Data Privacy: 4 Things Business Professionals Should Know


04 Mar 2021, Catherine Cote (Author, Staff), tag: Analytics

Data is a powerful resource that’s at the disposal of nearly every organization. It's collected every time an action is taken online, a product is purchased, and a patient visits a doctor. With so much data available, it’s beneficial to know how to use it to drive impactful decisions in your organization.

But what rights do customers have when it comes to their privacy? How can you navigate those rights and uphold their trust and safety? Data privacy is an imperative field to understand as a data-driven professional. Here’s a primer on what data privacy is and four things you need to know.

What Is Data Privacy?

Data privacy, also known as information privacy, is a subcategory of data protection that encompasses the ethical and legal obligation to protect access to personally identifiable information (PII).

In the Harvard Online course Data Science Principles, taught by Harvard Professor Dustin Tingley, it’s explained that data privacy is made up of three key questions:

- What data is collected?
- How is the data stored?
- Who can access the data?

Considering these questions can help you determine how to ensure the privacy of sensitive data without hampering its usefulness to your organization.

Related: Data Governance: A Primer for Managers

Data Privacy vs. Data Security

There’s a distinction between data privacy and data security, which together make up the field of data protection. Although they aid each other and share common goals, they have different focuses and implementations.

Data security focuses on systems in place that prevent malicious external attempts to access, steal, or destroy data, whereas data privacy focuses on the ethical and legal use and access to sensitive data and PII.

To illustrate the difference, imagine you work at an e-commerce company that stores its customers’ demographics, contact information, and credit card details. Customers freely and ethically provided this information, and your organization is in compliance with applicable privacy laws. The data is only accessible to members of your organization who need it to do their jobs and securely stored in an internal database. Data privacy encompasses all of these measures.

Now, imagine a third-party source tries to hack into your company’s database with malicious intent. This is where data security comes in. Two-factor authentication, data file encryption, and virtual private network (VPN) access are all examples of data security measures that can help protect your customers’ sensitive information and identities.

Data security and data privacy work together to ensure your customers’ safety and anonymity. Here are four things you should know about data privacy to help your organization collect and handle data with ethical and legal integrity.

4 Things to Know About Data Privacy

1. What Constitutes Personally Identifiable Information?

Personally identifiable information is any information that can be linked to a specific person. Examples of PII include:

- Name
- Address
- Phone number
- Email address
- Social Security number
- Driver’s license number
- Social media handles
- Bank account number
- Passport number

The Importance of De-Identifying a Dataset

When non-identifiable information is linked to PII in a dataset, an individual’s privacy is lost. It’s of the utmost importance that consent is given before any PII is collected or made public. To protect privacy, one tactic is to de-identify data, or remove all PII from a dataset.

For example, if your company is tracking spending habits across various demographics, remove customers’ names, contact information, address, and credit card details, leaving only their demographics (for instance, age and gender) and purchase history. This ensures your company can still analyze variables of interest without putting customers’ privacy at risk.

The process of de-identification requires you to critically think about connections that can be made through data so it’s truly de-identified. Harvard Professor Latanya Sweeney, who’s featured in Data Science Principles, conducted research to discover how easily de-identified data can be re-identified. Re-identification is the process of combining two or more datasets to reveal identities, and it presents a significant threat to privacy.

In the course, Sweeney explains that information often assumed to be anonymous—like birth date, gender, and ZIP code—can be linked to specific individuals in public, non-de-identified datasets, like voter lists.

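The following is an added example, not part of the original article or the course: a pre-release check that removes PII and then counts how many rows are still unique on birth date, gender, and ZIP code. The records, field names, and the generalization step (birth year, three-digit ZIP prefix) are assumptions made for illustration; the smallest-group figure it reports is the measure commonly called k-anonymity.

```python
from collections import Counter

# Constructed sample records (not real data); field names are assumptions.
CUSTOMERS = [
    {"name": "A. Rivera", "email": "a@example.com", "birth_date": "1984-03-12", "gender": "F", "zip": "02138", "spend": 120},
    {"name": "B. Chen", "email": "b@example.com", "birth_date": "1984-07-30", "gender": "F", "zip": "02139", "spend": 75},
    {"name": "C. Okafor", "email": "c@example.com", "birth_date": "1991-01-05", "gender": "M", "zip": "02139", "spend": 310},
    {"name": "D. Novak", "email": "d@example.com", "birth_date": "1991-11-22", "gender": "M", "zip": "02134", "spend": 42},
    {"name": "E. Haddad", "email": "e@example.com", "birth_date": "1984-09-09", "gender": "F", "zip": "02140", "spend": 88},
]
DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = ("birth_date", "gender", "zip")


def deidentify(records):
    """Drop direct identifiers. Quasi-identifiers are still present afterwards."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def generalize(records):
    """Coarsen quasi-identifiers: birth date -> birth year, ZIP -> 3-digit prefix."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_date"] = r["birth_date"][:4]
        g["zip"] = r["zip"][:3] + "**"
        out.append(g)
    return out


def audit(records, quasi=QUASI_IDENTIFIERS):
    """Return (k, unique_rows): the smallest group sharing the same
    quasi-identifier values, and how many rows are alone in their group."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values()), sum(1 for n in groups.values() if n == 1)


if __name__ == "__main__":
    stripped = deidentify(CUSTOMERS)
    print("PII removed only:   k=%d, unique rows=%d" % audit(stripped))
    print("after generalizing: k=%d, unique rows=%d" % audit(generalize(stripped)))
```

A row that is unique on these three fields can be matched against any public list carrying the same fields, so a result of k=1 means the dataset is not yet safe to share even though every name and email address is gone.
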
“Eighty-seven percent of people in the United States are estimated to be unique based on date of birth, gender, and ZIP code,” Sweeney says. “If somebody takes a dataset that’s supposed to be anonymous and re-identifies the people in it, all kinds of harm can happen.”

2. How to Protect Data Internally

While your company may collect and store customers’ data, all employees shouldn’t have access to it. PII should only be available on a need-to-know basis within an organization. This prevents any accidental, or purposeful, misuse or publication of sensitive information.

Here are some simple but effective tips to secure data internally:

- Lock your computer when you get up from your desk.
- Lock any filing cabinets or drawers containing hard copies of data.
- Password-protect database access.
- Use a secure file transfer method.
- Properly store physical copies of data, and don’t leave them out where they could be taken, misplaced, or read.
- Don’t message or talk about sensitive data with others unless you’re in a secure, private meeting room.

Although some of these tips seem like common sense, they can go a long way in ensuring your customers’ data remains in the right hands.

3. It’s a Legal Responsibility

Data privacy is a legal responsibility with strict guidelines and repercussions. The laws that apply to your company depend on location and the type of data you handle. Familiarize yourself with the laws that pertain to the locations of your business and customers.

Here are a few examples of data privacy laws, who they impact, and what they generally require. In addition to data privacy, many of these laws include mandates pertaining to data security.

General Data Protection Regulation (GDPR)

The GDPR is a data protection act passed by the European Union in May 2018. This law applies to any person or company that handles the data of Europeans. The seven pillars of the GDPR are:

- Lawfulness, fairness, and transparency: There should be no deception in the data collection process.
- Purpose limitation: Data subjects must be told why you’re collecting their data.
- Data minimization: You must only collect the smallest amount of data necessary for your specified purpose.
- Accuracy: You must keep data accurate and up to date.
- Storage limitation: The data must not be stored for longer than the intended purpose.
- Integrity and confidentiality: Appropriate security measures must be in place to ensure confidentiality, and the data’s integrity must be maintained across format and time.
- Accountability: Data handlers are responsible for complying with the GDPR.

The GDPR is extensive and, at points, vague. If you’re collecting data from customers who live in the European Union, give this law a thorough read through to ensure you’re in compliance.

California Consumer Privacy Act (CCPA)

The CCPA, passed in June 2018, protects California citizens’ right to be aware and in control of what personal data businesses collect and store about them. The law comprises four key individual rights:

- The right to know about the data businesses collect about them and how it’s used and shared
- The right to delete personal information collected from them (with a few exceptions)
- The right to opt-out of the sale of their personal information
- The right to non-discrimination for exercising their CCPA rights

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a law passed in 1996 to protect the medical privacy of US citizens. The HIPAA Privacy Rule was put in place to provide explicit guidelines for any person or organization that handles medical data. This includes:

- Healthcare providers, such as hospitals, doctor’s offices, and dental practices
- Health plans, such as insurance organizations and health maintenance organizations
- Healthcare clearinghouses, for instance, a company that transfers healthcare data from a healthcare provider to a business associate
- Business associates, whose duties include claims processing, data analysis, utilization review, and billing involving personally identifiable medical data

The HIPAA Privacy Rule aims to protect individuals’ rights to know and control who has access to their medical data and understand how it’s being used. It protects their right to privacy while still allowing for the transfer and use of data to drive medical advancement.

Related: 3 Applications of Data Analytics in Health Care

4. It’s an Ethical Responsibility

Data privacy is not only a legal matter, but an ethical one. The ethics of data privacy can be boiled down to the fact that an individual’s consent is necessary to collect, store, and use their personal information.

The powerful nature of data can be enticing, but it’s important to judiciously use PII. Remember: There are real people behind your data points. They have identities and lives that could be at risk if their sensitive data ends up in the wrong hands, which makes your precautions and transparency well worth the effort.

Protecting Your Customers’ Data

Your compliance with privacy laws, internal precautions, and efforts to de-identify data help uphold your customers’ safety and right to privacy. In giving you their consent, they’re trusting you to protect their information and use it for a specific purpose—whether that’s identifying a trend that could lead to a new product, tracking spending habits to personalize their shopping experience, or backing a decision to increase funding for a specific healthcare initiative.

Understanding the ethical, legal, and logistical foundation of data privacy enables you to maintain their trust and use data to make a positive impact.

Are you interested in furthering your data literacy? Download our Beginner’s Guide to Data & Analytics to learn how you can leverage the power of data for professional and organizational success.

About the Author

Catherine Cote is a marketing coordinator at Harvard Business School Online. Prior to joining HBS Online, she worked at an early-stage SaaS startup where she found her passion for writing content, and at a digital consulting agency, where she specialized in SEO. Catherine holds a B.A. from Holy Cross, where she studied psychology, education, and Mandarin Chinese. When not at work, you can find her hiking, performing or watching theatre, or hunting for the best burger in Boston.


