This is the start of a blog series on Data Protection and Privacy. This instalment will serve as a general introduction to these topics. Later blogs in this series will go further in-depth into topics such as GDPR requirements and technical solutions to help with Data Protection and Privacy.
Data Protection & Privacy
More data is gathered now than ever before. Apps, websites, and social media all gather information on their users. Internet of Things devices, present in more and more places, gather information about their surroundings. Everyone walks around with mobile devices which share information about someone’s location, interests, political beliefs, and more. Because of this, organizations have access to more information than ever before on their business, their employees, and their customers.
This access to data has many positive consequences. Businesses are becoming increasingly data-driven, through things like business intelligence and data science, and this can result in clearer, more transparent insights and easier decision-making. However, this is also a potential risk. Many organizations have access to very sensitive information, such as financial information or personal information on their employees or customers.
The nature of this data means that it can be very harmful, for both the business and especially the people involved, if this data is not properly handled, secured, or disposed of. This blog will discuss the basics of the regulations concerning sensitive data, what counts as sensitive or personal data, and the best practices of working with it.
At the core of any discussion surrounding data protection and privacy is the General Data Protection Regulation (GDPR). While the scope of the GDPR is very wide, it is good to know the basics of what the GDPR is, and what it contains. The GDPR is a EU-wide set of rules on data protection and privacy, which regulates how businesses are allowed to work with data of private individuals located in the European Economic Area (EEA).
The GDPR applies to basically any business that has activities in the EEA, or activities concerning people located in the EEA, regardless of whether the business itself is located there. It establishes, among others, what data you can store, when, how you can process it, and what rights data subjects (the people whom the data concerns) have. The GDPR is one of the most far-reaching sets of rules on privacy ever created – it is legally enforceable, far-reaching, and noncompliance can result in enormous fines. Any organization that stores personal data should think about how the regulation applies to them, and what they need to do to ensure that they are compliant.
What data should you be concerned about? The GDPR identifies several types of data that are given special importance. The first, personal data (often called Personally Identifiable Information, or PII), refers to any information relating to an identified or identifiable individual. This obviously includes data that can be directly used to identify an individual, such as names, identification numbers, or addresses, but such a clean means of identifying an individual is not necessary for something to count as personal data. For example, data that includes a combination of postal code and age, while separately not enough to identify an individual, can often be used together to narrow down a search to a specific person. An individual even counts as identifiable even if outside sources need to be combined with the data to help identify an individual. As a general rule, if the data could reasonably be used to, with some effort, identify an individual, it counts as personal data.
Within personal data, there are a few cases for which a special amount of care is required, such as data relating to health, genetics, biometrics, racial or ethnic background, political opinions, religious or philosophical beliefs, trade union membership, and information regarding a person’s sex life or sexual orientation. Data relating to these topics is considered ‘sensitive personal data’, as this data could create significant risk for the individual. These types of data have additional rules with regards to processing and storage.
Of course, there is also sensitive data that is not personal data, and as such, is not dealt with by the GDPR. Think, for example, of financial information of the business, or confidential information with regards to business processes. While there are significantly fewer legal (or moral) demands of protecting this data, it is still important for a business to keep this data secure, and equal care should be taken with it.
When speaking about data protection, the first thought on a lot of people’s minds is what technologies can be used to protect data. There are a few obvious methods here, such as setting up firewalls, encrypting the data, data masking, data erasure, managing access control through for example Microsoft Azure Active Directory, or identifying sensitive data through tools like Azure Purview. These technologies make it more difficult for unauthorized people to access the data. Later instalments of this blog series will discuss some of these technical solutions.
Equally important to the technical protection of data is the culture in an organization. It is possible to technologically do everything right, but if the culture in an organization is not sufficiently privacy-oriented, it is still possible to create a data leak. For example, if the system only allows some people to access sensitive data, and this data then gets shared around in excel exports, it is as if the data protection technology did not exist in the first place.
While it is necessary to have these technical protections in place on multiple levels, they alone are not sufficient. The people actually working with the data should be aware of the rules, risks and obligations of working with sensitive data, and always keep data protection in mind. This blog series aims to further the awareness of data protection. Part two will discuss when and how you can process data.
Premium Microsoft Consulting with Devoteam
Devoteam M Cloud, an Expert Azure MSP Partner, is one of the world’s leading providers of Microsoft Cloud technologies. Our team of over 1,000 Microsoft experts in EMEA, helps modernize the IT architecture of leading businesses and governmental organizations. With this, we support our clients in their digital journey to the Cloud, make them future proof, and provide the best managed services.