Why Privacy Should Be a Top Consideration for Your Organization

Cybersecurity often takes the headlines, but privacy deserves equal mention when it comes to the data that organizations collect. As with security, organizations have strong business reasons to build privacy into products and processes early. First, though, organizational leaders should understand the differences between security and privacy. 

Security focuses on data: protecting organizational assets from a breach while maintaining their confidentiality, integrity and availability. Privacy concerns the individuals whose data is collected and the harm they might suffer if their data were compromised. Privacy breaches can pose the same business risks as organizational data breaches, including financial loss, reputational damage and regulatory penalties. 

The best privacy practices combine technical and administrative controls. Without that balance, an organization may have strong policies but no way to enforce them, or ineffective technical controls because users don’t know when or how to apply them. An organization should consider both technical and administrative controls when evaluating its privacy practice.

In addition to federal privacy laws, some U.S. organizations are subject to the European Union’s General Data Protection Regulation or privacy laws in the five U.S. states that have passed them (California, Colorado, Connecticut, Utah and Virginia). Those states certainly won’t be the last, which brings up another critical point: Privacy is constantly changing — legally, technologically and culturally — which means organizations must be conscientious about staying up to date. 

It’s also essential to understand the limitations of consumer consent. A consumer might allow an organization to collect and use data in a particular way, but that doesn’t permit the organization to use that data for other purposes. For example, using personal information for marketing when a consumer authorized only transaction processing would constitute a privacy violation. 

Organizations need a solid grasp of their data flows: where data comes from, where it’s going, how it’s stored and who has access. A detailed data inventory and data map are crucial. Many organizations lack that insight. Further, it is impossible to protect data if you don’t know where it is or how it is used. The good news is that any measures that bolster privacy will likely enhance an organization’s cybersecurity posture too.

It’s not unusual for an organization to start small in one state and, as it grows, serve enough consumers in another state to meet its privacy regulation threshold. The best way to prepare for compliance with these regulations is to incorporate privacy into applications, products and services from the beginning. This eliminates the time, expense and hassle of going back later to re-engineer processes. 

Similarly, organizations should discuss privacy at the early stages. Does the organization need to collect certain data? How long must the data be retained? Can the data be disposed of sooner rather than later? At a minimum, these conversations should involve IT, legal and business units — the latter because they often decide which data the organization will collect.

Once a transaction is complete or personal data is no longer needed, that data should be removed from the system. Organizations may be reluctant to do so because historical sales and marketing data are valuable. But there are ways to anonymize and aggregate data that can eliminate personal details such as names and addresses. 

From a security perspective, there’s a strong argument not to retain personal data longer than necessary. The longer it exists, the more likely it is to be breached. In the event of a breach, an organization that follows proper data retention practices and loses only 10,000 records would be in a much better position than an organization that keeps everything and loses 1 million records.

Ultimately, organizations should consider making privacy a market differentiator. That’s just one of the many business advantages to enhancing privacy practices, even when the law doesn’t require it.

Story by Hyunjin Eugene Cho, the senior manager of the Data Privacy Services Practice for CDW, leading a team of privacy professionals.  He holds a Juris Doctor from Wayne State University Law School, a bachelor’s degree in physics from the University of Illinois Urbana-Champaign, and a master’s degree in physics from Northern Illinois University.  He has several years of experience in cybersecurity, privacy, information protection and intellectual property law.