5 privacy pitfalls that could damage your organization

#1 Privacy is not the same as security

While related, data privacy and information security are different. Data privacy concerns the proper handling and protection of personal data to ensure it’s processed in accordance with privacy laws and individuals’ rights. Information security, on the other hand, focuses on measures and technologies to protect personal data from unauthorized access, cyber threats, and data leaks.

"There's a common misconception that advanced encryption, firewalls, and intrusion detection systems guarantee the safety of customers' or employees' data. Unfortunately, that's not the case. Due to privacy unawareness, malicious intent, and human error, personal data can still be compromised, even with robust security measures in place," notes Eglė Bakštytė, Nord Security’s Lead Privacy & Marketing Legal Counsel.

One of the most common human errors is misdirected emails, often due to spelling mistakes, mistaken identity, autocomplete errors, using "To/Cc" instead of "Bcc," or accidentally hitting "Reply All."

In a notable incident in 2023, millions of US military emails were mistakenly sent to Mali, a Russian ally, because of a minor typing error. These emails contained sensitive information, including medical records, identity documents, military base staff lists, photos, naval inspection reports, crew lists, tax records, etc. US adversaries could exploit this data leak.

"Taking privacy protection for granted, even with strong security measures, doesn’t shield companies from the consequences of privacy unawareness or human errors. These can lead to severe fines from the authorities, claims from the affected individuals, operational disruptions, a tarnished reputation, and, as in the example mentioned above, even physical threats. It's crucial to constantly remind employees about privacy best practices and the most common pitfalls to maintain vigilance in their duties," explains Eglė.

#2 A privacy policy ensures compliance – but that's not enough

It’s sometimes misunderstood that simply having a privacy policy and updating it from time to time fully ensures compliance with the privacy laws. A privacy policy, also known as a privacy notice, outlines how your company collects, processes, and uses personal data and how individuals can exercise their rights (e.g., access their personal data). However, this document alone doesn’t cover all legal obligations.

Eglė Bakštytė points out that updating the privacy policy is crucial, but before launching a new product or feature, there’s much more groundwork to do:

• Identify the personal data you’ll process and its purpose: Know what personal data you’ll be collecting and why. Is it legal, and how will it be used?

• Assess access: Define who will access the data and what vendors you’ll engage. Are these third parties trustworthy? Are all necessary agreements in place?

• Empower users: Ensure your customers can easily exercise their control over their personal data.

• Define the data lifecycle: Determine how long you will keep the personal data and how it will be erased.

• Secure the data: Implement robust security measures to protect personal data.

Merely updating the privacy policy but failing to adhere to data processing principles and other legal requirements can lead to significant legal consequences and reputational damage. So, companies must ensure that their privacy practices are not just compliant on paper but also rigorously enforced throughout every aspect of their operations.

#3 Data doesn’t need to include a name to be personal data

Some still mistakenly believe that personal data must include a name or contact details, which are the most straightforward elements for identifying someone. However, privacy laws generally define personal data much more broadly. This consists of any information that can identify an individual either directly or indirectly, such as location data, credit card number, IP address, or cookie ID.

Because of this unawareness, individuals or organizations might unintentionally share data that could help identify a person, putting them at risk. A notable example involves the Strava Fitness app. Its heatmap feature could expose athletes’ home addresses if they start or end their workouts on less popular routes.

Eglė Bakštytė highlights the potential dangers such seemingly innocent features could pose: "Location data can provide threat actors with insights into a person's routines, offering details that could be exploited. Similarly, marketers might use this information to craft personalized advertising strategies, often without the individual's knowledge or permission."

#4 Collected personal data can’t be stored indefinitely

It would be a mistake to think that once personal data is collected, it can be stored indefinitely. In reality, businesses are required to establish and adhere to data retention policies that specify how long different types of personal data should be kept. And once it expires, it must be deleted or anonymized.

Holding onto data longer than necessary can pose numerous risks for businesses, such as heightened vulnerability to data breaches, loss of customer trust due to privacy concerns, and legal liabilities for non-compliance with privacy regulations. For instance, in 2019, the real estate company Deutsche Wohnen received one of the highest GDPR fines in Germany, amounting to €14.5 million, for retaining tenants’ personal data beyond its purpose. Similarly, Uber faced nearly $11 million in fines from the Dutch Privacy Watchdog for failing to disclose how long it retains drivers' data in Europe.

Eglė Bakštytė stresses the importance of a minimalist approach when collecting personal data. Only gather the essential data needed to fulfill your purpose. Then, implement a clear data retention and deletion policy that outlines the duration for keeping the data and the procedures for both you and the third parties processing it on your behalf to delete it. Following this practice will give your company a competitive advantage, shielding your organization from legal, financial, and reputational damage.

#5 Data protection is a shared responsibility between employees and the organization

While employees play a crucial role in safeguarding personal data, the organization's primary responsibility remains. If personal data is leaked, intentionally or unintentionally, the company and the involved employees may be held accountable.

A recent case involving Tesla highlights this point. The company, founded by Elon Musk, faced a lawsuit from a group of current and former employees whose personal information was exposed in a data breach in 2023. The lawsuit alleges that Tesla failed to adequately safeguard this information, which was leaked by two former employees. The exposed data included names, phone numbers, email addresses, birth dates, and Social Security numbers. The affected employees seek compensation for damages such as privacy invasion, risks of identity theft, and other related costs incurred due to the breach. In response, Tesla has taken legal action against the two former employees responsible for the data leak.

Eglė concludes, "Organizations must take a proactive approach by regularly training employees on the importance of privacy and data protection and by reinforcing their legal and ethical obligations. This dual focus on policy and education is one of the effective ways to prevent data breaches and other non-compliances. It ensures that both employees and the organization are aligned in their commitment to safeguarding personal data."

How to protect against these privacy pitfalls?

Neglecting privacy considerations or believing in some common myths related to personal data can end badly. To avoid them, Eglė Bakštytė shares key tips for keeping your business in line with privacy laws:

1. Promote a culture of privacy awareness.

   • Foster a workplace culture that values privacy as highly as security.

   • Establish a dedicated Privacy Team to handle privacy issues, educate employees, and serve as a central point for data protection concerns within the organization.

   • Regularly train employees on privacy rules and principles and how to handle personal data responsibly. The General Data Protection Regulation (GDPR) came into force in May, so you can mark it as Privacy Awareness Month/Week in May. It’s a great opportunity to highlight key privacy topics and the fundamentals of privacy laws.

     

     

2. Implement “Privacy by Design”.

   • Integrate privacy considerations into every stage of your business operations from the ground up, making privacy an integral part of the organizational process.

   • Educate employees about the broad scope of personal data (any information that helps directly or indirectly identify an individual),

   • Adopt principles of purpose limitation and data minimization, ensuring personal data is only collected for specific, necessary purposes and deleted after its retention period expires.

3. Update privacy policies and controls.

   • Ensure your privacy policies and other privacy notices are current with laws and reflect your company's practices.

   • Develop internal controls for adherence to the policies and outline organizational and individual responsibilities.

4. Develop a data breach management procedure and a clear action plan for responding to data breaches.

   It should detail immediate actions to contain the breach, investigate and assess its impact, and communicate with the authorities and affected parties. Ensure your employees know of such an action plan and train them to act accordingly.

   
   

5. Deploy technical safeguards.

   • Utilize tools to prevent common errors like misdirected emails or unintended sharing permissions.

   • Employ data encryption and anonymization techniques to minimize identifiable information, ensuring privacy protection even when detailed datasets are used.