The Key Principles of Data Protection (EU and North America)

 

There’s no doubt that the typical modern enterprise generates large amounts of data that must be moved, analyzed, and safely stored. Because much of this data involves the privacy of users and customers, various laws and regulations have been created to drive strong protection practices. While these regulations vary a great deal from country to country, the underlying concept remains the same: keep data safe while making it available to authorized users when they need it.

What this article will cover:

• What is data protection?
• Data protection in the US
• Data protection in Canada
• Data protection in the EU
• The 7 principles of data protection (GDPR)
• Data protection solutions

What is data protection?

Data protection is the concept of safeguarding important data from corruption, compromise, or loss. It doesn’t just involve passive protection and also includes establishing processes for restoring and recovering data. This is typically done trough reliable backup software. Data protection also covers matters of compliance with applicable legal or regulatory requirements.

In addition to security, data protection concern authorized access to data. Obviously, one can’t simply delete important data or lock it inside an impenetrable vault. Data is meant to be used, and protected data must be available to authorized users when needed for its intended purpose.

In broad terms, the modern idea of data protection spans three broad categories: traditional data protection such as backups; data security and breach defense; and data privacy.

Here’s a video guide on data protection and methods to learn more about how IT and MSP teams can keep business-critical information safe.

The first principle of data protection

The primary principle of data protection is to engage methodologies and technologies to protect data while making it available to authorized users under all circumstances.

Beyond this basic maxim, data protection becomes very granular depending on the region in question. Various laws and government regulations add layers and details to this broad-level objective, taking into consideration myriad cybersecurity concerns and matters of personal privacy.

As we continue, we’ll explore data protection as defined within different regions.

Data protection principles in the United States

Unlike some regions, notably the European Union, the United States does not have a comprehensive federal law governing privacy and the handling of data or personal information. Instead, organizations in the US must navigate an amalgam of federal and state laws that regulate the collection, processing, disclosure, and security of personal information (PII).

In addition, certain industries such as healthcare and finance are regulated in ways unique to their sector.

Because of the decentralized nature of US data protection laws, data controllers have to stay up to date with these varied laws and prepare for likely further evolution in US data regulation.

Let’s take a quick look at the major data protection laws that codify key principles of data protection for the US:

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that establishes standards when safeguarding certain health-related personal information from being disclosed without the patient’s consent or knowledge.

The HIPAA Privacy Rule, brought forth by the US Department of Health and Human Services, went into effect in 2003 and regulates the use and disclosure of protected personal information in healthcare treatment, payment, and operations.

An additional HIPAA Security Rule also went into effect in 2003 which deals specifically with electronic medical records. This rule specifies administrative, physical, and technology safeguards required for HIPAA compliance.

FCRA

The Fair Credit Reporting Act (FCRA) is a federal law governing consumer reporting agencies and their procedures regarding the confidentiality, accuracy, relevancy, and proper use of personal data.

The personal information governed by FCRA is specific to credit reporting and consumer reports sold for purposes of determining eligibility for employment, for credit or insurance underwriting, and for certain other purposes described in the FCRA.

The FCRA also includes several protections for consumers, including the right to obtain one’s own credit score and the right to know what is in the file that a consumer reporting agency maintains on the consumer.

GLBA

The Gramm-Leach-Bliley Act of 2002 (GLBA) is a federal law that primarily regulates the collection, use, disclosure, and protection of nonpublic personal information collected by financial institutions.

COPPA

The Children’s Online Privacy Protection Act (COPPA) is a federal law that imposes requirements on websites directed to children under 13 years of age and on operators of websites or online services that knowingly collect personal information from children under 13 years of age. Operators covered by COPPA must disclose certain information in their privacy policy and obtain parental consent before collecting certain types of information from children under the age of thirteen.

FERPA

The Family Educational Rights and Privacy Act (FERPA) is a federal law that covers the protection of students’ educational records. FERPA applies to any public or private elementary, secondary, or post-secondary school, as well as state or local education agencies that receive funds under certain US Department of Education programs.

FERPA gives parents and eligible students greater control over their educational records, as well as prohibiting educational institutions from disclosing personally identifiable information in education records without written consent from an authorized individual

TCPA

The Telephone Consumer Protection Act (TCPA) is a federal law regulating telemarketing calls, auto-dialed calls, recorded calls and automated text messages, and unsolicited faxes. TCPA also lays out technical requirements for fax machines, autodialers, and voice messaging systems and how to identify users of such equipment.

Privacy act

The Privacy Act of 1974 is a federal law that applies largely to federal government agencies, contractors, and employees. The Privacy Act restricts disclosure of personal information maintained by government agencies and grants individuals increased rights of access to agency records maintained on themselves. This law also establishes a code of fair information practices with statutory requirements for collection, security, and dissemination of personal records.

Data protection principles in Canada

Data protection laws in Canada are similar to those in the US in that they consist of a complex set of federal and provincial statutes. Like within the US, some of these laws enforce regulations on specific sectors. Certain statutes include mandatory notification and reporting requirements in the case of a breach of personal information.

The key data protection statutes in Canada include:

• Federal: Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)
• British Columbia: Personal Information Protection Act (BC PIPA)
• Alberta: Personal Information Protection Act (AB PIPA)
• Quebec: Act Respecting the Protection of Personal Information in the Private Sector (Quebec Private Sector Act)

Canada has also enacted an anti-spam law, Canada’s Anti-Spam Legislation (CASL), which involves electronic marketing activities such as data collection and bulk email sending.

Data protection principles in the European Union

The European Union currently boasts the most comprehensive data protection framework in the world. The General Data Protection Regulation (GDPR) enacted in 2018 serves as the legal framework for data protection and privacy for every member state.

This complex legislation establishes data protection principles that businesses must adhere to if they are conducting trade with the EU. Failure to follow legal frameworks carries stiff fines and penalties to ensure GDPR compliance. The GDPR is designed to protect EU citizens’ sensitive data and give them more control over how it is accessed and used. Requirements include controls over international data transfers and citizens’ rights to have data deleted.

We’ll explore the GDPR in greater detail in the next section.

The 7 principles of data protection (GDPR)

1. Lawfulness, fairness and transparency

GDPR Article 5(1)(a): “Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”

According to this data protection principle, organizations must ensure their data collection methods don’t compromise the law and that their use of data is transparent to those whose data is being collected.

2. Purpose limitation

GDPR Article 5(1)(b): “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes”

The principle of data protection states that organizations must only gather personal data for a defined and stated purpose. They must outline what the purpose and goal is, and only collect data for the time that they need to achieve these ends.

Data collection and processing that is carried out for historical, scientific, or statistical research, or for reasons in the public interest, is granted more freedom.

3. Data minimization

Article 5(1)(c): “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).”

Organizations should only retain the smallest amount of data needed for their requirements. Gathering “extra” data in hopes that it will be useful later is not allowed.

4. Accuracy

Article 5(1)(d): “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”

Organizations must ensure that the personal information they collect is accurate and up-to-date. Personally identifiable information must be reviewed regularly, and inaccurate information must be corrected or deleted.

5. Storage limitations

Article 5(1)(e): “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)”

After collecting data, that data should be deleted. If there is an acceptable reason for keeping the information, for example that it can be used for public interest or historical research, the organization must set and justify a retention period.

6. Integrity and confidentiality

Article 5(1)(f): “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”

Any information retained must be kept securely. Organizations must implement adequate data protection measures are set to safeguard personal information. This typically requires an organization to rely on IT security tools.

7. Accountability

Article 5(2): “The controller shall be responsible for, and be able to demonstrate compliance with [the other data protection principles]”

This means that organizations should take responsibility for the data they retain and show compliance with all the other principles. Organizations should be able to document and prove their adherence to these practices.

This may involve:

• Keeping up to date on data protection practices
• Creating a Data Protection Officer (DPO) or compliance officer position
• Establishing a personal data inventory
• Performing data protection impact assessments and cybersecurity audits

NinjaOne and data protection

Choosing the right tools can make a huge difference when creating a data protection plan for your organization. NinjaOne Backup allows organizations to protect their data by backing up sensitive data for easy recovery in the event of a disaster, cyberattack, or even just an accidental deletion. This data is stored in immutable cloud storage and is encrypted in transit and at rest to prevent unauthorized access and to ensure data integrity. NinjaOne is designed to help organizations and IT providers tackle the complexities of data protection regulations.

• Full Image Backup
• Document, File, and Folder Backup
• Endpoint Management
• Patch Management
• Bitdefender Advanced Threat Security
• Comprehensive Ransomware Defense

Build a solid data protection foundation. Watch The key principles of data protection now!

Conclusion

Data protection protects sensitive data against compromise or corruption. While implementing the key principle of data protection may seem challenging, organizations that deal with high-value data must protect the personal information they collect and process from the increasing number of cyberthreats.

IT compliance with major data protection laws and regulatory standards reduces the possibility of data breaches and prevents businesses from facing costly fines and legal fees. Following the key principles of data protection ensures that strict security measures are in place and compliance is maintained in regions or industries where it’s required. Choosing the right compliance management solutions and partners can be lifesaving when it comes to navigating the complex waters of data protection.