Data privacy laws are legal frameworks that aim to protect consumers’ personal data.
Data privacy laws typically allow consumers to know what information a company collects about them, why the information is collected, and how the information will be processed. Laws also give people the right to determine who can access their personal information.
Examples of data privacy laws include the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR).
Data privacy is often confused with data security, which focuses on protecting an organization’s systems, tools and the data they hold from unauthorized access and cyberattacks.
Research firm Gartner predicts that modern privacy laws will cover the personal information of 75% of the world’s population by the end of 2023.
Compliance With Data Privacy Laws
Companies must comply with data privacy regulatory requirements or face fines that are often significant. A GDPR violation, for example, can cost a company as much as 20 million euros (more than US$22 million). A HIPAA violation can exceed $6 million.
To ensure compliance, organizations must align their information governance, processes, technologies and people with data privacy requirements. According to Enza Iannopollo, a principal analyst at Forrester Research, the best way to get started is to follow these three general steps:
- Understand where the data resides in your organization and what you are trying to protect;
- Map and analyze relevant regulatory requirements; and
- Translate legal constructs into controls, policies, behaviors, contracts, notices and a shared culture.
When Did Data Privacy Become a Priority?
Europe was ahead of the United States in protecting personal data. Sweden passed the first national privacy law in 1973, followed by Germany in 1978 and the U.K. in 1998. The past few years have seen significant growth in data privacy laws, spurred by GDPR going into effect in 2018.
More recently, India, China, Canada, Japan, Brazil and South Korea have adopted or are in the process of adopting data privacy regulations. The United States has seen data privacy gain traction in several states, including California and Virginia, and experts expect a federal law to emerge.
Why Are People Paying Attention to Data Privacy Now?
As the COVID-19 pandemic prompted organizations to overhaul their business processes, many moved workloads to the cloud, which made data and applications accessible to remote workers and third parties as needed. The increased accessibility of data via the cloud, while highly beneficial, created more risks to data privacy. As a result, many organizations and regulators have grown concerned about protecting privacy.
In the U.S., data privacy laws are a work in progress. Several states are working on enacting laws. Congress has discussed the creation of a federal privacy law along with a new privacy bureau.
Who Benefits From Data Privacy?
Data privacy laws, in addition to giving consumers peace of mind, can benefit companies that meet compliance requirements. When a company demonstrates compliance, consumers and third parties can trust that their data is respected and secure, which makes them more likely to continue doing business with the company.
What Technology Can Help With Regulatory Compliance?
Under some data privacy laws, companies may be required to provide customers with access to their personal data or delete data at a customer’s request. These processes can be complicated, requiring not only an understanding of the specific privacy laws that apply but also exactly where customers’ data resides.
Vendors include Privitar, Anonos, Immuta, BigID, OneTrust, D-ID, Duality, Truata, TrustArc, Wirewheel, ZLTech and Ethyca.