s stored, how it flows through
their IT systems, and how it’s used. Data governance best
practices allow organizations to maintain data integrity
and trust in their data.

Personal data protection

Any data may be sensitive, from a company’s earnings
information to sales figures or product roadmaps. Among the
most sensitive data is information about people — personal
data about any identified or identifiable individual. Personally
identifiable information (PII) can be almost anything. PII isn't
always as obvious as a name or Social Security number.
Sometimes, it's another identifier such as an IP address or
cookie information. If it’s possible to identify an individual
based on a data field or record, that data is personal data.

The importance of data privacy in today's business world
cannot be overstated. In most of the world, personal data —
such as credit card information or personal health information
— is subject to data privacy laws.

GDPR and other data regulations

Data privacy laws specify how data should be collected,
stored, and shared with third parties. The most widely
discussed data privacy laws include:

GDPR: The European Union’s General Data Protection
Regulation (GDPR) is the most comprehensive data privacy
law in effect. It applies to European Union citizens and all
companies that do business with them, including companies
not based in Europe. GDPR gives individuals the right to
determine what data organizations store, request that
organizations delete their data, and receive notifications of
data breaches. Noncompliance may result in hefty fines and
legal action.

CCPA: The California Consumer Privacy Act (CCPA) is a state-
level regulation in the United States. It enables California
residents to ask organizations what personal data exists about
them, delete it on request, and find out what data has been
given to third parties. These measures apply to consumer data
gathered within the state.

Data sovereignty as part of data privacy laws

Data sovereignty is the concept that data is subject to the
laws of the location in which it's collected. For example, in
July 2020, the Schrems II ruling decided that, according to
GDPR, consumer data for customers in the EU must be hosted
on servers within the borders of the EU.

Think of data sovereignty as a way to make sure that
user data stays close to home for its own protection. By
dictating where data can be stored and processed,
governments aim to keep their citizens' data from falling into
the wrong hands.

Data sovereignty becomes critical when looking at cloud
service providers. GDPR compliance, or future regulations,
may require you to store certain data on servers in certain
jurisdictions.

What are Data Privacy Laws?

As technological advances have improved data collection and
surveillance capabilities, governments around the world have
started passing laws regulating what kind of data can be
collected about users, how that data can be used, and how
data should be stored and protected. Some of the most
important regulatory privacy frameworks to know include:

• General Data Protection Regulation (GDPR): Regulates
how the personal data of European Union (EU) data
subjects, meaning individuals, can be collected, stored,
and processed, and gives data subjects rights to control
their personal data (including a right to be forgotten).

• National data protection laws: Many countries, such as
Canada, Japan, Australia, Singapore, and others, have
comprehensive data protection laws in some form.
Some, like Brazil's General Law for the Protection of
Personal Data and the UK's Data Protection Act, are
quite similar to the GDPR.

• California Consumer Privacy Act (CCPA): Requires that
consumers be made aware of what personal data is
collected and gives consumers control over their
personal data, including a right to tell organizations
not to sell their personal data.

There are also industry-specific privacy guidelines in some
countries: for instance, in the United States, the Health
Insurance Portability and Accountability Act (HIPAA) governs
how personal healthcare data should be handled.

However, many privacy advocates argue that individuals still
do not have sufficient control over what happens to their
personal data. Governments around the world may pass
additional data privacy laws in the future.

#4.3.C:

Data Security Threats

Here are a few of the most common threats facing
organizational data.

Social Engineering Attacks

Social engineering attacks are the primary medium used by
attackers to gain access to sensitive data. This includes
manipulating or deceiving individuals to provide personal
information or access privileged accounts.

Phishing is a common form of social engineering. This includes
messages that appear to come from a trusted source, but are
actually sent by an attacker. If an employee is convinced to
provide personal information, click a malicious link, or open a
malicious attachment, the attacker can compromise the user’s
device or account and gain access to the corporate network.

Security Misconfiguration

If a computing system does not have security settings properly
defined, or is kept with the default username and password, a
security misconfiguration occurs. This typically means that a
system’s configuration does not comply with security
standards, such as CIS benchmarks, the OWASP Top 10, or
specific compliance requirements.

If an administrator or developer does not properly configure
security for an application, website, server, or workstation,
the system may be wide open to attackers.

Misconfiguration is widely cited as one of the biggest security
threats in a cloud environment, and the risk is also present in
an on-premises environment. It can lead to large-scale data
breaches and can have economic consequences such as
temporary loss of business, damage to reputation, revenue
loss, exposure to lawsuits, and regulatory fines.

Shadow IT

Unauthorized use of third-party software, applications, or
Internet services in the workplace, known as shadow IT, is
difficult for IT departments to track. Shadow IT is very
common because employees habitually use applications they
know from their personal lives, which are more efficient,
lightweight, and easier to use than company-approved
alternatives.

Shadow IT creates a blind spot in an organization’s data
security strategy, making it difficult to identify what data is
stored on unauthorized services. Even more dangerous is the
weak security of these third-party services. This could lead to
data breaches, and also represents a major compliance risk—
an organization could face lawsuits or fines because sensitive
data was stored by an employee on unauthorized services.

The main cause of shadow IT is that a company cannot
provide its employees with the tools they need to get the job
done. Organizations must have an open dialogue with their
employees and do their best to understand and satisfy their
technical needs. DLP tools can also be used to prevent
employees from uploading sensitive information to third-party
services, and to monitor data transfers to better understand the
impact of shadow IT.

Ransomware

Ransomware is a top priority, if not the highest priority, in any
organization’s cybersecurity program, and it directly affects
data security. In a ransomware attack, the victim’s computer
is infected by malware that encrypts valuable files, or entire
devices, making it impossible for victims to use the equipment
and data. To regain access to the device or data, ransomware
demands that the victim pay a ransom.

Ransomware is becoming a huge global business for
cybercriminals, and techniques are evolving rapidly.
Ransomware as a Service (RaaS) provides large groups of
hackers easy access to advanced ransomware technology. In
addition, new types of ransomware use a double extortion
technique—before they encrypt files, they transmit them to
the attacker, who threatens to make them publicly available if
the ransom is not paid.

Ransomware can spread through malicious email
attachments, infected software applications, infected external
storage devices, infected websites, and vulnerabilities in
commonly deployed applications.

Advanced Persistent Threat Attacks

An Advanced Persistent Threat (APT) is a targeted network
attack that goes undetected for a long period of time after
attackers penetrate the network. The purpose of APT attacks
is not to compromise systems or networks, but rather to
monitor network activity and steal data over a prolonged
period of time. Cybercriminals often use APT attacks to target
high-value targets, such as large corporations and government
institutes, to steal valuable or strategic data.

$.3C3:

Key Data Protection Challenges

The ever-expanding data landscape presents many data
protection challenges, at both individual and organizational
levels, such as:

• Balancing Security and Privacy - Robust security measures
are crucial for safeguarding sensitive information.
However, these measures can sometimes come at the
expense of user privacy. Finding the right balance
between strong security and individual control over
personal information remains a complex task.
• Data Ownership and Control - Who truly owns the data
we generate online? Data protection regulations
empower individuals with some control over their data,
but the concept of ownership in this digital age remains a
complex and evolving issue.
• Cross-Border Data Flows - Information can be easily
transferred and stored across geographical boundaries.
Countries have varying data privacy regulations, making it
difficult for organizations to ensure compliance when user
data is located in different jurisdictions.
• The Rise of Third-Party Data Sharing - Companies
often share user data with third-party vendors for various
purposes like marketing or analytics. Individuals may not
be aware of the extent of data sharing or who has access
to their information. Data protection regulations are
increasingly focusing on transparency and user control
over such third-party data-sharing practices.
• Evolving Regulatory Landscape - Regulations in the world
of data protection are constantly changing. New laws,
such as GDPR and CCPA, have raised the bar for data
privacy protection, but complying with a growing number
of regulations across different countries and regions can
be a complex and costly endeavor for organizations.
Businesses operating globally need to navigate this
complex regulatory landscape to ensure they are
protecting user data in accordance with the relevant laws.
• Data Visibility - With the massive amount of data
exchanged daily, understanding what data exists, where it
resides, who can access it, and how it is transmitted
becomes critical for organizational data security. CISOs
(Chief Information Security Officers) are naturally
concerned about visibility, as it forms the foundation for
proactive security measures. Without a clear picture of
their data landscape, organizations struggle to implement
effective protection strategies.
• Identifying Data Requiring Protection - Not all data is
equal. Some information, like financial records or health
data, requires extensive protection. Other information, like
publicly available marketing materials, can be shared more freely.
Implementing a data classification solution helps
organizations apply markers to sensitive data, allowing
streamlined secure exchanges without unnecessary
restrictions that could hinder productivity.
• Proliferation of Devices - The surge in connected devices,
from laptops and smartphones to wearables and smart
home devices, poses challenges in securing data across
various platforms and endpoints. Organizations need to
develop comprehensive security strategies that address
the unique vulnerabilities of these diverse devices.
• Increasing Maintenance Costs - As data volumes grow,
maintaining robust security measures becomes costlier
and more complex. Organizations need to find ways to
scale their security infrastructure efficiently while
ensuring adequate protection of their data.
• Access Control Complexity - In many industries, managing
access control for data is difficult due to diverse user roles
and permissions. Employees may need access to specific
datasets for their job functions, but not others.
Organizations need to strike a balance between providing
users with the access they need and preventing
unauthorized access to sensitive information.
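
The sketch below is an added example, not part of the original notes. It ties the data classification point above to the earlier remark that PII can be an IP address or cookie information, not only a name or Social Security number. The labels (RESTRICTED, PERSONAL, PUBLIC), the field names, and the sample records are all constructed assumptions, and only pattern-matchable identifiers are detected.

```python
import ipaddress
import re

# Constructed patterns for direct identifiers (illustrative, US-style SSN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IP_CANDIDATE_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Hypothetical field names that usually carry indirect identifiers.
INDIRECT_FIELDS = {"cookie", "session_id", "device_id", "client_ip"}

# Constructed sample records; none of these values refer to a real person.
SAMPLE_RECORDS = [
    {"name": "Jane Example", "note": "SSN 000-12-3456 on file",
     "contact": "jane@example.com"},
    {"page": "/pricing", "client_ip": "203.0.113.7", "cookie": "sid=abc123"},
    {"title": "Spring catalogue", "version": "2.4.1"},
]


def find_identifiers(field, value):
    """Return the set of identifier types found in one field of a record."""
    found = set()
    text = str(value)
    if SSN_RE.search(text):
        found.add("ssn")
    if EMAIL_RE.search(text):
        found.add("email")
    for candidate in IP_CANDIDATE_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects e.g. 999.1.1.1
            found.add("ip_address")
        except ipaddress.AddressValueError:
            pass
    if field.lower() in INDIRECT_FIELDS and text:
        found.add("indirect_id")
    return found


def classify_record(record):
    """Return (label, {field: identifier types}) for one record."""
    per_field = {f: find_identifiers(f, v) for f, v in record.items()}
    per_field = {f: ids for f, ids in per_field.items() if ids}
    all_ids = set().union(*per_field.values())
    if all_ids & {"ssn", "email"}:
        label = "RESTRICTED"   # direct identifier present
    elif all_ids:
        label = "PERSONAL"     # only indirect identifiers (IP, cookie)
    else:
        label = "PUBLIC"
    return label, per_field


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify_record(rec))
```

The second sample record contains no name or account number, yet it is still labelled as personal data because of its IP address and cookie fields.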
