There are a lot of privacy laws - it’s an alphabet soup of laws specific to countries or states as well as types of data. To comply with all of these laws, companies often take a principles-based approach to compliance - in other words, following principles that are common to all the laws.
Here are some of those principles:
- Lawfulness: In some countries, companies have to have some legal reason for collecting data from a person (called a “data subject”) - like if a person consents to having their data collected, or if you need to collect data to complete a transaction (like getting addresses for shipping).
- Purpose Limitation: Only using data for the purpose for which it was collected. For example, if you collect email addresses to send receipts for a purchase, don’t use them for marketing.
- Data minimization: Companies should only collect the data they need. You might need an address and credit card number to complete a sales transaction, but not a social security number!
- Transparency: Companies need to tell data subjects what data they are collecting and for what reasons - this is why we see privacy notices!
- Accuracy: Personal data should be accurate, and kept up to date to the extent possible - and incorrect data should be rectified (meaning “corrected”) or erased (meaning “deleted”).
- Storage Limitation: This means that personal data, in general, should only be kept for as long as it is necessary to achieve the purposes for which it was collected.
- Integrity, Confidentiality, and Security: Data must be kept secure and protected against unauthorized or accidental disclosure or theft. Organizations should follow up-to-date information security (infosec) standards - like ISO 27001 or SOC 2.
- Individual Rights: Privacy must be approached with individual rights in mind. Data subjects have rights that companies must honor. Rights like notice (the right to be informed about what data is being collected), access (the right of a data subject to get their data), portability (the right to have data be transferable to another company or platform), erasure or the right to be forgotten (the right to have data erased), and many more.
And finally, to bring it all together:
- Compliance: Companies must put in place compliance programs to ensure compliance with privacy laws - these programs include things like providing privacy notices, data mapping (knowing what and where your data is), contracts (ensuring contracts include appropriate protections for personal data), privacy by design (designing products and systems with privacy at the forefront), individual rights (developing procedures to respond to requests from data subjects - like to access or delete their personal data), training staff, hiring privacy officers, and much, much more!
Okay - that was a lot. But getting a grip on these principles will get you ready for the huge responsibility of working with people’s personal data.