Business Insights

Harvard Business School Online's Business Insights Blog provides the career insights you need to achieve your goals and gain confidence in your business skills.

 
Filter Results Arrow Down Arrow Up
Subscribe to the Blog
RSS feed

Data Privacy: 4 Things Every Business Professional Should Know

Professional working with data privacy icons
  • 04 Mar 2021
Catherine Cote Author Staff
tag

Data is a powerful resource that’s at the disposal of nearly every organization. It's collected every time an action is taken online, a product is purchased, and a patient visits a doctor. With so much data available, it’s beneficial to know how to use it to drive impactful decisions in your organization.

But what rights do customers have when it comes to their privacy? How can you navigate those rights and uphold their trust and safety? Data privacy is an imperative field to understand as a data-driven professional. Here’s a primer on what data privacy is and four things you need to know.

Free E-Book: A Beginner's Guide to Data & Analytics

Access your free e-book today.

DOWNLOAD NOW

What Is Data Privacy?

Data privacy, also known as information privacy, is a subcategory of data protection that encompasses the ethical and legal obligation to protect access to personally identifiable information (PII).

In the Harvard Online course Data Science Principles, taught by Harvard Professor Dustin Tingley, it’s explained that data privacy is made up of three key questions:

  • What data is collected?
  • How is the data stored?
  • Who can access the data?

Considering these questions can help you determine how to ensure the privacy of sensitive data without hampering its usefulness to your organization.

Related: Data Governance: A Primer for Managers

Data Privacy vs. Data Security

There’s a distinction between data privacy and data security, which together make up the field of data protection. Although they aid each other and share common goals, they have different focuses and implementations.

Data security focuses on systems in place that prevent malicious external attempts to access, steal, or destroy data, whereas data privacy focuses on the ethical and legal use and access to sensitive data and PII.

To illustrate the difference, imagine you work at an e-commerce company that stores its customers’ demographics, contact information, and credit card details. Customers freely and ethically provided this information, and your organization is in compliance with applicable privacy laws. The data is only accessible to members of your organization who need it to do their jobs and securely stored in an internal database. Data privacy encompasses all of these measures.

Now, imagine a third-party source tries to hack into your company’s database with malicious intent. This is where data security comes in. Two-factor authentication, data file encryption, and virtual private network (VPN) access are all examples of data security measures that can help protect your customers’ sensitive information and identities.

Data security and data privacy work together to ensure your customers’ safety and anonymity. Here are four things you should know about data privacy to help your organization collect and handle data with ethical and legal integrity.

4 Things to Know About Data Privacy

1. What Constitutes Personally Identifiable Information?

Personally identifiable information is any information that can be linked to a specific person. Examples of PII include:

  • Name
  • Address
  • Phone number
  • Email address
  • Social Security number
  • Driver’s license number
  • Social media handles
  • Bank account number
  • Passport number

The Importance of De-Identifying a Dataset

When non-identifiable information is linked to PII in a dataset, an individual’s privacy is lost. It’s of the utmost importance that consent is given before any PII is collected or made public. To protect privacy, one tactic is to de-identify data, or remove all PII from a dataset.

For example, if your company is tracking spending habits across various demographics, remove customers’ names, contact information, address, and credit card details, leaving only their demographics (for instance, age and gender) and purchase history. This ensures your company can still analyze variables of interest without putting customers’ privacy at risk.

The process of de-identification requires you to critically think about connections that can be made through data so it’s truly de-identified. Harvard Professor Latanya Sweeney, who’s featured in Data Science Principles, conducted research to discover how easily de-identified data can be re-identified. Re-identification is the process of combining two or more datasets to reveal identities, and it presents a significant threat to privacy.

In the course, Sweeney explains that information often assumed to be anonymous—like birthdate, gender, and ZIP code—can be linked to specific individuals in public, non-de-identified datasets, like voter lists.

“Eighty-seven percent of people in the United States are estimated to be unique based on date of birth, gender, and ZIP code,” Sweeney says. “If somebody takes a dataset that’s supposed to be anonymous and re-identifies the people in it, all kinds of harm can happen.”

2. How to Protect Data Internally

While your company may collect and store customers’ data, all employees shouldn’t have access to it. PII should only be available on a need-to-know basis within an organization. This prevents any accidental, or purposeful, misuse or publication of sensitive information.

Here are some simple but effective tips to secure data internally:

  • Lock your computer when you get up from your desk.
  • Lock any filing cabinets or drawers containing hard copies of data.
  • Password-protect database access.
  • Use a secure file transfer method.
  • Properly store physical copies of data, and don’t leave them out where they could be taken, misplaced, or read.
  • Don’t message or talk about sensitive data with others unless you’re in a secure, private meeting room.

Although some of these tips seem like common sense, they can go a long way in ensuring your customers’ data remains in the right hands.

3. It’s a Legal Responsibility

Data privacy is a legal responsibility with strict guidelines and repercussions. The laws that apply to your company depend on location and the type of data you handle. Familiarize yourself with the laws that pertain to the locations of your business and customers.

Here are a few examples of data privacy laws, who they impact, and what they generally require. In addition to data privacy, many of these laws include mandates pertaining to data security.

General Data Protection Regulation (GDPR)

The GDPR is a data protection act passed by the European Union in May 2018. This law applies to any person or company that handles the data of Europeans. The seven pillars of the GDPR are:

  • Lawfulness, fairness, and transparency: There should be no deception in the data collection process.
  • Purpose limitation: Data subjects must be told why you’re collecting their data.
  • Data minimization: You must only collect the smallest amount of data necessary for your specified purpose.
  • Accuracy: You must keep data accurate and up to date.
  • Storage limitation: The data must not be stored for longer than the intended purpose.
  • Integrity and confidentiality: Appropriate security measures must be in place to ensure confidentiality, and the data’s integrity must be maintained across format and time.
  • Accountability: Data handlers are responsible for complying with the GDPR.

The GDPR is extensive and, at points, vague. If you’re collecting data from customers who live in the European Union, give this law a thorough readthrough to ensure you’re in compliance.

California Consumer Privacy Act (CCPA)

The CCPA, passed in June 2018, protects California citizens’ right to be aware and in control of what personal data businesses collect and store about them. The law comprises four key individual rights:

  • The right to know about the data businesses collect about them and how it’s used and shared
  • The right to delete personal information collected from them (with a few exceptions)
  • The right to opt-out of the sale of their personal information
  • The right to non-discrimination for exercising their CCPA rights

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a law passed in 1996 to protect the medical privacy of US citizens. The HIPAA Privacy Rule was put in place to provide explicit guidelines for any person or organization that handles medical data. This includes:

  • Health care providers, such as hospitals, doctor’s offices, and dental practices
  • Health plans, such as insurance organizations and health maintenance organizations
  • Health care clearinghouses, for instance, a company that transfers health care data from a health care provider to a business associate
  • Business associates, whose duties include claims processing, data analysis, utilization review, and billing involving personally identifiable medical data

The HIPAA Privacy Rule aims to protect individuals’ rights to know and control who has access to their medical data and understand how it’s being used. It protects their right to privacy while still allowing for the transfer and use of data to drive medical advancement.

Related: 3 Applications of Data Analytics in Health Care

4. It’s an Ethical Responsibility

Data privacy is not only a legal matter, but an ethical one. The ethics of data privacy can be boiled down to the fact that an individual’s consent is necessary to collect, store, and use their personal information.

The powerful nature of data can be enticing, but it’s important to judiciously use PII. Remember: There are real people behind your data points. They have identities and lives that could be at risk if their sensitive data ends up in the wrong hands, which makes your precautions and transparency well worth the effort.

A Beginner's Guide to Data & Analytics | Access Your Free E-Book | Download Now

Protecting Your Customers’ Data

Your compliance with privacy laws, internal precautions, and efforts to de-identify data help uphold your customers’ safety and right to privacy. In giving you their consent, they’re trusting you to protect their information and use it for a specific purpose—whether that’s identifying a trend that could lead to a new product, tracking spending habits to personalize their shopping experience, or backing a decision to increase funding for a specific health care initiative.

Understanding the ethical, legal, and logistical foundation of data privacy enables you to maintain their trust and use data to make a positive impact.

Are you interested in furthering your data literacy? Download our Beginner’s Guide to Data & Analytics to learn how you can leverage the power of data for professional and organizational success.

About the Author

Catherine Cote is a marketing coordinator at Harvard Business School Online. Prior to joining HBS Online, she worked at an early-stage SaaS startup where she found her passion for writing content, and at a digital consulting agency, where she specialized in SEO. Catherine holds a B.A. from Holy Cross, where she studied psychology, education, and Mandarin Chinese. When not at work, you can find her hiking, performing or watching theatre, or hunting for the best burger in Boston.