by John Bandler
Privacy is important for every individual and every organization. Privacy threats include data breaches and companies who overshare, violating their privacy promises regarding customer information. Privacy is the subject of rapidly growing laws and regulations and is worth attention from every organization. For organizations, sound privacy practices can be good for business and avoid a legal problem. For individuals, privacy awareness is important for each of us and our families.
Privacy's origins and the types
Personal privacy is a concept that has existed for hundreds, even thousands of years. In 1890 Louis Brandeis, who would go on to be a Supreme Court Justice, co-authored a law review article on the subject and suggested an individual right to privacy which included a right to be left alone.
We can think of four main areas of privacy:
- Information privacy (data privacy)
- Communications privacy
- Territorial privacy
- Bodily privacy
My focus here is information privacy, the information (data) about consumers (including you and me) that is collected, stored, used, and shared.
Data privacy vs. cybersecurity and information security
Here's how I think of data privacy versus cybersecurity and information security.
For simplicity I have combined cybersecurity and information security into the single blue circle in this Venn diagram. Cybersecurity and information security is about securing information and information systems, in any form or location, physical or digital. (I think of cybersecurity as a subset of information security, as I discuss in my introduction to information security article).
Then, data privacy (information privacy) is mostly about individual rights and organization decisions about how personal information about the individual is collected, stored, secured, shared, and used.
Thus, data privacy includes security, but also other many other elements. And cybersecurity involves securing many types of data and information systems, including individual (consumer) personal information but also others. So that's why they intersect in a large part but each also has distinct components. The intersection is not to scale, and is probably much larger, but I wanted the graphic to be clear and text visible.
Privacy laws and regulations
Today, consumers have varying privacy statutory legal rights depending upon applicable jurisdictions and sectors.
Here's a few helpful thoughts to keep in mind:
- "Privacy laws" and "cybersecurity laws" overlap. Indeed, almost every privacy law has a cybersecurity and data breach reporting component.
- The U.S. legal framework for privacy laws and regulations is a patchwork.
- A patchwork of laws and regulations, state vs. federal, and overlapping regulators and laws.
The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018 and applies to many U.S. organizations who collect personal information of EU citizens.
In the U.S., the Federal Trade Commission Act carries some privacy protections for consumers with requirements for business. Individual sectors such as finance and health have their own privacy requirements.
In the absence of an overarching federal privacy law, states have started to enact their own privacy statutes, starting with California then followed by others. The reach of these state laws extends beyond the borders.
Typical privacy legal requirements
Privacy laws generally create rights for consumers regarding information about them held by a business. This consumer rights mean legal obligations for the business. Privacy rights include:
- Notice about privacy practices; how the company collects, stores, uses, and shares information about the consumer.
- Ability to access data about the consumer, correct it, ask it be deleted or limit processing, or transfer data to another service provider.
A business privacy program should generally follow these principles:
- Be lawful, fair, and transparent
- Limit collection, use, and processing of personal data
- Keep personal data only as long as needed (then purge)
- Keep personal data accurately
- Keep personal data secure with good cybersecurity
- Be accountable for the above.
For organizations, privacy is a component of information governance
Organizations should think of cybersecurity, privacy, and business needs holistically and under the umbrella of information governance. This means managing the information technology, systems and data of a company, something well-run companies strive to do. This starts with having written policies for privacy, cybersecurity, and incident response.
This management can start with Bandler’s Three Platforms to Connect for compliance concept to align legal requirements with internal policy and company action. These should also be aligned with the Fourth Platform of business mission. When we add guidance to help us we have the Five Components for Policy Work.
Cybersecurity is a component of privacy, and a solid cybersecurity program protects organizations from cybercrimes such as data breaches, ransomware, and email based thefts as covered in earlier articles. Protection can start with Bandler’s Four Pillars of Cybersecurity which anyone can understand.
For individuals, privacy is important too
We should make conscious choices for our privacy, about the information we share, and we should teach the younger generations about this as well (and learn from them).
Knowledge of privacy is important for individuals and organizations. Individuals should strive to improve their awareness of privacy threats and choices they face. Organizations should develop privacy policies, comply with applicable legal requirements and protect consumer privacy.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- About the CIPP/US Privacy Certification and How to Study for It
- Introduction to Law (an outline)
- Cybersecurity, Privacy, You, and Your Organization
- External articles
- Privacy, you, and your business, John Bandler, Westchester & Fairfield County Business Journals, June 6, 2022, https://westfaironline.com/148491/privacy-you-and-your-business/
- CIPP/US: 5 things to know about privacy and cybersecurity law, John Bandler, InfoSec, February 2, 2022, https://resources.infosecinstitute.com/certification/cipp-us-5-things-to-know-about-privacy-and-cybersecurity-law/
- Privacy And You: Take A Step Forward On Data Privacy Day, John Bandler, informationsecuritybuzz.com, January 31, 2022, https://informationsecuritybuzz.com/articles/privacy-and-you-take-a-step-forward-on-data-privacy-day/
This article is hosted at https://johnbandler.com/privacy, copyright John Bandler, all rights reserved.
This article is also available on https://johnbandler.medium.com/privacy-7804466a1f4a (though not kept as up to date).
Originally posted 7/16/2022, updated 12/06/2022.