Data privacy is the branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations.
The purpose of personal data protection is to protect the fundamental rights and freedoms of persons and companies that are related to that data.
Data privacy is the right of a citizen to have control over how personal information is collected and used. Data protection is a subset of privacy. This is because protecting user data and sensitive information is the first step to keeping user data private.
South Africa's data privacy regulation, the Protection of Personal Information Act (PoPIA) extends the definition of a citizen to include any juristic person. This means that our data privacy bill protects against the abuse of sensitive data related to individuals (like customers and employees) and companies (suppliers and partners).
Ensuring data privacy requires sound data management practises
Whilst legal compliance is of course essential, the bulk of the effort of ensuring compliance is built around ensuring sound data management practices.
Data privacy is built upon a foundation of accountability.
In larger organisations, accountability means defining and sharing clear policies for the use of personal data, and ensuring that these policies are followed throughout the organisation. Polices can be linked to specific business processes and systems, to link individual actions to the underlying data and ensure that privacy is not infringed. A governed data catalogue can be an invaluable tool for tracking and sharing (and to external auditors and regulators) the details of your policies within the organisation, and for putting these into the context of actual data use.
Locate and document personal data
In order to protect personal data, we need to understand where it is captured and stored, and for what purpose.
This can be a very large challenge, particularly for larger organisations. The use of automated scanners to locate PII and other sensitive data can be extremely helpful to then complete Impact Assessments, Risk Assessments, Data Cataloguing and Classification exercises
Once data is secured we need to protect it from both internal and external threats. Whilst it may be tempting to focus on securing the perimeter of the organisation, many cases of abuse of personal data are internal. Managing data privacy effectively requires a nuanced approach to data security - ensuring role-based access to individual fields based on the user's processing purpose. Blending technology such as masking, encryption and user behaviour analytics ensures the granular level of security needed to ensure the data subject is protected.
A final piece in the puzzle is to monitor personal data access for suspicious activity. A number of breaches have occurred through the illegal activities of legitimately authorised users. By monitoring user activity and access, and flagging unusual or suspicious activities for further investigation, we minimise the risk of abuse.