Data privacy protection has been an issue since the days of the Clinton administration, when the doors were first opened on what was then called the "information superhighway."
Over time, the business case for data privacy protection has only gotten more urgent. Internet-facing companies – which these days means all but the smallest businesses – are collecting increasing amounts of data about their customers, or even people who just visit their sites. Protecting that data is codified into privacy laws that dictate what information can be collected, how and where it can be stored, and for how long it can be held before it must be destroyed. It’s also good customer service.
During its June summit sessions, Red Hat brought out Orla O'Hannaidh, a senior data privacy and security attorney at Red Hat, and Clarence Clayton, a Red Hat data privacy manager, for an "Ask the Expert" Q&A session called “Data Privacy: A Primer and Practical Approach to Privacy.”
Data Privacy and Data Security
The discussion at Red Hat Summit Part 2 started with the assumption that you can't protect data privacy if you don't know what it means.
"It's about protecting an individual's information," O'Hannaidh said. "If you dig into that a little more, I think that involves being transparent about what's collected, how that data is used, caring about how personal data is secured, and giving people control over their personal data. Personal data, which is what privacy is about, is a really, really broad term."
Clayton then explained the difference between data privacy and data security.
"They are related topics that certainly go hand in hand, and one influences the other," he said. "[Data privacy is] the responsible, compliant, legal use of personal information. It's being very transparent about how we collect information, who has access to it and with whom it's shared, and honoring people's rights with regard to how their data is used.
"Security is more of a means of protecting that data," he continued. "It's the technical or other process measures that companies or other entities put in place to make sure their privacy obligations, and other obligations with regard to keeping data secure and confidential, are met."
Data Privacy Protection Laws
The next question, posed to lawyer O'Hannaidh, was about data privacy protection laws and whether privacy laws are the same worldwide.
"I think I know the answer to that," said Heather Burnett, the Red Hat senior manager of assessment and development programs who was moderating the discussion. "Can you kind of elaborate if the answer is ‘No?’"
(The answer was "no.")
"There are hundreds and hundreds of privacy laws, and most countries have one or more," O'Hannaidh said. "If you take the US as an example, it's a patchwork of privacy laws."
There are data privacy laws that regulate sectors such as finance, health or education. Other laws apply to groups, such as legal minors or students. Then there is a hodgepodge of state regulations concerning specific issues, such as data breach notification ("Every state in the US has one of those laws," O'Hannaidh said). On top of that, there are consumer protection laws relating to privacy that exist on both the federal and state levels.
Those were just U.S. examples, she added. In Europe there's the GDPR, which can also affect online companies in the U.S. (and other non-EU countries), even if they don't have a physical office in Europe. The GDPR isn't the only privacy law affecting European companies. Others include the "privacy directive" and employee laws.
"All of that's to say there are hundreds of privacy laws," she said. "Many of the laws share really similar requirements and principles, and that certainly is really important when running a global privacy program."
There are some things that companies can do as a matter of course, without even needing to consult a lawyer first (but you probably should anyway, modern life being what it is), like integrating identity and access management within a data privacy protection policy.
"Identity and access management is at the heart of what we do to make sure that we have secure access to data and that only people who need to be accessing personal data have the means to do so," Clayton said. "Ideally, we would prefer that systems use some sort of access management, like our internal or external SSO [single sign-on] that's just a little bit easier to manage from a control and security perspective. Then you're not relying on manual means to validate whether or not people have left the company, or whether or not their access needs have changed."
Due diligence around identity and access management is also necessary when it comes to dealing with outside contractors or vendors who may have access to data.
"If we find that we're working with vendors or third parties that we share data with, we do put those vendors through vendor risk assessments with the work of our information security teams, sometimes doing penetration tests and reviews of their security protocols and policies," he said. "We also put those same controls on them around access management, ensuring that data is only used for as long as needed, that it is deleted when the engagement ends and that we also have contractual protections that govern the use of how vendors and other third parties work with data that we transact with them."
From a legal perspective, O'Hannaidh agreed that well-written legal agreements are necessary for any enterprise that plans to share data with outside parties such as contractors or vendors.
"Legal teams work really closely with procurement and infosec, and certainly there's a legal contractual element of due diligence, as well as having appropriate contractual terms in place when you work with third parties, if they have access to personal data," she said.
Interested parties can revisit this entire discussion on data privacy protection, which Red Hat Summit 2021 is making available, along with all other event sessions, through May 2022 on the event's website. Free registration is required.