Practical Guidance: The Technical Side of Compliance

Recently, Forbes released an article titled 13 Tech Experts Explain Essential Facts About Data Privacy And Data Protection, in which “13 members of Forbes Technology Council further explore and explain data privacy and data protection, their differences and their impact on businesses.”

ADCG has created guides and explainers for most if not all of the concepts explored in this roundup. We’ve summarized Forbes’ points here, and linked to further reading on ADCG’s site.

1. True Data Protection Requires Securing Every Point Of Entry

Roger Northrop, the chief technology officer (CTO) of Mutare, Inc. points out that a complete and effective data security process requires companies to “secure every single point of entry” in their information systems.

The first practical step toward the standard Northrop outlines is to assess your company’s current cybersecurity and data governance practices. To get started, check out ADCG’s guide: Cybersecurity Checkup: 5 Steps You Can Take Now.

2. Data Protection Covers The ‘Technical’ Side Of Compliance

Northrop and Clément Stenac, the CTO of Dataiku, both distinguished data privacy — the standard governing who may access certain data an organization collects or stores — from data protection — the actual processes, procedures and tools used to keep that data technically secure. Stenac noted, however, that the two overlap by nature, as “data protection is the ‘technical’ part of the ‘legal and compliance’ elements defined by data privacy.” To read more about the latest data protection tools, click here.

3. Data Privacy Encompasses Consumers’ And Partners’ Rights To Manage Their Data

According to Jamilia Grier, founder and chief executive officer (CEO) of ByteBao, data privacy for your organization should encompass company policies both for keeping certain information private and for managing a consumer’s right to review, modify, or erase that private data.

This has become increasingly clear over the last few years as several states have adopted legislation requiring covered organizations to establish procedures for maintaining and responding to these consumer rights. Check out the following guides to state laws from ADCG: Virginia Becomes Second State to Enact Comprehensive Privacy Bill; A Guide to Utah’s Data Privacy Act; CPPA Releases Draft Regulations of CPRA; and CPRA Training Requirement. You can also search our “News and Resources” section for your state.

4. Data Protection Requires Infrastructure Managed By Qualified Engineers

Oleg Lola, Founder and CEO of MobiDev, says that to actually protect your organization’s data you need a qualified engineer to oversee the process and ensure that the data is stored safely and secured properly. And, as we discussed in our recently released ADCG article, Employee Privacy to See Advances in 2023, finding or retaining these qualified engineers may present your organization with some challenges this year. If you’re looking to rethink your data infrastructure, consider reading Why Your Organization Should Invest in Confidential Computing.

5. Modern Data Privacy Is Moving Toward Limiting Data Collection And Storage

Cyril Korenbeusser, Chief Resilience Officer (CRO) of BNP Paribas, notes that businesses have recently trended away from the idea that the more data they accumulate on a consumer, the better they can serve that consumer. To learn why, check out: Why Organizations Need to Start Implementing Data Minimization.

6. Data Privacy And Data Protection Are Both Key To Building Brand Trust

While Dale Renner, the Founder and CEO of Redpoint Global Inc., agreed with Northrop and Stenac’s approach of distinguishing data privacy from data protection, he acknowledged that both elements are “key to building and maintaining trust with consumers, which will result in a strong and secure brand reputation.” That is part of the story behind our article Why 83 Percent of Financial Organizations Plan to Invest in Data Rights Management.

7. Data Privacy Is Something Every Employee Is Responsible For

Jeff Fettes, CEO of Laivly Inc., proposes that a proper data privacy process requires “day-to-day proper handling of personally identifiable information[.]” This can be challenging to accomplish, so if your organization is larger and handles personally identifiable information (PII), Fettes encourages the use of an external auditor to verify that this day-to-day management is actually being achieved. And don’t forget: Cybersecurity Training is Important for the Whole Organization.

8. Data Privacy Is About Access; Data Protection Is About Security

Laureen Knudsen, chief transformation officer (CTrO) of Broadcom, stresses the importance of data privacy and data protection because they help gain and keep the trust of your customers, vendors, and employees. But what happens when a breach occurs anyway? That’s why we have cybersecurity frameworks—and an ADCG explainer: How Cybersecurity Frameworks Can Protect Your Organization (Even in the Event of a Breach).

9. Data Privacy And Data Protection Work Together To Protect Companies From Risk

Neil Lampton, President and Chief Operating Officer (COO) of TIAG, stated “data privacy and data protection are different sides of the same coin[,]” both of which “are important and necessary to keep a business running smoothly and to protect companies from risks.” Our explainer on NIST’s guide for assessing risk can help you get started.

10. De-Identifying Data Helps Address Both Privacy And Protection

James Beecham, Founder and CEO of ALTR, stressed the importance of de-identifying consumer information to ensure data privacy, since ensuring a consumer’s privacy “is a commitment to customers that must be honored.”

To learn more about de-identifying your company’s data, review these ADCG articles: Why Your Organization Should Invest in Confidential Computing; Data Classification; and ADCG Explainer – Polymorphic Encryption.

11. Data Privacy Applies To Highly Sensitive Data; Data Protection To All Data

Suresh Sethuramaswamy, Engineering Lead at Microsoft, stated that data protection requires “[a] combination of techniques” to ensure “maximum protection from ransomware, data leaks, accidental damage and so on.” Data privacy, on the other hand, can be accomplished by “ensuring limited data collection, establishing highly restrictive access controls and meeting compliance requirements.” Our explainer on clean rooms offers some practical guidance for achieving both protection and privacy.

12. There Are Multiple Global Regulations Regarding The Collection And Sharing Of Data

Neelima Mangal, Global Head of Delivery at Nutcache, stressed the “crucial” significance of both data privacy and data protection given the related “legal ramifications and requirements[,]” such as Europe’s General Data Protection Regulation (GDPR) and China’s Data Security Law.

13. To Ensure Both Data Privacy And Protection, You Must Monitor Your Entire Data Pipeline

Nicholas Domnisch, CEO of EES Health, encouraged organizations to monitor their entire “data pipeline” and to protect it with end-to-end encryption. To read about Privacy by Design, click here.

* * * * * * *

To read our news alerts discussing: Hong Kong’s data privacy law, Congress’s progress on the ADPPA, and the FTC’s proposed settlement with BetterHelp, click here.

This week’s breach report covers the following organizations: Chick-fil-A, PayPal (lawsuit), Denver Public Schools, Verizon (outside vendor), Hatch Bank. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues, from proposed federal and state regulations to best practices and standards for compliance. Episodes are available on many platforms, including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

87 | Artificial Intelligence & Chatbots…Helpful or Harmful? (With guest Heather West)

86 | Using Tools to Help Manage Incident Response (With guest Lauren Wallace)

85 | How Incident Response Has Changed (With guest Violet Sullivan)

To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
