Data Privacy in the Enterprise

In this topic, we will equip you with practical information to help you elevate your enterprise data protection and privacy plan by covering the following topics:

How Can You Ensure Data Privacy?

The following best practices and methods have proved to be instrumental for enterprises looking to protect and maintain data privacy and confidentiality:

  1. Do not collect customer information you do not need or intend to use. Make sure the different stakeholders are conscious of the associated responsibility that comes with collecting and retaining personal information. If there is no business reason for collecting social security numbers or customer phone numbers, it is better to keep the information out of harm’s way.
  2. Encrypt all sensitive data with strong encryption methods. Remember that your system is only as strong as your weakest link (or encryption method).
  3. Be transparent about data privacy with your customers. Inform them of the data you collect, how long you retain it, the rationale behind collection, and the data protection practices employed. Ensure your privacy policy is clear and simple and do not leave any loopholes for your customers to fall into.
  4. Train your employees, especially if you’re operating in a highly sensitive industry (i.e. healthcare, finance), make sure they understand the importance of customer privacy and confidentiality and the associated regulations to the industry you operate in (i.e. HIPAA – Health Insurance Portability and Accountability Act) or CCPA.

What Is a Privacy Plan?

NIST defines a privacy plan as a “formal document that provides an overview of the privacy requirements for an information system or program and describes the privacy controls in place or planned for meeting those requirements. The privacy plan may be integrated into the organizational security plan or developed as a separate plan.”

Source(s):NIST SP 800-53A Rev. 4 under Privacy Plan

Who Is Responsible for Data Privacy?

  • The ultimate authority on privacy in the enterprise is the Data Privacy Officer (DPO) who should have a comprehensive perspective of all privacy aspects.
  • The enterprise legal team should define the privacy policy and manage the interaction with data subjects on behalf of the enterprise.
  • The enterprise Chief Information Security Officer (CISO), equipped with the tools, knowledge,, and resources, will own the implementation of the technical aspects of the privacy program. In certain cases, the CISO acts as a DPO. It is important to mention that many data privacy requirements eventually funnel into data engineering teams who own the data platforms in the enterprise and are tasked with technical implementation.

Which Tools Can Implement Data Privacy Regulations?

There is a need for next-generation tools for privacy that have not existed in the Security industry, which focus on data privacy needs. There are security tools that try to solve privacy issues or just talk about it, but were never built to solve privacy issues, rather for security issues like:

  1. Cloud Access Security Broker (CASB)
  2. Data Loss Prevention (DLP)
  3. Encryption Software
  4. Identity and Access Management (IAM)
  5. Compliance Software (GRC)
  6. Data Backup and Recovery Solutions

A platform like Secuvy is purpose-built to solve data privacy and protection needs of the enterprises to get compliant with Global Privacy Laws.

How Does Storing Data in the Cloud Affect Compliance with Data Privacy Laws?

In short, storing data in the cloud does not affect compliance with data protection laws, as the overall responsibility is on the data controller. Even if the enterprise uses best of breed cloud service providers, it’s the enterprise’s responsibility to verify data is handled according to relevant data protection laws and regulations. It falls under the data controller’s ownership to verify that the cloud provider processes personal data in a secure manner and ensure, for example, that data is not transferable outside of specific regional boundaries (i.e EU borders for GDPR).

It is important to establish a responsibility level with your cloud providers in regards to data security and continuity and agree, in advance, on compensation in the unfortunate event of a data leak.