Data privacy: Your absolute guide to its importance, regulations, and more

17-04-2024 | 9 min read | GDPR compliance, SAP Information Lifecycle Management

The new catchphrase in the industry is “Data is the new oil”, and it makes sense, as data fuels an increasing number of businesses. With the growing volumes of data, organisations are collecting data on their users at a rapid pace. As a matter of fact, it is said that 90% of the data in use today was created in the last two years.

With data, organisations leverage the benefits of getting customer insights, unlocking newer opportunities for value creation, and much more. As a result, people are receiving more tailored results in searches, leading to a satisfactory end result for both the users and businesses. However, amidst all the significant benefits and importance of data, a topic that often comes into the limelight is data privacy.

Privacy of data is of utmost importance in today’s landscape for both companies and consumers, to ensure that data is not stored unlawfully. The fact of the matter is that the main reason for data privacy is the protection of everyone’s data, as individuals, as employees, and as customers. Having said that,  the emergence of multiple and frequent cyberthreats also adds up to the argument.

Given the fact that ample private information is stored online, in the organisation’s databases, and so on, a data breach can have grim consequences for both businesses and their clientele.

In simple terms, data privacy refers to the handling of crucial personal information, also called “Personally Identifiable Information” (PII) and “Personal Health Information” (PHI). This information includes your social security numbers, financial information, health records, and so on.

However, if we had to define data protection and privacy in the business context, it practically goes beyond the employees’ and customers’ PII and PHI. There’s company data, business strategies, confidential agreements, and much more. It concerns all the information that helps organisations operate smoothly.

Before diving into the importance of data privacy, let me share some insights into who stores your data and where.

Firstly, regulatory and legal authorities handle your data. Take the justice system as an example: you cannot go to the courthouse or file a claim report without revealing your identity, because it is impractical to file a suit anonymously. Similarly, for electricity, healthcare, travel, and even your basic education, authorities require your data, because you cannot obtain any of the aforementioned without revealing information about yourself. Although the government holds ample personal data, it does not infringe on your privacy more than necessary, meaning it stores only the data that is needed.

A few years back, going to a retail store and buying a dress was much simpler: you would buy, pay, and remain a stranger to the salesperson. Today, with the options of paying digitally or even shopping digitally, businesses in general gain access to your private information. As a matter of fact, anything we do or search online leaves a data footprint, and honestly, we have very little control over the digital footprint that is collected. Although there are privacy policies in place, and sites do ask for our consent before storing our data, do we really know whether sites adhere to what they say in those documents?

For the most part, both governments and organisations adhere to their policies and store only the client information that is needed. But if cybercriminals launch a cyberattack, our personal information is put in jeopardy. Therefore, having robust data privacy laws in place becomes extremely important.

Amongst all the reasons that support the importance of protecting your data, here are the absolute key ones –

Organisations deal with huge amounts of data, much of which includes personal information about their clients and customers. Protecting it becomes a priority, and this is where data privacy comes into play. It safeguards information from unauthorised access, ensuring that sensitive and confidential data remains safe and secure. By protecting and maintaining control over data, organisations can mitigate the overall risks of identity theft, fraud, and other malicious activities.

There are several data privacy laws and regulations established today, like the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA) in California, the Digital Personal Data Protection Act of 2023 in India, the Loi 25 in Québec (Canada), and so on. These laws and regulations make it mandatory for organisations to implement measures that protect the data protection rights of their clients and of individuals. Ensuring compliance with these data protection and privacy laws helps organisations avoid hefty fines, legal repercussions, and reputational damage.

Organisations handling data must, by default, obtain consent from clients for collecting their data, using it, and sharing it. Data privacy is therefore an ethical responsibility for organisations. By adhering to ethical data protection practices, organisations reinforce their commitment to respecting everyone’s rights while also promoting transparency in their business operations.

Consequently, having ethical data protection practices in place also establishes trust and confidence between clients (customers, individuals) and organisations. By prioritising and demonstrating their commitment to data protection and privacy, organisations build a reputation for integrity and reliability amongst their clientele. This fosters trust and confidence, leading to much stronger and longer-lasting relationships.

Data privacy helps individuals maintain control over their personal information, allowing them to decide how the data is collected, used, and shared. Moreover, this respects the individual’s autonomy and ensures that the provided information and data are not exploited or misused without consent.

You’d be surprised to know that data privacy is not just about protecting data but also about fuelling innovation. Wondering how? Well, when your clientele or individuals trust that their data will be handled responsibly, they are more likely to share information willingly. Organisations can then use that data to gain valuable insights, driving personalised experiences, advanced research and development, and more.

Do you also think that data privacy and data security are the same thing? If yes, then let’s debunk the myth.

Data security refers to protecting data from unauthorised access, malicious attacks, theft, and so on. It comes with a set of tools, procedures, and policies, such as encryption, network monitoring, password management, and so on. These policies help secure data from cyberattacks, which can either be external or internal. Overall, data security falls under cybersecurity.

On the other hand, data privacy refers to the handling of sensitive data, which includes personal information. It covers the laws governing how personal data may be used, collected, and shared. Overall, data protection and privacy are about the ethical and responsible use of data.

Technology and the internet have become an inseparable part of our lives, business or otherwise. With that, governments across the world have created and passed data privacy laws to regulate the use of data by organisations. Here are a few important data privacy regulations that you must know of –

Effective from 25th May 2018, the General Data Protection Regulation, or GDPR, regulates data protection and privacy across all EU member countries. The General Data Protection Regulation is a comprehensive data protection law, outlining a framework for collecting, processing, storing, and transferring personal data.

While GDPR grants individuals several rights regarding their data, it also imposes fines and penalties on businesses that do not comply with the requirements of the law. The General Data Protection Regulation was designed to provide greater protection and rights to individuals who give consent to organisations to capture their data. Additionally, this data privacy regulation outlines how the private data of any user must be collected, sorted, and used, along with the applicable limitations.

The fact of the matter is that GDPR is one of the most comprehensive data protection laws developed in the past decade. It has harmonised data protection regulations across the member countries of the EU. It also extends its reach to non-EU organisations whenever personal data is collected and processed within the European Union. Having said that, the General Data Protection Regulation also applies to any organisation that offers services in the EU, regardless of where it is based.

The California Consumer Privacy Act of 2018, also known as CCPA, gives consumers more control over the personal information collected by businesses. It is considered a landmark law, securing new privacy rights for consumers in California. The law includes –

  • Consumers’ right to learn how the information collected about them is being used and shared by businesses.
  • The right to delete their collected personal information, with some exceptions.
  • The right to opt out of or decline the sharing of their personal information.
  • Consumers’ right to non-discrimination for exercising their CCPA rights.

In November 2020, Proposition 24, the California Privacy Rights Act (CPRA), was approved and amended the CCPA. It added further data privacy rights, effective from 1st January 2023, namely –

  • Consumers’ right to correct inaccurate personal information that a business holds about them.
  • The right to limit the use and disclosure of sensitive personal information.

Previously known as Bill 64, the Loi 25 (or Law 25) in Quebec, Canada, is a legislative act aiming to revamp data protection and privacy regulations. Introduced by the provincial government in June 2020, the Loi 25 was formally adopted in September 2021.

Loi 25 includes an array of new requirements that businesses in Quebec must comply with; the requirements come into effect in phases over a three-year period starting in 2022. The law includes more robust privacy rights for individuals and several controller requirements, such as revised privacy policies, risk assessments, and data breach notifications.

India’s Digital Personal Data Protection Act, or DPDP, passed in August 2023, is a law that governs the collection, usage, storage, and sharing of personal data in the country. The law aims to strike a balance between protecting people’s privacy and allowing businesses to use the information for legitimate purposes. A few key aspects of the DPDP law in India include –

  • Legal use of information
  • Data security
  • Consumers’ rights over their information
  • Transferring and storing personal data.

We will discuss GDPR, CCPA, DPDP, and Loi 25 in-depth in our upcoming blogs!

Personal data is everywhere: in HR records, scattered across several SAP modules, in multiple documents and tables, in the organisation’s CRM, and so on. It can also be found in all sorts of documents like invoices, payslips, emails, and contracts, and it cannot be kept in SAP without a purpose. As it stands, applying data privacy to SAP systems is a difficult nut to crack.

In general terms, the following steps can be followed –

  • The first step is identifying where personal data is stored.
  • Secondly, define rules for data retention, locking, and deletion after defined periods. The retention period is determined according to the purpose for which the personal data was collected, for example, order management, invoice management, application management, and so on.
  • Once the purpose has been fulfilled and the retention period has expired, personal data must be archived, deleted, or anonymised.

Keep in mind that there is no single solution for handling GDPR and data privacy requests in SAP, but rather a combination of tools. The main solution provided by SAP is SAP Information Lifecycle Management, or SAP ILM, which allows SAP users to define data retention policies and destroy data at the end of the retention period. Other tools provided by SAP Partners, like the Archiving Sessions Cockpit by TJC Group, make it possible to automate this process.
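The retention steps above, as an added Python example that is not from this article, from SAP ILM, or from TJC Group: a small policy engine maps each record’s collection purpose to a retention period and decides whether the record is still retained, locked (purpose ended, retention running), or due for destruction or anonymisation. The purposes, periods, record fields, and sample records are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Retention period per collection purpose. Values are constructed for
# illustration; real periods come from the applicable legal/fiscal rules.
RETENTION_RULES: Dict[str, timedelta] = {
    "order_management": timedelta(days=365 * 10),
    "invoice_management": timedelta(days=365 * 7),
    "application_management": timedelta(days=180),
}

@dataclass(frozen=True)
class PersonalDataRecord:
    record_id: str
    purpose: str
    subject_name: str                 # the personal data itself (assumed field)
    end_of_purpose: Optional[date]    # None while the business process is open

def classify(record: PersonalDataRecord, today: date) -> str:
    """Decide the lifecycle action for one record.
    retain  - purpose still active, data is needed operationally
    lock    - purpose ended, retention period running: block general access
    destroy - retention period expired: delete or anonymise
    Data with no defined purpose cannot be kept, so an unknown purpose is an error.
    """
    if record.purpose not in RETENTION_RULES:
        raise ValueError(f"{record.record_id}: no retention rule for {record.purpose!r}")
    if record.end_of_purpose is None or record.end_of_purpose > today:
        return "retain"
    expiry = record.end_of_purpose + RETENTION_RULES[record.purpose]
    return "destroy" if today >= expiry else "lock"

def anonymise(record: PersonalDataRecord) -> PersonalDataRecord:
    """Strip the identifying field but keep the key, so references stay intact."""
    return replace(record, subject_name="ANONYMISED")

def run_retention(records: List[PersonalDataRecord], today: date) -> Dict[str, str]:
    """Map every record id to its action; the caller applies lock/destroy."""
    return {r.record_id: classify(r, today) for r in records}

# Constructed sample data, evaluated as of the article's date (17-04-2024).
SAMPLE_RECORDS = [
    PersonalDataRecord("ORD-1", "order_management", "A. Example", date(2012, 1, 1)),
    PersonalDataRecord("INV-7", "invoice_management", "B. Example", date(2020, 6, 30)),
    PersonalDataRecord("APP-3", "application_management", "C. Example", None),
    PersonalDataRecord("APP-4", "application_management", "D. Example", date(2024, 1, 15)),
]
```

Running `run_retention(SAMPLE_RECORDS, date(2024, 4, 17))` flags the 2012 order for destruction, keeps the 2020 invoice and the January 2024 application locked, and retains the open application.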

As we move into the future, data privacy will be an even hotter topic than it is now. We are surrounded by facial-recognition cameras, smart speakers that listen to our conversations, wearable health monitors, and other data-gathering gadgets. It becomes imperative that we take proper measures to ensure the protection of our data, whether individually or as a business.

With regulations like GDPR, a number of personal data processing obligations are imposed on organisations. For businesses, especially those operating or offering services in the EU, the best course of action to ensure GDPR or legal compliance is to define data retention rules using the solutions that SAP provides free of charge when they are used to comply with data privacy laws. SAP ILM goes beyond standard data archiving, aiming for a good balance between total cost of ownership (TCO), risk, and legal compliance. It comes with a set of policies, processes, practices, and tools required to align the business value of information with the most appropriate and cost-effective infrastructure.

Achieving data compliance while adhering to the legal and fiscal requirements during the archiving process can be challenging. At times like this, you need experts to pull out the thorns and simplify the process for you.

TJC Group is that expert for you. With our proven SAP ILM process and due diligence, organisations can breathe a sigh of relief, as they can show regulators evidence of a clear project scope and a proven methodology, all fully automated.

Connect with us to learn and implement SAP ILM and ensure compliance with data protection and privacy laws.

Author: PP+LP