Data privacy Is more than just data security

March 3, 2022
Companies are under greater due diligence requirements from their insurers

Our privacy is a basic human right. And yet, nearly every day we share confidential information as a necessity to conduct our business and personal lives, hoping that the recipient respects our data and praying that our data is not misused or exploited in a way that causes us or others harm.

Data privacy is distinct and different from data security. Data privacy centers around the right to share our data and the way organizations must be governed and held accountable for the use of our data. Data security is focused on the policies and procedures that a company must implement to safeguard our data from any third-party unauthorized access.

As the use of our data gets called into question and more data privacy legislation is passed, as individuals, we are becoming more acutely aware of the value of our data and the potential impact of our data in the wrong hands.

But even when we intellectually understand the evil that can occur if our data is abused, we still give it away freely.

Those organizations that uphold our data rights and privacy and protect our data are held in extremely high regard. These organizations think of the individual, not just the data – they respect the person who originated the data.

Data privacy is not only about caring for the data that is being stored but living up to the expectation that maintaining an individual’s privacy is a basic human right.

Best Practices for Ensuring Data Privacy

Here are some best practices for any company that is collecting, storing and/or managing someone’s basic information. These recommendations go a long way in building mutual trust between the organization that is collecting the data and the individual that is offering their data:

Let us start with the basics. Make sure that individuals who interact with your company understand:

  • What data is being collected, and why
  • Whether that data is being sold or shared
  • Who that data is being sold to or shared with?

As data moves across borders and grows exponentially, managing and maintaining data privacy is becoming increasingly more complex.

The lesson learned from the failure of Quayside -- On May 7, 2020, the Google company Sidewalk Labs announced that it was withdrawing from its partnership with Waterfront Toronto, and its plans to create a smart-city neighbourhood called Quayside. The partnership between the land-development agency, Waterfront Toronto, and Google had many challenges. But fundamentally it was unable to gain support from the community due to concerns over the lack of transparency around data – how data was being collected, what information was being stored, and how that information being used. Moreover, it was unclear how this business partnership would obtain an individual’s informed, and unambiguous consent for use of their personal information.

A key lesson from this failure is that data privacy, data governance and intellectual property frameworks based on data needs to be well established, documented, and cemented into policies and bills before economic partnerships are considered.

Trends in Corporate Governance -- Corporations will soon be obligated to assess ‘privacy’ impacts of their initiatives that collect personal information. They will need to appoint an individual responsible for maintaining personal information about their customers; a “Person in Charge of Personal Information” (the PCPI). This role will govern the business’ treatment of personal information.

This includes the creation of policies for:

  • Managing the lifecycle of data (from collecting to storing and eventual destruction of personal information).
  • Identifying roles/responsibilities for those in their organization who have access to personal information.
  • Creating processes for dealing with complaints relating to personal information.
  • Maintaining policies around confidentiality, privacy, security and notification of breaches.
  • The use of Federated Learning of Cohorts (FLoC); a combination of generalization, suppression and adding noise to anonymize personal information.
  • Managing the insurance and policies relating to remote work and impact on security and data management.

Data privacy is a shared responsibility between the personal and the corporation. But it’s not that simple. For example, companies that use AI to create Automated Decision Systems (ADS) bear the burden of explaining the actions that will ensue based on the decisions an individual may take.

The Impact of COVID on Data Privacy -- As a result of the pandemic, more staff are working remote. With more staff working  ‘online’ from their own devices, there has been an increase in cyber crime. Not only is it becoming increasing more difficult to manage and avoid cyber attacks, but the cost of insuring against these breaches is also on the rise. Companies are under greater due diligence requirements from their insurers and are being held to a higher standard to maintain and protect data and mitigate data breaches.

We live in a world where our personal information is widely accessible – with or without our consent. Whether we are working at home or the office, walking into an airport, or shopping online, our most valuable possession in our privacy

Data privacy is reliant on good governance, global co-operation, legal policy, and informed consent.

About the author: Clara Angotti is the Co-Founder and President of Next Pathway, an Automated Cloud Migration company. Next Pathway was recently named by The Globe and Mail as one of the hottest cloud start-ups, and the Most Innovative Company by the Best in Biz Awards. In 2021, Clara was awarded one of the top 50 Most Powerful Women in Technology by the National Diversity Council. Clara has also been recognized as one of Canada’s Most Powerful Women in 2011 and 2018.