Many consider these synonymous, but it’s important for organizations and individuals to understand the difference and how to ensure their data is secure.
Organizations should protect privacy while ensuring security. Just because technology systems are secure, you cannot assume your personal data is private. Data protection must be performed to meet compliance requirements; however, that does not ensure that personal data protected at this level is also private. Protecting and keeping personal data private is required by law for Federal agencies under the Privacy Act of 1974, 5 U.S.C. § 552a, but that law does not apply to all U.S. businesses.
Data privacy applies to everyone. Data privacy doesn’t just mean Personally Identifiable Information (PII) related to employees; it also covers clients and customers. For example, a consulting firm must maintain privacy for its employees, but also for its clients’ information. The collection of client information requires planning and strict consideration. Below are some of the questions to ask when addressing data privacy:
- How will it be used?
- Why do we need it?
- How will we protect the data?
- Who will have access once it is collected?
- How long do we maintain the data?
- How will it be destroyed when applicable?
- How will it be disseminated to others?
- Where will the information be stored?
- What is the risk that it will be duplicated and stored somewhere else?
In turn, it is acceptable for an organization to ask its clients or potential clients how they will manage the company’s information. These same questions can be applied to protecting data in your personal life. Here are some tips to become proficient in protecting your own data:
- Shred incoming mail containing personal information
- Use a mail slot or locking mailbox to prevent others from stealing your mail
- Shred receipts, bank statements, credit card receipts (when no longer useful)
- Secure your home WiFi network
- Use strong passwords
- Restrict personal information sharing on social media
- Question the use of your Social Security number for identification and why it is needed
The discussion of data privacy should be transparent. Regulations like the General Data Protection Regulation (GDPR), which became effective March 25, 2018, enforce the need for data privacy transparency. GDPR calls for the protection of “personal data and privacy of EU citizens for transactions that occur with the EU”; however, it applies to any organization that collects data on EU citizens, even if that organization is not located in the European Union. While many U.S. organizations must comply, until there is a specific mandate protecting U.S. citizens, understanding whether your data is private and protected is left up to the individual.
Is your organization GDPR compliant? RG’s approach to data privacy is through our proprietary business analysis and requirements methodology called LINKProcess™, which is a framework for both complying with GDPR and for remaining compliant on an ongoing basis. Contact us to learn more.