Data Privacy Guide: Definitions, Explanations and Legislation

Data Privacy Guide: Definitions, Explanations and Legislation

Data privacy is the proper handling of data - consent, notice, and regulatory obligations. It is a branch of data security. Practical privacy concerns include:

  1. Whether or how data is shared with third parties.
  2. How data is legally collected or stored.
  3. Regulations such as GDPR, HIPAA, GLBA, and CCPA.

We'll examine the importance of data privacy and how it relates to data security in this guide. Following that, we will look at the legislation that covers data privacy in several key countries, as well as in a few key industries. Then, we'll discuss how you can improve your personal and business data privacy.

Why is Data Privacy Important?

Two factors contribute to the importance of data privacy in our industry.

First, data is one of the most valuable assets a company has. With the rise of the data economy, companies are finding enormous value in collecting, sharing, and using data. Many companies have built empires based on the data economy, including Google, Facebook, and Amazon. Transparency in how businesses ask for consent, abide by their privacy policies, and manage the data they collect is crucial to building trust and accountability with customers and partners who expect privacy. Through highly publicized privacy failures, many companies have learned the importance of privacy the hard way.

The second aspect of privacy is the freedom from uninvited surveillance. In a democratic society, the freedom to exist in one's space and express one's opinions behind closed doors is crucial.

"Privacy is at the core of our freedom." "We must take time for reflection, intimacy, and solitude," says Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, Canada.

Dr. Cavoukian understands the importance of data privacy. Her most well-known contribution is her work developing Privacy by Design (PbD), which serves as a cornerstone for a number of contemporary privacy laws.

Data Privacy vs. Data Security

Many organizations believe that keeping sensitive data safe from hackers makes them compliant with data privacy regulations. This is not true.

The terms data security and data privacy are often used interchangeably, but there are distinct differences:

  • Data Security protects data from compromise by both external attackers and malicious insiders.
  • Data Privacy governs how data is collected, shared and used.

Imagine a situation where you have gone to great lengths to safeguard personally identifiable information (PII). A number of overlapping monitoring systems are in place to monitor data, restrict access, and encrypt it. Even though the data is secure, if that PII was collected without proper consent you may be in violation of a data privacy regulation.

Data Protection is the Force Behind Our Right to Privacy

Consumers' privacy is regularly invaded or compromised by companies and governments, despite recent advances in data privacy legislation and practice. This has led some to claim that the privacy war has been lost.

There can be data privacy without data protection, but there cannot be data protection without data privacy.

Assuring data privacy means ensuring that you are not the creepy company that collects all of the personal data of your customers - whether that is passive location tracking, apps that steal your personal address book, or websites that monitor every keystroke.

As part of a data security portfolio, employees should be regularly trained on data protection, so they understand the processes and procedures necessary to ensure proper collection, sharing, and use of sensitive data.

Regulations for protecting data can also be included in information privacy. As global data protection regulation grows, global privacy requirements and demands will also expand and change. One constant, however, is adequate data protection: it's the best way to ensure that companies are compliant with the law as well as guarantee the privacy of customer information.

Varonis' products are some of the best available. Because of this, our systems are used worldwide to protect consumer privacy.

Different Definitions of Data Privacy

Even though most people agree that data privacy is important, and most everyone knows that data protection is essential to ensuring privacy, the definition of "data privacy" is notoriously difficult.

All of the laws we mention in this article - the GDPR, the CCPA, and the HIPAA - do not define precisely what data privacy means. They outline consumer and business rights instead, and suggest a number of best practices. Every piece of legislation is different, so it can be difficult to define exactly what "privacy" means.

If we limit ourselves to one piece of legislation, the situation will not improve. GDPR is arguably the most comprehensive piece of data privacy legislation in Europe. In May 2018, the New York Times described it as a "big, confusing mess". A number of rights are granted to individuals under the law, including the right to data portability (that allows people to move their data from one platform to another), and the right not to be subject to decisions based on automated data processing (for example, banning the use of algorithms to reject job applicants or loan applicants).

Practical implications of these rules are extremely complex. The GDPR, like many EU laws, seeks to present a compromise between the different systems and values of many nations. Therefore, "many scientists and data managers who will be subject to the law find it incomprehensible," and doubt that compliance can be guaranteed.

This is likely to pose a significant problem for businesses in the USA. It is problematic to be subject to both GDPR and CCPA as their definitions of privacy and fair use of data are very different. They are as follows:

  • Firstly, you should realize that the CCPA applies to residents of California (albeit defined in a slightly strange way), regardless of where your company is situated. Furthermore, the GDPR protects the rights of EU citizens, regardless of where your company is located. No matter where you are located, you are covered.

Section 1798.140 (7) G of the CCPA, showing definition of Californian resident

  • Companies are prohibited from selling Californians' data under the CCPA. All companies doing business with Californians (that is, all companies with a website) must include a link on their home pages that says "do not sell my personal information" so consumers can opt out of allowing their information to be sold. GDPR, on the other hand, does not address this issue.
  • Furthermore, Article 6 of the GDPR requires companies to demonstrate that their processing of customer information is legal. On the other hand, the CCPA does not require that you justify collecting or processing private data.


  • Health data collection and storage are also regulated by GDPR. In the GDPR, "biometric data" and "genetic data" are defined as two different types of personal information, while under the CCPA, the two types of information are combined under the term "personal information."
  • GDPR applies to all businesses that work with data, whereas CCPA only applies to for-profit companies.
  • GDPR is stricter in some respects when it comes to the managerial processes required to achieve compliance. Companies are required to appoint "data protection officers." CCPA does not require this, as long as the rest of the regulations are followed.
  • There are also huge differences in the fines that can be imposed under both pieces of legislation. A violation of GDPR's Article 83 can result in a fine of up to €20 million or 4% of the total worldwide turnover of the company. It can be a huge amount for some companies, and Google has already been fined €50 million for data privacy violations in France. On the other hand, the CCPA is much more lenient: companies are given a grace period of 30 days to rectify the violation, and they will only be fined $2500 per violation.

Simply put, the definitions of data privacy in these two pieces of legislation (not to mention HIPAA) are confusing. It is clear that what constitutes "reasonable" varies widely from law to law, as do the penalties for breaking them.

Basically, this means that companies that work with private data need to exceed the law in order to ensure that their data practices go far beyond those outlined in legislation. We'll talk about how to do that shortly, but let us first take a closer look at the pieces of legislation we've already mentioned.

Data Privacy Laws and Acts


Fortunately, lawmakers have recognized the importance of regulating data privacy and holding companies responsible for end-user data.

Companies must now determine what laws and acts affect their users' data privacy. For instance, you should know where the data came from (country and state), what personally identifiable information it may contain, and how it was used.

Here is a closer look at how recent data privacy regulations affect users and companies. This is a list of the four most important data privacy laws.

GDPR: EU Data Privacy Law

GDPR, which was enacted in May 2018, aims to protect the personal data of EU citizens, and is already having an impact on companies in Europe. In order to achieve and maintain compliance with the GDPR, companies must undertake many tasks. Among them are:

  • Users' explicit consent
  • The right to request data from companies
  • The right to have your data deleted

Aside from giving consumers certain rights over their data, the GDPR also imposes security obligations on companies that hold consumer data. The requirement that companies respond to subject access requests is one challenging aspect of the legislation.

Most organizations cannot locate, provide, or delete an individual's personal information on request. In order to keep personal data protected and to expedite data subject access requests, many CIOs and data privacy officers use GDPR compliance software that detects and classifies personal data automatically.

Data Privacy in Healthcare

Despite GDPR in the EU, one of the most prominent US data protection and privacy laws at the federal level is HIPAA, a data privacy law put into place to protect patients' personal health information.

Healthcare providers have always been attractive targets for data breaches. The value of health records exceeds that of credit card numbers by approximately 10-20 times. Therefore, they should ensure that they are in compliance with HIPAA.

Though Congress passed HIPAA in 1996, calls for even greater data privacy protection have grown as data breaches at an all-time high and the rate at which companies use and sell the data they collect on their patients has risen.

In December 2000, the   U.S. Department of Health and Human Services (HHS) released the Privacy Rule to fulfill HIPAA's mandate to protect the privacy of individual health information.

If you're wondering how GDPR and HIPAA compare, keep in mind that GDPR covers an even broader scope than HIPAA and does not exclusively deal with health information. In the GDPR, "sensitive personal data" is protected, including health data. GDPR's regulatory requirements are similar to those of HIPAA.

Data Privacy for Financial Institutions

Gramm-Leach-Bliley Act (GLBA) should be on your radar as well. Financial institutions are required to protect consumer financial information. Identify sensitive financial data quickly using classification to accomplish this.

GLBA compliance has numerous benefits. By reducing the risk of unauthorized sharing and loss of sensitive financial information, the risk of fines and reputational harm is reduced. While the GLBA isn't the same as the GDPR in the EU, it won't be long before America gets its own.

Innovative US Data Privacy Laws

A number of other laws govern data privacy in the US. There are some that work at the state level, and some that apply nationwide. These laws represent an innovative approach to ensuring data privacy in the country, and in some cases go far beyond the current legislation that deals with individual industries.

CCPA, for example, is a law that extends the protections of data privacy in California. Businesses operating in California must be prepared for the CCPA on January 1, 2020 in order to identify and discover personal information, comply with data subject access requests, and protect consumer information. CCPA gives consumers control over how companies collect and use their personal information. Thus, companies must be capable of finding and classifying sensitive data quickly and accurately so that they can identify information that falls under the CCPA and fulfill data subject access requests (DSARs).

Children's Online Privacy Protection Act (COPPA) protects the privacy of children under 13 and was adopted back in 1998. In this law, companies must obtain parents' permission before collecting children's data, and it specifies how that data can be stored and processed.

Several states are considering laws similar to California's, and it appears that lawmakers are eager to improve data security and privacy in additional sectors. Some have even suggested creating a Federal Department of Cybersecurity to standardize laws across the country, but the current situation remains a patchwork of laws.

Other Data Privacy Laws

The above laws are some of the more prominent regulatory frameworks when it comes to data privacy, but you should also be aware that there are data privacy laws that apply to particular kinds of companies, or to particular kinds of data.

If you operate in a certain sector and store and process data differently than others, the requirements for ISO 27001 compliance, FISMA compliance, and SOX compliance might apply to your business.

We can assist in ensuring that your data is both safe and compliant with all of these frameworks by providing comprehensive data protection solutions. Feel free to contact us if you have any questions about your data privacy requirements.

Data Privacy Tips

You may be wondering how to ensure data privacy after reading the above. In this section, we'll share some tips on how to do that, whether you're a business or just a consumer.

Business-Focused Data Privacy Tips

We have previously written about how businesses can ensure data security, and our suggestions there will also help you to protect the confidentiality of the data you hold.


These techniques include:

  • Educate every employee in your company about data security and privacy concerns and techniques. The training on data privacy should be incorporated into your general training program, as well as the onboarding process for new employees.
  • Take advantage of the free security tools available. These include encryption, password managers, and VPNs. They are easy to install and use, and can greatly reduce your vulnerability to attacks.
  • Be on the lookout for suspicious activity on your network to catch any attacks early enough to limit their damage.
  • Because you have a small business or are just starting out, hackers may be interested in your company - breaches and attacks affect organizations of all sizes.
  • Implement a zero trust policy. Leading Cyber Ladies founder Sivan Tehila tells us, "Zero Trust isolates applications and segments network access based on user permissions, user authentication, and user verification to control access to the entire network." Policies are enforced and protected for all users, devices, applications, and data regardless of where users are connecting from. In this user-centric approach, verifying authorized entities is mandatory, not optional. Organizations of today need this 'trust, but verify' mentality.

Consumers-Focused Data Privacy Tips


  • You don't have much control over how companies store or protect your data as a consumer. As a result, you can take a number of easy steps to make your data more private. Knowing what privacy tools are available to you is a good first step. At the very least, you should use a VPN to encrypt your internet connection, and a password manager to improve security of your online accounts.
  • To ensure important accounts aren't easily hacked if the passwords are cracked, use multi-factor authentication. Select an MFA option that does not use SMS. Today, many online companies offer multi-factor authentication for free, so ask them to set it up on your account.
  • It is important to keep all of your IoT devices updated with the latest security software, since spyware in the IoT has become one of the biggest cybersecurity stories of the last year.
  • Always back up your data. Having a secure backup of your data is the best way to protect it from being compromised.

Look out for strange requests, spelling and grammar mistakes, flashy click-bait content, and other things that may seem out of place.

How Varonis Helps with Data Privacy

Data privacy nirvana requires a data security solution that protects enterprise data, prevents data breaches, reduces risk, and complies with compliance regulations. Varonis' approach to data security as it relates to data privacy includes the following:

Manage access to sensitive and regulated data 

in such a way that no one will complain about having too much access. DataPrivilege and DatAdvantage ensure that only the right people have access to the right data: unrestrained access could leave companies vulnerable to data breaches, theft, or misuse. By automating global access remediation and file system permissions, the Automation Engine helps you achieve least privilege and compliance faster.

Follow proper compliance requirements

The compliance requirements hold a baseline that enforces data privacy goals to maintain freedom, intimacy, and solitude. With Data Classification Engine, you can find and classify regulated and sensitive content. Afterwards, you can automatically transport data to where it needs to be and also fulfill data subject access requests as required.

Monitor and detect suspicious behavior on sensitive data

By using DatAlert, your organization will have continuous monitoring and alerting of its data. This allows companies to identify and monitor consumer personal data, track who is accessing it, highlight suspicious activity, and report on strange behaviors that are regulated and sensitive. In the end, knowing that your data is always secure also ensures data privacy.

Data Privacy News and Resources

The issue of data privacy has become a mainstream concern over the past year, and all of the major newspapers have covered it. You can also keep up with breaking data privacy news by following specialized media. For example, WIRED frequently reports on data privacy stories, as do HackerNoon and InfoSecurity Magazine.

Here are some of the biggest stories in data privacy at the moment:

California’s CCPA Comes Into Effect

As 2019 draws to a close, all eyes will be on next year, when California's CCPA takes effect. Companies have been preparing to implement this law for years, and it represents the strongest privacy protections in the United States at the moment. Whether such a law can be applied at all levels of government is a key question.

Privacy concerns arise from Google's Project Nightingale.

On the consumer side of the equation, much of the discussion has been dominated by the disclosure of "project nightingale", a data-sharing agreement between Google and Ascension, the country's second-largest health insurer. Despite the fact that this exchange of data was completely legal, it has heightened people's awareness of just how much personal information they share and how it is processed.

India Rolls Out New Data Privacy Law

India is now passing national legislation to limit what companies can do with personal information. Inspired by similar frameworks in the EU and US, the new law could have a huge impact on the country's growing tech industry.

FAQs About Data Privacy

Even after all that information, you might still have some questions about data privacy. We’re here to help.

Q: Is There a Global Data Privacy Law?

A: No. Regardless, privacy laws are relatively new, and there is no worldwide standard. Despite this, many companies look to GDPR, Europe's data protection law, as a guide for how to store and manage data privacy correctly, even if they don't do business in the EU. Your business will be subject to different laws depending on its sector and location, so make sure you know what your responsibilities are.

Q: Can We Protect Our Data in Other Countries?

Because of the fragmentary nature of data privacy laws, it can be difficult to ensure the security of your data if you send it overseas. As a concerned consumer, the key is to only share information with companies who are open and honest about their data privacy policies, and who will not sell your information to anyone at any price.

Q: How Can Companies Ensure That They Have Data Privacy When Using Public Clouds?

Choose the correct cloud provider. In truth, most companies will not have the time or resources to employ a dedicated cloud security specialist. The best solution for most will, therefore, be to choose a cloud provider who also provides you with security features, and who can advise you about your legal responsibilities.

A Final Word

The privacy of your data is very important for many reasons. Consumers need to be aware that their data is being stored and used by a variety of companies, and avoid sharing more information than they need to. The right to privacy is unalienable.

As a business, data privacy is perhaps even more crucial. If you don't comply with the law about how you collect, store, and process personal data, you could face hefty fines. The consequences of being hacked in terms of lost revenue and lost customer trust could be worse.

Because of this, we have built a security solution that offers advanced data protection features. With DataAdvantage and DataPrivilege, only people who should have access to your data do, and you can easily and effectively achieve data privacy compliance.