Protect Your Customers’ Personal Data: How to Comply with Data Protection Laws

Strong data protection not only meets all legal standards, but also benefits an organization by allowing it to use uncompromised data to conduct business. Below are the primary goals of data protection:

• Ensure data privacy
• Protect data from loss, corruption or compromise
• Ensure that an organization is able to routinely and continually use the data to conduct its business

“I think the concern has been increasing for several years,” Martinez says. “You’ve got executives and boards worrying about protecting their customers data because they see the damage a breach does.”

Data protection works to prevent a range of specific failures that can compromise data or disrupt how an organization conducts its business. Some of the primary potential problems include the following:

• Storage Device or Storage System Failure:An organization’s devices and systems that help it store and use data can fail, leading to data loss.
• Data Corruption:Data can be corrupted, either accidentally through worker error or system malfunction, or intentionally by people inside or outside the organization.
• Data Center Failure:The outside data center where all of the organization’s information is stored can suffer a failure or intrusion that loses or corrupts data.

As people increasingly worry about their data privacy and how companies are collecting their personal information, whether they trust a company to handle their data appropriately will be an important business differentiator. They won’t do business with companies they don’t trust.

A wide range of controls can help organizations protect their data. Data security standards — including ISO 27001 — can help companies understand the best way to protect data. Within the wide array of controls are three areas of processes or equipment that can help with data protection: storage technologies to protect data, processes that help with data storage, and processes that protect and recover data.

Storage technologies to protect data include the following:

• Hard Disks or Tape Backups:Physical technologies that can hold information that can then be transferred and stored on other larger storage devices.
• Database Mirroring:Continuously creating a copy of all data in another location or device, meaning the data is always an exact copy of data at the primary location.
• Cloud Backup:A method of replicating all data on outside internet servers.
• Redundant Array of Independent Disks (RAID):The process of storing the same data on multiple hard disks in different places.

Other processes that can help with data storage and recovery include the following:

• Erasure Coding:The process of breaking down data into fragments, and then expanding, encoding, and storing it in different locations.
• Data Deduplication:The elimination of redundant copies of data to free up an organization’s storage capacity to perform data backups.
• Continuous Data Protection (CDP):A system that allows for continuous backup whenever any change in data is made.

Below are some processes to protect and recover data:

• Copy Data Management:A process that manages and decreases the number of copies of data your organization needs to keep while still having appropriate backup of all data.
• Hyperconvergence:A systems framework that combines storage, computing, and networking, and reduces the complexity of a data center.
• Disaster Recovery as a Service (DRaaS):Copying data and hosting it on servers maintained by an outside vendor.

Mobile devices — especially mobile phones and laptops — are often woefully unprotected from data breaches and data protection problems. Employees routinely access basic company data with their personal mobile phones and laptops, and the data protection weaknesses in those devices often immediately compromise your organization’s data. “Every time you add a new device, you increase that risk profile,” explains Herman, from RH Strategic Communications.

It’s important to understand the vulnerabilities and fix them. Below are some steps to take that can improve data protection:

• Monitor who is accessing cloud services to get access to your organization’s data and which devices and apps they are using to do so.
• Make sure that those devices and apps have technology that complies with your company’s data protection policies.
• Use file sync-and-share services (such as Box). These tools allow users to share and access documents through a secure website, from mobile phones, laptops, and other devices.
• Reduce complexity wherever possible. While it’s important that your data is protected, it’s also crucial that you deploy technology that is not too complicated for your employees to use. If a tool is complicated, they will work to bypass certain controls and thereby weaken data protection.

In addition to the business benefits of protecting your customer data, there are two other key reasons to protect that data: One, it’s the right thing to do for your existing and potential customers; and two,protecting data is increasingly required by law.

Data privacy laws can be complex and complicated, but there are a handful of basic themes that organizations need to be aware of to ensure they are compliant. These include the following:

• Safeguarding Data:Set up a data protection system that appropriately safeguards the personal data you collect and keep, and show the appropriate authorities how you’ve setup and maintained that system.
• Getting Consent:This may be the most important requirement of the new GDPR from the EU. You must gain direct consent from the person whose data is being collected. They also have the right to revoke that consent at any time.
• Figuring out the Regulations that Apply to your Organization:You need to understand the nature and breadth of the personal data you collect and keep and how regulations may govern that data, and thus govern what you do with it and how your business operates.
• Educating Your Employees:Data protection is not just for your IT department. Data protection also involves simple emails, and accessing a customer list through a mobile phone. Ensure your employees are fully trained in the nuances of data privacy and security.

Most data protection occurs through experts establishing and overseeing the data and the information systems that collect and store it. But there have been advances in technology throughout the 21st century that allow the systems themselves to provide some data protection:

• The Platform for Privacy Preferences (P3P):This now-obsolete system was created in the early 2000s and allowed websites to provide information on how they intended to use information they collected from people using web browsers.
• Policy Enforcement:Some computer languages can express privacy policies in a machine-readable way, which enables an organization’s software systems to use that information to enforce privacy policies within an organization’s computer systems.
• Protecting Privacy on the Internet:Emails and web browsing can be notoriously open to data compromise. New technologies can help encrypt emails and allow people to browse web pages through what are calledanonymizers. In essence, the anonymizers are proxy computer servers that operate between a user’s computer and the internet, allowing the user’s identifying computer information to remain hidden.
• Improving Privacy through Individualization:Security experts believe individualized messages and security "nudges," based on a user’s characteristics and habits, might improve compliance with security protocols

Even beyond GDPR, there are some notable international legal issues that have orbited information privacy over the past decade or so:

• The Safe Harbor Framework and Privacy Shield:In 1995, the European Union established a privacy directive that stipulated that the personal data of an EU citizen could be transferred outside the EU only if the receiving country had adequate data privacy protections. As a result of that directive, the United States and the EU entered into the Safe Harbor Framework, an agreement that defined privacy principles that the U.S. would follow.
  
  However, a European Court struck down the validity of that framework in 2015, ruling that the U.S. was not providing adequate protection. So in 2016, the two governments created a new agreement: Privacy Shield. That agreement still holds, even with GDPR becoming effective in May 2018. Still, nothing in the Privacy Shield allows U.S. companies to ignore the more detailed requirements of GDPR.
• Passenger Name Record Agreements:The European Union approved a new “passenger name record” directive as part of GDPR.Passenger name records agreements, which have existed for years, govern names and other information that people give airlines to buy tickets to travel from one country to another. Passenger name records have become an especially controversial issue in recent decades, as governments — including in the United States — have used them extensively to combat potential terrorism.
  
  一些人担心政府的easy access to personal information through passenger name records. The United States and the European Union approved the Passenger Name Record Agreement to govern what data is collected and how it is kept and used.

The United Kingdom’sData Protection Act of 1998was created to protect personal data stored on computers and in paper filing systems. The law was implemented in the UK after the European Union’s Data Protection Directive of 1995, and became effective in March 2000.

The law has now been superseded by the GDPR and a new data protection law in the UK. But the act was extremely important at the time of its passage, as it gave UK citizens a more pronounced right to have control over information about themselves.

Overseen by the U.K.’s Information Commissioner’s Office, the law considered personal data to be any data that could identify an individual. It also gave especially stringent protections to “sensitive” information like the following:

• Ethnic background
• Political opinions
• Religious beliefs
• Health
• Sexual life
• Criminal history

The law gave persons certain rights, including the rights to do the following:

• View data an organization has regarding them by making what was called asubject access request
• Correct incorrect information
• Require data not be used to cause damage or distress
• Require data not be used for direct marketing

The law also featured the following overall principles about data protection:

• Personal data should be processed only under certain conditions, including in most cases only when a person consented to having his or her data collected.
• Personal data collected for a certain purpose should not be kept longer than is needed for that purpose.
• Organizations should implement “appropriate technical and organizational measures” to protect the personal data against loss.
• Personal data should be not be transferred to another country outside the European Union unless that country had adequate levels of personal data protection.

However, the law explicitly states that is does not apply to the following instances of data processing:

• Safeguarding national security
• Assessing taxes or preventing or detecting crime
• When the processing was only for purposes of an individual family, or for an individual’s household affairs

Many countries have approved data privacy laws in recent decades, and have established authoritative bodies to govern and oversee those laws. Some laws that have been improved include the following:

• Privacy Act, 1983 (Canada)
• Data Protection Directive, 1995 (European Union)
• Data Protection Act, 1998 (United Kingdom)
• Data Protection Act, 2012 (Ghana)
• Data protection (privacy) laws in Russia (mostly enacted in 2005 and 2006)
• Personal Data Protection Act, 2012 (Singapore)
• General Data Protection Regulation, 2016 (European Union)

Authorities that oversee data protection laws in specific countries include the following:

• National data protection authorities in the European Union and the European Free Trade Association
• Office of the Australian Information Commissioner (Australia)
• Commission nationale de l'informatique et des libertés (France)
• Federal Commissioner for Data Protection and Freedom of Information (Germany)
• Data Protection Commissioner (Ireland)
• Office of the Data Protection Supervisor (Isle of Man)
• Federal Data Protection and Information Commissioner (Switzerland)
• 信息rmation Commissioner's Office (United Kingdom)
• Privacy Commissioner for Personal Data (Hong Kong)

The European Union’s General Data Protection Regulation (GDPR), which went into effect in May 2018, is having and will continue to have a profound effect on data protection and data privacy worldwide.

如前所述,GDPR取代欧盟哒ta Protection Directive of 1995, which was approved when the internet was in its infancy and there was minimal personal data online. GDPR affects organizations far beyond the European Union, because it governs how all personal data and information about EU citizens is collected, kept, and used. That means the law governs many organizations in the U.S. and elsewhere in the world because they routinely collect and store basic information on EU citizens — even if it’s only when an EU citizen visits a U.S. company website.

GDPR affects data protection and data privacy in myriad ways. Below are three of its most important requirements:

1. Prohibits organizations from collecting or storing personal information about a person without that person’s consent
2. Requires organizations to notify the supervising authority within 72 hours of a data breach, and in some cases notify the people whose data was lost or compromised
3. Requires organizations to employ a “data protection officer” if they process personal data on a large scale

GDPR者包括巨大的惩罚up to 20 million Euros or four percent of an entity’s gross global revenue for significant violations. But the European Commission, which approved the law, argues that the law was important to re-establish people’s trust that their personal data can be kept private. It also has argued that it will actually help keep business costs down, because businesses will no longer need to keep track of and follow a number of different laws in different EU countries.

The full text of GDPR is 261 pages and can be incredibly complex. But there are some basics that companies worldwide should keep in mind to comply with the law:

• Obtain Consent:Directly ask customers for consent when you plan to collect information from them and only collect that info once they’ve consented.
• Communicate Openly:Even after you obtain consent, be clear with customers about how and why you are using their personal information.
• Ensure Access and Portability:Allow people to access their data and give it to another company if they want.
• 通知的人Data Breaches:The law requires you to inform people of a data breach when the breach poses a significant risk to their privacy.
• Erase Data When Requested:You must erase and delete data on a person if they request it.
• Understand the Rules for Profiling:For example, if you profile people based on their personal info to decide on awarding a loan, you must have a person check the process and allow people the right to contest any negative decision.
• Allow Marketing Opt-Out:You must give people the right to opt out of marketing that uses their personal data.
• Special Safeguards for Sensitive Info:You must use extra safeguards for personal information that is especially sensitive, including data about a person’s health, race, sexual orientation, politics, or religion.
• Special Consent for Children:You must obtain a parent’s consent to collect personal info on children under 16.
• Be Careful When Transferring Personal Data Outside the EU:Any EU citizen’s personal data transferred outside the EU can go only to countries that have adequate privacy safeguards or is transferred under other legal conditions that appropriately safeguard the info.
• Perform “Data Protection by Design”:Design your communications and other systems from their inception to protect personal data.
• Check If You Need a Data Protection Officer:The law requires you hire a data protection officer if you process significant amounts of personal data.
• Remember that Impact Assessments Might Be Required:In some cases in which an organization is considering new technologies or other significant changes in how it processes information, the law requires the organization to conduct an assessment to determine how the change might affect data protection and data privacy.

TheUK Data Protection Act of 2018replaces the UK’s Data Protection Act of 1998, and formally implements the data privacy provisions GDPR requires EU member states to implement. The law is guided by several broad principles, and in a few minor provisions, it differs from GDPR. It ensures that personal data is:

• Used fairly, lawfully and transparently
• Used for specific and identified purposes
• Used in a way that is relevant but limited to only what is needed
• Accurate and kept up to date
• Kept no longer than needed
• Handled with appropriate safeguards and security

Provisions in the law cover a range of specific areas — many of them similar to provisions in GDPR, and some of them similar to provisions in the UK Data Protection Act of 1998.

Some of those provisions include the following:

• Give a range of rights to people whose data is being collected.
• Govern how and under what circumstances personal data can be legally transferred to countries outside of the EU.
• Require “data protection impact assessments” when an organization uses new technologies or makes significant changes in how it processes data.
• Require notification to the UK’s information commissioner if there’s a data breach.
• Require the employment of data protection officers for organizations that handle significant amounts of personal data.

The UK Data Protection Act of 2018 protects a wide range of personal data, including information about a person’s name, address, email address, and web-browsing activity.

The law provides especially stringent protection to some classes of personal data, including the following:

• Race
• Ethnic background
• Political opinions
• Religious beliefs
• Trade union membership
• Health
• Genetics
• Biometrics, when used to identify a specific person
• Sexual orientation or behavior

The law also sets out separate safeguards for information relating to criminal convictions.

The law definesdata subjectsas persons whose personal data is potentially being collected and stored. Data subjects are given a wide range of rights, including the rights to the following:

• Consent or not consent to data being collected
• Be told how their data will be used
• Have access to the personal data that an organization is collecting or has already stored
• Correct incorrect personal data
• Have personal data erased if the person asks for that
• Request that an organization stops collecting and storing their data
• Obtain the personal data an organization has collected and transfer it to different organizations
• Have additional recourse if the personal data is used to automate decision-making (such as in an application for a loan)

The UK’s Data Protection Act of 2018 differs from GDPR in a few provisions, including data processing relating to some aspects of immigration, and relating to UK national security.