While different countries and regions have specific laws and regulations governing how personal data must be collected, used, and protected, there are a few generally accepted data privacy principles that most experts agree on. This article explores some of the most universally accepted data privacy principles, which are also covered in the CDP certification course.
Generally Accepted Data Privacy Principles
- Management – The entity establishes, documents, discusses and assigns responsibility for its privacy policies, notifications, and processes.
- Notice – The entity, in its privacy notice, informs users of the company’s policies and procedures and explains what constitutes appropriate, proportional collection, usage, retention, and disclosure of personal information for each purpose.
- Choice and consent – The entity outlines the options available to the individual and gets permission to collect, use, and share personal information. This applies to non-identified transactions, where feasible, as well as the use of pseudonyms, and opting out of data sharing with third parties.
- Collection – The entity explains the collection technique, such as what, why, and how data is gathered, and only collects the bare minimum of personal information for the stated purposes with consent from the relevant data owner.
- Use, retention, and disposal – Personal information may not be used for purposes other than those specified in the Notice or for which the individual has given consent. This includes the use of distinct identifiers. The entity retains personal information only as long as it is required to fulfill the stated goals or as directed by law or regulations and then destroys it.
- Access – Individuals have information about their data as well as the ability to access and modify it, including the option to dispute the entity’s compliance.
- Disclosures to third parties – The entity makes only those disclosures of personal information that are permitted by the Notice and with the consent of the individual, and only after making certain that the third party adheres to data protection principles.
- Security – Personal information should be secured in a variety of ways, such as encrypting data at rest, online, and in transit, and through the use of firewalls, VPNs, encryption tools, and access control agreements, to name a few.
- Quality – The entity maintains accurate, complete, and relevant personal information for the stated purposes.
- Enforcement and monitoring – The entity has processes in place to handle privacy-related complaints and disputes, as well as procedures for monitoring compliance with its privacy policies.
Rights of individuals
The data privacy rights of individuals are probably among the best known and universally or generally accepted data privacy principles. In general, when a company or entity collects any personally identifying information from an individual, it must provide notification of this fact to the individual when requested. The individual also has a right to know what information is being collected, how and where the data is being used, who has access to it, how long it will be kept, and if it will be shared with other entities. Where personal data was collected without the individual’s express permission, they have a right to demand its removal.
The common theme that runs through these rules is privacy by notification and consent. Individuals have a right to know and specify how their information is used and protected. They must also permit its use and can revoke that consent at any time.
According to the EU’s General Data Protection Regulation (GDPR), these rights are not simply suggestions; they are absolute requirements. Any company that processes or intends to process the data of individuals in the EU must comply with the GDPR or face significant fines.
In the US, the Fair Information Practice Principles (FIPPs) provide a similar set of rights for individuals. The FIPPs were created in the 1970s and have been updated several times over the years. They are not legally binding, but most companies follow them as best practices.
Obligations of Organizations
Organizations that process personal data must also comply with several specific obligations. These include ensuring the security of the data, protecting it from unauthorized access or use, and destroying it when it is no longer needed. They must also ensure that individuals have a right to review the information that has been collected about them, request changes, and demand that it be deleted when no longer needed. The organization should also provide individuals with access to any information shared with third parties or outside companies.
Organizations must take all reasonable steps to protect personal data in their possession, regardless of whether they collected it themselves or received it from another entity. The penalty for not doing so can be significant, as Google recently learned when the French data protection authority fined it $57 million for violating GDPR.
Finally, all entities involved in collecting, using, or storing personal data must ensure that they are aware of and comply with the relevant laws and regulations governing data privacy.
Obligations of Individuals
Individuals have several obligations when it comes to data privacy. They must protect their passwords and other login information and not share them with anyone else. They must also take care not to reveal any personal data unnecessarily.
When it comes to social media, individuals must be cautious about the information they share. Anyone can see public posts, including employers, insurance companies, and other organizations that may use the information to make decisions about individuals. It is always best to assume that anything shared online is public and can be accessed by anyone.
The generally accepted data privacy principles discussed above are some of the most widely accepted globally. They provide a framework for protecting the privacy of individuals while still allowing organizations to exchange information, and a useful starting point for any company that wants to improve its data privacy policies and procedures.
These principles can also serve as an outline for new legislation related to data privacy. They are already being used by legislators in the US, who are considering how best to address concerns about personal data in the age of big data and digital transformation. Organizations must incorporate their privacy program into their digital transformation efforts and consider privacy governance concepts to protect data and respond to privacy inquiries.